As most of us know by now, under the ARRA breach notification provisions, HIPAA-covered entities and their business associates must notify the affected individuals and HHS of any breaches affecting the unsecured protected health information of 500 or more people. The notification must be made without unreasonable delay and no later than 60 days from the discovery of the breach.
We can get a list of the reported breaches on the HHS website.
What the report list tells us …
- The majority of breaches resulted from theft or loss of hardware (laptops, portable devices and portable storage devices).
- Providers, payers and business associates appear on the list. Already the reports make clear that breaches are occurring across the industry, in both private and public entities, large and small.
… and, what we can learn:
- Organizations should strongly consider encrypting data at rest on laptops, portable devices and portable storage media (under the HHS guidance, properly encrypted PHI is not “unsecured,” so its loss is not a reportable breach), but, more importantly…
- Start from the beginning – ask – why is there patient data on a laptop or other portable storage device in the first place? Is this really required by the organization’s business model or work flow? Is there a current policy in place?
What the report list does not tell us, or what we don’t know ….
- How many breaches there really are, or
- Whether the number of breaches is increasing, decreasing or remaining the same.
… and, what we can learn:
- We don’t know what we don’t know – we don’t know how many breaches there are, so predicting or extrapolating their frequency is nearly impossible.
- Breach detection is under-emphasized in federal law and regulation, educational activities and organizational activities:
- The current federal breach reporting law only applies when an organization detects or suspects a breach; and
- Organizations, for their patients’ best interest as well as that of their own organization, need to put resources, policies and processes into monitoring and breach detection activities.
Other interesting information:
- HHS treats each breach report from an organization as a self-reported complaint that requires an investigation for compliance with HIPAA’s privacy rule.
- This is clearly the right thing to do. However, the prospect of an investigation may discourage detection activities and may influence how the risk-of-harm assessment is done.
- The Interim Final Rule is currently in force.
- This includes the “harm provision.” Once a breach is detected, the organization may assess the risk of harm to the affected individuals; if the assessed risk does not exceed the harm threshold, the incident is not treated as a reportable breach and HHS need not be notified. This creates a grey area in the reporting requirement.
- It is unclear if, when and how the federal breach notification rule pre-empts “contrary state law.” See Howard Anderson’s analysis of a case example. Again, this creates a grey area in the reporting requirement.
Lisa’s Final Words…
Organizations need to:
- Heed the HIPAA Security Rule and conduct periodic security risk assessments of their enterprise. In last year’s HIMSS Security Survey, we asked those organizations that actually conducted a risk assessment about the primary benefit of that process, and the majority said that they were able to find patient data at risk. This means they have the opportunity to remediate their security controls and protect the data before it is compromised.
- Implement incident prevention, detection, network access control and monitoring processes. Organizations should actively monitor their networks, their logs, the integrity of their patient data and their physical security processes so they can detect breaches as soon as they happen, remediate and notify those affected. Fortunately, there are many tools and methodologies available to help them do just that.
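As an added illustration of the monitoring point above (this is example code written for this page, not code from the post or from HIMSS), the snippet below runs two simple detections over constructed EHR audit-log lines: a user touching an unusually large number of distinct patient records within a time window, and an EXPORT of a record to removable media. The log format, field names, the one-hour window, the 25-record threshold and the destination labels are all assumptions chosen for the example, not a real product's schema.

```python
"""Added example: ePHI access-monitoring checks over constructed audit logs.

Assumed (hypothetical) log line format:
    <ISO timestamp> user=<id> action=<VIEW|EXPORT|...> patient=<MRN> dest=<where>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) dest=(?P<dest>\S+)$"
)

# Destination labels treated as removable media (assumption for the example).
REMOVABLE = {"usb", "cd", "dvd", "sdcard"}


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    patient: str
    dest: str


def parse_log(text: str) -> List[Event]:
    """Parse audit lines; lines that do not match the assumed format are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # a real deployment would alert on unparseable audit records
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"],
                            m["action"], m["patient"], m["dest"]))
    return events


def bulk_access(events: List[Event], window: timedelta = timedelta(hours=1),
                threshold: int = 25) -> Dict[str, int]:
    """Sliding-window count of distinct patients per user.

    Returns {user: peak distinct patients seen inside any `window`} for every
    user whose peak exceeds `threshold` (a "snooping" or mass-export pattern).
    """
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    flagged: Dict[str, int] = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Counter = Counter()  # patient -> occurrences inside window
        left, peak = 0, 0
        for e in evs:
            in_window[e.patient] += 1
            # Drop events that fell out of the window ending at e.ts.
            while e.ts - evs[left].ts > window:
                old = evs[left].patient
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[user] = peak
    return flagged


def removable_exports(events: List[Event]) -> List[Event]:
    """Every EXPORT whose destination is removable media."""
    return [e for e in events if e.action == "EXPORT" and e.dest.lower() in REMOVABLE]


def analyze(text: str) -> Dict[str, object]:
    events = parse_log(text)
    return {
        "bulk_access": bulk_access(events),
        "removable_exports": [(e.ts.isoformat(), e.user, e.patient) for e in removable_exports(events)],
    }


# Constructed sample log: a nurse viewing two charts, and a clerk who pulls 30
# different records in under a minute and then exports one to a USB stick.
SAMPLE_LOG = "\n".join(
    [
        "2010-03-01T08:05:10 user=nurse1 action=VIEW patient=MRN1001 dest=workstation",
        "2010-03-01T08:06:42 user=nurse1 action=VIEW patient=MRN1002 dest=workstation",
        "2010-03-01T08:07:15 user=nurse1 action=VIEW patient=MRN1001 dest=workstation",
    ]
    + [
        f"2010-03-01T08:10:{i:02d} user=clerk7 action=VIEW patient=MRN{2000 + i} dest=workstation"
        for i in range(30)
    ]
    + [
        "2010-03-01T08:12:30 user=clerk7 action=EXPORT patient=MRN2002 dest=usb",
        "this line is not an audit record",
    ]
)

if __name__ == "__main__":
    for kind, findings in analyze(SAMPLE_LOG).items():
        print(kind, findings)
```

Both checks are deliberately cheap so they can run continuously over the live audit feed rather than in a quarterly review; the threshold and window should be tuned per role (a medical-records clerk legitimately touches more charts per hour than a nurse), and a matching physical-security control is to alert on the removable-media export itself, not only on the volume of reads that preceded it.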





Lisa,
This is actually a very good summation of some of the more important lessons learned that current breach reporting can provide. I agree that at present there seems to be far too much focus on reporting and not nearly enough attention being given to detection, hence your statement that “we don’t know what we don’t know,” which translates to the thought that there may be more breaches occurring than we are seeing. The goal of good security is to detect and avoid such events, not merely to catch and report. This ties into another of your observations which is very key to doing a better job of reducing the risk of breaches: that organizations should first ask the question why was ePHI on the device in the first place. While right on target, this is still a reactive question.
I’d like to suggest a proactive approach to minimizing breaches and meeting our compliance and business obligations to protect information: take a data-centric approach. Start first by describing the life cycle of ePHI in the enterprise and then inventorying its location accurately. Meaning, ask the questions proactively: who is creating it, how are they creating it, where are they creating it, and then repeat this line of questioning, replacing “creating” with processing, storing, transmitting, archiving, sharing, disposing, etc., until we have a good understanding of the life of PHI in our business. Next, conduct an accurate inventory of all your PHI and where it currently resides within your enterprise. Fortunately, there are tools out there today that can do this detailed inventorying. Then ask your question: does PHI need to be on this device, or should it be on this device, or accessible from this location, should this group or individual have access, etc.? Once you know the answers to these questions, consider all of the security controls available to develop an integrated solution for creating safe harbor and minimizing breaches: by having better knowledge of where our data is, appropriate mechanisms for monitoring and enforcing rules, and by minimizing the landscape that has to be encrypted by reducing the number of locations, and the associated risks, where PHI can be found to those that represent a legitimate business purpose and meaningful use.
We need to think more proactively. Healthcare cannot afford the interruptions or distractions of reactive mitigation of risks.