Wall of Shame: Four Years LaterBreach Tally, Enforcement Actions Offer Important Lessons
In the four years since the HIPAA breach notification rule went into effect, some 674 major breaches affecting a total of almost 27 million individuals have been confirmed by federal authorities.
One clear lesson from the so called "wall of shame" tally of major breaches is the value of encryption as a breach preventer. More than half of major breaches reported since September 2009 have been tied to lost or stolen unencrypted devices, especially laptops.
"The most risk-avoidant thing you can do is encrypt," says Leon Rodriguez, director of the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA. "I think there is an overestimate of cost and difficulty in encrypting data."
Many of the largest breaches, and 22 percent of all incidents, have involved business associates, pointing to the need for covered entities to monitor whether their vendor partners implement effective security safeguards. This is more important than ever, now that business associates are directly liable for HIPAA compliance under the HIPAA Omnibus Rule.
Meanwhile, roughly 20 percent of breaches have involved "unauthorized access," sometimes with intent to commit fraud. The lesson learned? "Have policies in place to prevent people from snooping into other people's records, and if you find out they are doing that, take action," says Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT, a unit of HHS.
In addition to learning lessons from the causes of major beaches on the tally, healthcare organizations can learn from the enforcement actions that OCR has taken after investigating smaller breaches or following up on HIPAA-related complaints. Many of these actions have highlighted the importance of a thorough risk assessment to uncover security weaknesses that can lead to potentially big problems.
Wall of Shame Trends
OCR lists breaches affecting 500 or more individuals on its tally once the details are confirmed. And although the total number of major breaches reported appears to be on the decline, some mega-breaches are still occurring.
For instance, as of Sept. 27, about 81 breaches occurring in 2013 were on the federal tally, compared with about 160 in 2012 and about 165 in 2011.
But despite the relatively small number of breaches in 2013 so far, the total number of individuals affected by breaches this year is an astounding 4.8 million. That's largely because of one incident: the theft of four unencrypted desktop computers from Advocate Health System that affected about 4 million individuals.
By comparison, in 2012, a total of 2.6 million individuals were affected by all the major breaches combined, while in 2011, a year when there were eight mega-breaches, a total of more than 11 million were affected.
Some expect even more major breaches will be reported in the months to come as a result of the HIPAA Omnibus Rule.
That's because HIPAA Omnibus changed the HIPAA breach notification rule. The standard for breach notification has shifted from assessing whether an incident is likely to result in a significant risk of financial, reputational or other "harm" for an individual, to a more objective assumption that an incident is a reportable breach unless there is a low probability the data was compromised.
"I expect removing the 'harm' factor, and implementing a risk assessment to determine risk of data compromise ... will factor heavily into increases in reporting of breaches to OCR ...," says Dena Boggan, HIPAA security and privacy officer at St. Dominic Jackson Memorial Hospital in Jackson, Miss.
Federal investigations of several major breaches on the wall of shame have resulted in substantial monetary settlements as part of resolution agreements. Among those cases were: a $1.7 million OCR settlement with insurer Wellpoint; a $1.5 million settlement with Massachusetts Eye and Ear Infirmary; and a $1 million settlement Massachusetts General Hospital.
But OCR can also hand out enforcement penalties in HIPAA cases that are too small to make it to the wall of shame.
In January, OCR issued its first HIPAA breach settlement tied to an incident affecting fewer than 500 patients. That incident involved an unencrypted laptop stolen from the Hospice of North Idaho which contained protected health information for 441 patients. The hospice agreed to pay OCR $50,000 to settle the case.
Under HIPAA Omnibus, penalties for each violation can range up to $1.5 million. And OCR "will leverage more civil penalties" as it enforces HIPAA Omnibus, Rodriguez predicts.
The largest enforcement action to date by OCR, and the only civil penalty so far, didn't involve a wall of shame breach. In that case, OCR levied a $4.3 million penalty against Cignet Health for failing to provide patients access to their health information, and then failing to cooperate with the OCR investigators.
Insights From Enforcement
Phil Curran, chief information officer of Cooper University Healthcare in Camden, N.J. says he carefully reviews OCR's resolution agreements to see what security weaknesses are identified and what corrective action plans are prescribed.
"Look to see if there are things that you're not doing that OCR has found in other cases," he advises. For instance, a critical lesson from many corrective action plans is the importance of a risk analysis, he notes.
A recent enforcement action by OCR that highlights risk analysis issues was an August resolution agreement with Affinity Health Plan. The New York-based managed care company agreed to pay federal regulators $1.2 million settlement tied to a 2010 incident that affected about 345,000 individuals whose data was discovered on the hard drives of copy machines that had been returned to a leasing firm.
"Over and over again in our investigations, [OCR has found] failure to do thorough risk analysis," Rodriguez says. That includes assessing where electronic PHI resides, determining vulnerabilities and mitigating risks.
For instance, the failure to conduct a thorough risk assessment is often behind the lack of encryption on devices that end up being stolen or lost, resulting in so many large reportable breaches, Rodriguez says. "We find that entities that failed to do analysis failed to do encryption," he points out.
While a majority of breaches are tied to lost and stolen unencrypted devices, some OCR enforcement cases have focused on "egregious disclosures," such as record snooping by healthcare workers, Rodriguez says.
For example. in July 2011, University of California at Los Angeles Health System agreed to pay a fine of $865,500 and commit to a corrective action plan aimed at remedying gaps in its compliance with HIPAA. Two celebrity patients alleged that health system employees repeatedly viewed their electronic records, as well as those of other patients, without permission.
That case is among HIPAA incidents that happen when "there are no technical safeguards to ensure the person accessing information is authorized," Rodriguez says.