If you think HIPAA won’t be enforced for small breaches, think again. On August 18, 2016, OCR announced its intent to focus on smaller breaches. The announcement states “Beginning this month, OCR has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals.”¹ With large breaches occurring seemingly every week, OCR wants to remind us that it is keeping an eye on the smaller breaches as well.
Breaches affecting fewer than 500 people are not publicized nearly as much as those affecting thousands of individuals. In fact, the OCR breach portal does not even include these smaller breaches. Currently, the HHS Secretary is only required to post a list of breaches of unsecured protected health information affecting 500 or more individuals.²
Take the Breach Notification Rule into consideration. If a Covered Entity or Business Associate experiences a breach affecting 500 or more individuals, it must notify HHS without unreasonable delay and no later than 60 days after discovering the breach (and, if more than 500 residents of a single state are affected, notify prominent media outlets as well). If the breach affects fewer than 500 individuals, you are not required to notify HHS at the time the breach is discovered. You must still document each incident when it happens and notify the affected individuals within 60 days of discovery, but the report to HHS can wait for the annual submission, which is due no later than 60 days after the end of the calendar year in which the breach was discovered.
Keep in mind that just because these smaller breaches get less publicity than larger breaches does not mean they are not happening.
In 2013, Hospice of North Idaho faced the first HIPAA breach settlement involving fewer than 500 people. After a laptop containing the PHI of 441 individuals was stolen, OCR conducted an investigation. During the investigation, OCR found that the Hospice had not conducted a risk analysis of the threats to its PHI, nor did it have policies and procedures in place regarding mobile device security. The organization paid a settlement of $50,000. At the time, OCR director Leon Rodriguez stated “This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”³
Most recently (2016), Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) experienced a breach. CHCS is a Business Associate that provides management and information technology services to nursing facilities. The theft of a mobile device containing electronic protected health information resulted in a breach of 412 individuals’ PHI. The phone contained PHI that was neither encrypted nor password protected. In this case, OCR also found that CHCS had no risk assessment or policies and procedures addressing mobile device security. They paid a settlement of $650,000.⁴
Most likely due to an increase in the frequency of small breaches, OCR will now be looking deeper into the causes of the breaches affecting fewer than 500 individuals. In their announcement, they listed the factors they will be looking at when investigating these breaches.
Factors include:
- The size of the breach;
- Theft of or improper disposal of unencrypted PHI;
- Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
- The amount, nature, and sensitivity of the PHI involved; or
- Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.¹
This HHS action comes in the midst of phase 2 of the OCR audit program. The 167 covered entities chosen for desk audits have recently been notified of their selection. That number does not include the Business Associates OCR plans to audit in late September. There are two types of desk audits: Security Rule audits and Privacy/Breach Notification Rule audits. On-site audits, which evaluate auditees against a broader set of compliance controls, begin in early 2017.⁵ With audits under way and OCR becoming stricter about breaches, HHS is clearly continuing its focus on enforcing HIPAA.
Though HIPAA is 20 years old, it takes quite a bit of time to implement laws of its magnitude. For example, it took years for OSHA to finally be fully implemented in the workplace. After 20 years of HIPAA, the government is finally becoming seriously focused on protecting PHI.
How you can protect your PHI:
- Risk analysis: Both settlements above cite the same root cause: no risk analysis and no mobile device policy. Inventory every laptop, phone, USB drive and backup that can hold PHI, document what would happen if each one were lost, and write down the controls you rely on. Without that document, OCR treats a lost device as a program failure rather than bad luck.
- Encryption: Encrypt PHI so that a lost or stolen device yields nothing readable. Use a standard algorithm with at least a 128-bit key (AES-128 or stronger) in a mode that also detects tampering, and apply it both at rest (full-disk or file encryption on laptops, phones and backups) and in transit (TLS). Keep the key off the device that holds the data; a key stored next to the ciphertext protects nothing. PHI encrypted consistent with HHS guidance (which points to NIST SP 800-111 for data at rest) counts as secured PHI, so its loss is not a reportable breach, which is exactly the protection the Hospice of North Idaho and CHCS devices lacked. When sending PHI by email or text, use a HIPAA-compliant messaging service (one that will sign a BAA) rather than ordinary consumer email or SMS.
- Training: All workforce members should receive HIPAA training, repeated periodically. This helps prevent breaches caused by your own staff, such as lost devices, misdirected emails and improper disposal of records.
- Updating firewall/router/etc.: Keep firewalls, routers and every other system that touches PHI patched and running supported firmware, and change their default credentials. Unpatched network gear is a common way for attackers to get into a system, and intrusions by hacking are one of the factors OCR says it will weigh.
- Business Associate Agreement (BAA): Ensure that the companies you work with (file sharing, accountants, shredding, IT providers) are also HIPAA compliant, and sign a BAA with each of them. Business associates are directly liable under HIPAA: CHCS, the business associate in the case above, paid the larger of the two settlements.
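The encryption point above is the one both settlements turned on, so here is what "encrypted at rest" means in practice. This is an added example, not code from the original article or from any product it mentions; it assumes the pyca `cryptography` package is installed, and the record layout, record ids and the sample patient record are constructed for illustration. It encrypts a PHI record with AES-128-GCM, binds the record id as associated data, and shows that a thief holding the blob without the key (or after flipping a byte) gets an authentication failure rather than readable or subtly corrupted PHI.

```python
"""Encrypt PHI records at rest with AES-128-GCM so a lost device yields nothing readable.

Added example, not from the original article. Assumes the pyca `cryptography`
package (pip install cryptography). Record ids, field names and the sample
record are constructed for illustration.
"""
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_BYTES = 16      # AES-128, the key size the article mentions (AES-256 is also fine)
NONCE_BYTES = 12    # 96-bit nonce, the standard GCM nonce length


def generate_key() -> bytes:
    """Random data-encryption key. In practice keep it off the device that holds the
    ciphertext (OS keychain, HSM, KMS, or derived from a user passphrase with a KDF);
    a key stored beside the data gives no protection when the laptop is stolen."""
    return AESGCM.generate_key(bit_length=KEY_BYTES * 8)


def encrypt_record(key: bytes, record_id: str, record: dict) -> bytes:
    """Return nonce || ciphertext+tag. The record id is authenticated as associated
    data so a ciphertext cannot be silently swapped between patients."""
    nonce = os.urandom(NONCE_BYTES)          # never reuse a nonce under the same key
    plaintext = json.dumps(record, sort_keys=True).encode()
    ct = AESGCM(key).encrypt(nonce, plaintext, record_id.encode())
    return nonce + ct


def decrypt_record(key: bytes, record_id: str, blob: bytes) -> dict:
    """Inverse of encrypt_record. Raises InvalidTag if the key, the record id or any
    byte of the blob is wrong, so tampering or a mixed-up key never yields garbage PHI."""
    nonce, ct = blob[:NONCE_BYTES], blob[NONCE_BYTES:]
    plaintext = AESGCM(key).decrypt(nonce, ct, record_id.encode())
    return json.loads(plaintext)


def is_readable_without_key(blob: bytes, record: dict) -> bool:
    """True if any field value appears in the clear inside the blob (it must not)."""
    return any(str(v).encode() in blob for v in record.values())


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {"name": "Jane Example", "dob": "1970-01-01", "diagnosis": "example"}


def demo() -> dict:
    """Run the at-rest scenario end to end and report what a thief could do."""
    key = generate_key()
    blob = encrypt_record(key, "patient-0001", SAMPLE_RECORD)
    results = {
        "roundtrip_ok": decrypt_record(key, "patient-0001", blob) == SAMPLE_RECORD,
        "plaintext_leaks": is_readable_without_key(blob, SAMPLE_RECORD),
    }
    # A thief with the device but not the key gets only an authentication failure.
    try:
        decrypt_record(generate_key(), "patient-0001", blob)
        results["wrong_key_rejected"] = False
    except InvalidTag:
        results["wrong_key_rejected"] = True
    # Flipping one ciphertext byte is detected, not decrypted into corrupted PHI.
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01
    try:
        decrypt_record(key, "patient-0001", bytes(tampered))
        results["tamper_rejected"] = False
    except InvalidTag:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is where the key lives, not the cipher: AES-GCM is the easy part, and the same blob on a stolen laptop is only "secured PHI" if the key was never written to that laptop's disk. Full-disk encryption (BitLocker, FileVault, LUKS) with the key unlocked by a user secret achieves the same thing for every file at once and is what HHS guidance expects for laptops and phones.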
- ¹ Email announcement sent by HHS on August 18, 2016. For more information visit: http://www.hhs.gov/hipaa/filing-a-complaint/what-to-expect/index.html
- ² Section 13402(e)(4) of the HITECH Act: http://www.hhs.gov/hipaa/for-professionals/breach-notification/