
As HIPAA Breaches Accelerate, Tools Lag

By smace@healthleadersmedia.com
July 22, 2014

For hospital and health system boards, CIOs, and CISOs, better data breach analysis tools, or more consistent legislation cannot come soon enough.

Earlier this month, the HHS Office for Civil Rights issued its Annual Report to Congress on Breaches of Unsecured Protected Health Information, the second such annual report. The findings are sobering.

From September 2009 to December 2012, OCR received 710 breach reports affecting approximately 22.5 million individuals. The frequency of those breach reports, according to one tally, is spiraling upward, up nearly 46% in the period between January 2014 and May 2014 over the same period in the previous year.

Another recent report notes that more and more organizations are learning of breaches by phone calls from, among others, the FBI.

Criminal prosecutions, always permitted under HIPAA, may be on the rise. In March, the U.S. Department of Justice indicted a former employee of an unnamed East Texas hospital, charged with wrongful disclosure of individually identifiable health information in violation of HIPAA.

The former employee faces up to 10 years in prison and a fine of $250,000 if convicted, according to the indictment, unsealed in July. While such indictments are rare, the recent toughening of enforcement actions may anticipate the growth in such criminal indictments.

Preparing for Tougher Privacy Rules

The OCR itself continues to step up its game. At a recent American Bar Association Health Law Section conference, a chief regional civil rights attorney from OCR warned that covered entities can expect enforcement to increase dramatically, along with fines.

About the only reprieve covered entities can expect will be brief, as incoming OCR chief Jocelyn Samuels transitions over from the civil rights division of the Department of Justice. But she will be on duty soon enough, succeeding Leon Rodriguez, who moved on to a post in the Department of Homeland Security.

Breaches Shift to Online

A preponderance of previous breaches were triggered by lost laptops or misplaced boxes of paper records. But those days are rapidly fading. Today's breaches are increasingly taking place via the same Internet that enables easier patient access and legitimate health information exchanges.

Criminal hackers are also targeting bigger repositories of data, such as state departments of health. The state of Vermont recently confirmed that a development server of the Vermont Health Connect, the state's health insurance exchange under the Affordable Care Act, was the target of cyber-attack last December.

Investigators traced the attack to an IP address in Romania. Another cyber-attack hit the computer server of Montana Department of Public Health and Human Services.

The fines are adding up as well. Parkview Health System in Fort Wayne, Indiana recently paid an $800,000 fine to OCR for unloading 71 boxes of records in a doctor's driveway. But again, that's just paper. The amount of information in those 71 boxes could be dwarfed by a single digital compromise from a cyber-attack.

As always, you can peruse OCR's "wall of shame."

A Patchwork of Laws

And federal penalties aren't the only ones waiting to trip up covered entities. Data privacy regulations vary from state to state. Recently, Florida toughened its breach notification law, which is also prompting greater calls for more uniform state breach notification laws nationwide.

Right now, those laws vary. A lot. For instance, the California Confidentiality and Medical Information Act carries a $1000 penalty per patient if a provider discloses certain medical information without the consent of the patient, says Ted Kobus, partner and co-leader of the privacy and data protection team at BakerHostetler, one of the largest law firms in the U.S., which represents covered entities in data breach cases at both the state and national level.

"Documenting and compliance are the two most important things," Kobus says. "If you're forced to do something that may not be exactly the way that you think the security rule requires you to do it, or you make a decision and accept a risk, the key is going to be documentation. If OCR comes in [and] they see that you've documented that risk, you've understood that risk, and you've responded to it in a certain way, whether it's physical controls or administrative safeguards or some other technological safeguard, you're going to be in a much better position."

Large providers, as usual, are in better shape. "The problem is there are so many healthcare providers that have small physicians' offices or small surgical centers, that may not be as prepared as a sophisticated health system," Kobus says.

What is a Data Breach?

"They don't really understand the extent of compliance that's going to be required. Many of them just aren't prepared to deal with an OCR investigation, and they're not prepared to show their compliance with the HIPAA security and privacy rules."

When I first talked to Kobus a year ago, as I reported on the HIPAA Omnibus legislation then going into effect, he was looking forward to tools the OCR said it would provide to help covered entities go through breach analyses.

A year later, he is still waiting for the release of those tools.

"We really haven't seen any firm guidance on what is considered to be a breach and what's not considered a breach," Kobus says. Some covered entities might also be over-reporting breaches due to lack of such tools, he adds.

"Over-notification doesn't serve anyone well," Kobus says. Those notified of a potential HIPAA breach may become blasé about such notifications; when they receive one that they should pay serious attention to, then they may discard the notification due to a string of prior notifications that led to no serious consequences.

The other event that probably colors the uptick in HIPAA and state breach law notifications is the Target data breach in the 2013 holiday season. "The reason everyone is talking about Target is not because of the numbers, because we've had breaches larger than Target," Kobus says.

"The reason is because every single American was affected by Target, because you either shop at Target, or you know someone who shops at Target. So everyone you know has been affected by this in some way."

The result is "a discussion that's occurring at the board level. People don't want to be the one where it happens on their watch."

For those boards, CIOs and CISOs, better breach analysis tools, or more consistent legislation cannot come soon enough. As more and more healthcare data flows across the Internet, expect more breaches, more headlines, more fines, and more questions than answers.


Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.
