The 2019 Breach Barometer Report is not good news for the health care industry: it documents a massive increase in exposed health records despite the HIPAA Security Rule.
The purpose of the HIPAA Security Rule is principally to make sure that electronic protected health information ("EPHI") is adequately secured, that access to EPHI is controlled, and that an auditable trail of EPHI activity is kept.
The 2019 Breach Barometer Report noted that, although there was only a small increase in 2018 in the number of breaches reported, there were three times the number of patient records, more than 15 million, exposed by those breaches.
Hacking was the largest category of breaches in 2018, accounting for 44 percent of those reported, followed by insider breaches at 28 percent, loss and theft at 14 percent, and 13 percent resulted from an unknown cause.
So why have the number of breaches and the number of records affected continued to rise year after year? It is hard to blame a lack of enforcement, given the huge settlements in lieu of civil money penalties ("CMPs") that the U.S. Department of Health and Human Services ("DHHS") has collected in the past few years. Covered entities and business associates, even though aware of the seven-figure penalties (and one eight-figure penalty), may reason that those sanctioned are isolated cases and that it won't happen to them. That is not a risk management strategy the author would recommend.
Another reason, which personal observation around the country confirms for this author, is failure to conduct an initial risk analysis or failure to update it as required by the Evaluation Standard. Failure to conduct a risk analysis constitutes willful neglect, the highest category of penalty and a penalty that cannot be waived. A cursory review of the CMPs and settlements in lieu thereof demonstrates that failure to do a risk analysis or to update it is the single biggest compliance failure in those cases.
Another reason may be that the health care industry is heavily regulated and that, for lack of time, lack of resources, or a judgment that other compliance issues matter more, it does not make HIPAA compliance a priority.
The CMPs and settlements are not, however, the only costs of breaches. Remediation, including sending the notice required by HIPAA for some breaches, can be more costly than the CMP or settlement. Blue Cross/Blue Shield of Tennessee, for example, settled with DHHS for $1.5 million but incurred $17 million in remediation costs.
The average cost of a health care organization's data breach is $355 per health record, according to a survey by the Ponemon Institute, which conducts independent research on data protection and emerging information technologies.
So if you haven’t done an initial risk analysis or updated your previous one, do so now!
HIPAA does not specify how often to update it, but a good rule of thumb is at least annually and whenever there is a significant change that could affect data security, such as a move to new premises, the introduction of a new system, or a security incident. Blue Cross/Blue Shield of Tennessee's breach resulted from not updating its risk analysis when it moved its operations to a new leased building where security was poor enough that a burglar broke in and took equipment and media containing its insureds' data.
For a more complete analysis of the effect of HIPAA more than 20 years after its enactment, see my article “20 Plus Years of HIPAA and What Have We Got?” Quinnipiac Health Law Journal, vol. 22:3: 39-106 (2018).
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on our Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation.
Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if DHHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist.
If you have had a security incident that you were unsure what to do about, or if you are concerned that you may have one, consider reading Jon's book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.