The Department of Health and Human Services' Office for Civil Rights sent a wake-up call to the health care community in January when it announced a data breach settlement with Hospice of North Idaho. The Office for Civil Rights has stepped up enforcement activity in recent months, so reaching a settlement for privacy and security violations was not news. What was different about this settlement was that it was the first time regulators took enforcement action against a provider for a breach involving fewer than 500 patient records.
In an email to SearchHealthIT, an Office for Civil Rights (OCR) representative said the office took action against Hospice of North Idaho because of the provider's "long-standing pattern of non-compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule." In particular, the provider did not conduct a risk analysis at any point from the time the requirement was inserted into the HIPAA Security Rule in 2005 through January 2012.
It didn't matter that the provider's breach involved fewer than 500 patient records, the threshold at which covered entities must report breaches to the OCR and notify affected patients. The organization's history of non-compliance, which OCR pointed out has improved since the breach, was found to be a sufficient reason to take action. The ruling should put other covered entities on notice that they may be liable for similar penalties if they do not comply with the letter of the law. The size of a breach no longer provides cover.
An overlooked problem
The increase in enforcement activity initiated by the OCR in recent months has put privacy and security near the top of the agenda of many compliance professionals. Most organizations are now aware a violation could draw a heavy penalty. But some feel health care providers are still not taking the problem of small data breaches seriously.
Pam Dixon, executive director of the World Privacy Forum, said most organizations are focused on avoiding the Department of Health and Human Services' (HHS) "Wall of Shame," a publicized collection of breaches involving more than 500 patient records. Furthermore, many providers worry about admitting liability by notifying patients of a breach when the law states they do not have to, as is the case in small data spills. Consequently, they often do not respond to small breaches.
This can be a serious problem, because, as Dixon points out, victims of small breaches often suffer more serious reputational or financial harm than victims of large breaches.
Breaches involving several thousand patient records often result from the loss or theft of a laptop or thumb drive that contains protected health information (PHI). And while there may not be intent on the part of a bad actor to use that data for inappropriate purposes, Dixon said breaches involving 30 to 40 patients are more often the result of hacking, in which someone targets the information of specific patients. These patients are more likely to be the victims of identity theft.
"So if you have 30 people who are intentionally breached, the likelihood is that you're going to have 30 people who are the victims of some kind of mischief," Dixon said.
She said she would like to see more states start putting in place regulations that hold providers accountable for small data breaches. Dixon described the federal HIPAA regulations as a floor -- the minimum which should be expected of health care providers. States can put in place regulations that mandate stronger security than what is required by HIPAA.
Why small breaches receive little attention
Few health care providers would intentionally leave PHI at risk, but security is often misunderstood and responding to small breaches becomes a low priority, said Brian Balow, a lawyer with the firm Dickinson Wright, PLLC, who counsels health care providers on data privacy and security.
"It's one of those things that goes on everybody's checklist to get done, but when push comes to shove, it's the kind of thing that just slips and slips," Balow said. "Until there's an issue, many just cross their fingers and think, 'When I get to it, I get to it.'"
This lack of attention magnifies the harm that can be done by small data breaches. HIPAA reporting rules state breaches affecting fewer than 500 patient records only have to be reported to the OCR at the end of each year. The organization does not have to notify patients or the local media. Because there is no immediate enforcement threat, practices may feel like they are getting a free pass and fail to proactively respond.
But Balow said a small breach is typically indicative of larger privacy and security problems. And if an organization experiences a large data spill after failing to correct technical issues or process failures that initially caused small breaches, it is more likely to be found grossly negligent or willful in its refusal to comply with HIPAA. This drastically increases the risk of fines.
"You'd be playing with fire to just go on with business as usual," he said.
Expect more fines for small breaches
The OCR stirred up excitement when it announced its settlement with Hospice of North Idaho because it was the first time a covered entity had been fined for a breach affecting fewer than 500 patients, but health care providers should get used to this kind of enforcement.
Angela Dinh Rose, director of health information management solutions at the American Health Information Management Association (AHIMA), said she wasn't surprised to hear of the settlement because the OCR has indicated it intends to step up enforcement. While people used to comment that there was no HIPAA police, covered entities and business associates can now expect to be held accountable for their privacy and security practices.
"It didn't shock me," Rose said. "It wasn't surprising because this is what is expected of us now. They mean business, and anybody who thinks that privacy and security compliance is going away or isn't going to be taken seriously is mistaken."