BreachExchange mailing list archives

Reporting HIPAA Breaches: A New Approach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 27 Jan 2015 19:32:52 -0700

http://www.databreachtoday.com/reporting-hipaa-breaches-new-approach-a-7830

As the number of health data breaches continues to climb, the Department of
Health and Human Services is taking steps to make the process of using
online tools to report breaches more efficient, hoping that will help ease
the launching of investigations.

As of Jan. 23, the HHS Office for Civil Rights' tally of major health data
breaches included 1,199 incidents affecting 41.5 million individuals that
have occurred since OCR began tracking breaches in September 2009. At the
end of 2014, the tally stood at 1,186 total incidents affecting 41.3
million individuals (see Biggest Health Data Breaches in 2014).

OCR, which oversees HIPAA enforcement, recently migrated breach reporting
forms to an enhanced Web portal. "These changes to the breach portal are
one of a number of significant process improvements on our backend that
have resulted in tremendous efficiency for our investigative work," an OCR
spokeswoman tells Information Security Media Group.

The new portal for submitting breach reports contains a note that the site
is undergoing unspecified "improvements" through April 30, 2015. Among the
new features so far is an expanded question asking organizations about
their "actions taken" in response to their reported breach.

Some of the responses that organizations can check off are: adopting
encryption technologies; changing or strengthening password requirements;
creating new or updated security rule risk management plans; implementing
new technical safeguards; improving physical security; revising business
associate contracts; and providing training or retraining to BAs or
workforce members.

The OCR spokeswoman declined to comment on exactly how that new information
will be used in OCR investigations.

Achieving Twin Objectives

But OCR Director Jocelyn Samuels said in a statement provided to ISMG: "The
breach notification requirements are achieving their twin objectives of
increasing public transparency in cases of breach and increasing
accountability of covered entities and business associates. The reports
submitted to OCR indicate that millions of affected individuals are
receiving notifications of breaches. At the same time, more entities are
taking remedial action to provide relief and mitigation to individuals and
to secure their data and prevent breaches from occurring in the future."

The leader of OCR says the office "continues to work with the covered
entities and business associates to ensure appropriate remedial action is
taken to address the causes of the breaches, to prevent future incidents,
and to mitigate harm to affected individuals, as well as to ensure full
compliance with the breach notification requirements."

OCR is trying to become more efficient in its breach and HIPAA complaint
investigations as the number of these incidents grows. Samuels recently told
reporters that the agency expects to receive about 17,000 HIPAA complaints
this year.

In her statement provided to ISMG, Samuels says, "Anecdotally, we can say
that we continue to see a rise in the number of reported breaches and
individuals affected. Much of that, I think, may be attributed to covered
entities and business associates' better understanding their compliance
obligations under the breach rule."

Business associates are directly liable for HIPAA compliance under the
HIPAA Omnibus Rule, which went into effect in 2013.

Besides trying to make its breach and HIPAA complaint investigation
processes more efficient, OCR is also working on other enforcement
projects, including resuming its long-overdue HIPAA audit program, which
remains stalled (see HIPAA Audits Are Still On Hold).

'Wall of Shame' Updates

In addition to launching the new Web portal for submitting breach reporting
forms, OCR has updated its "wall of shame" website that lists health data
breaches affecting 500 or more individuals.

"These breaches are now posted in a new, more accessible format that allows
users to search and sort the posted breaches," notes a message on the
refreshed site. "Additionally, this new format includes brief summaries of
the breach cases that OCR has investigated and closed, as well as the names
of private practice providers who have reported breaches of unsecured
protected health information to the HHS secretary."

OCR did not respond to an ISMG inquiry about whether OCR will add back to
the tally a column that previously listed when breaches were posted to the
website.

Tally Update

Among the most notable incidents added to the federal breach tally in
recent weeks is the Sony Pictures Entertainment hacking attack that
compromised 30,000 employees' health information, as well as a massive
amount of other corporate information.

That incident, which occurred on Nov. 24, is listed on the OCR tally as a
breach involving "Sony Pictures Entertainment Health and Welfare Benefits
Plan", a health plan that provides medical insurance and other benefits for
Sony employees.

"Many large companies are self-insured through some third party
administrator, or TPA," notes security expert Tom Walsh, president of the
consulting firm tw-Security, which was recently rebranded from its former
name, Tom Walsh Consulting. So it's no surprise that Sony would store
employee health information, he says. "I'm sure that there are a lot of
companies that rely on their TPA to know what is legally required regarding
their employees' PHI. This should be a wakeup call for all companies that
are self-insured."

The Sony incident offers an important reminder for all organizations, not
just healthcare organizations, to reassess their safeguards for protecting
any sensitive employee health data from external threats, says healthcare
and HIPAA attorney Susan A. Miller (see Protecting Employee Health Data).

Breaches on the Rise

OCR's Samuels tells ISMG, "In terms of numbers of individuals affected and
types of breaches, based on what we have been seeing, I think it is safe to
say that the number of individuals affected by hacking/IT incidents is on
the rise. It is essential that our regulated industry take action to
appropriately safeguard the ePHI that they hold from these types of threats
and hazards."

Adds Walsh, the consultant: "If the government or big businesses - like
Sony - which have far greater resources than most healthcare systems or
community-based hospitals, get hacked, any organization can get hacked.
There is no way to defend against every attack if the hacker has enough
time and other resources. The goal is to make them work hard to the point
they'll move to a softer target."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss