[BreachExchange] Feds plan to investigate more healthcare breaches

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 22 20:25:40 EDT 2016


http://www.healthdatamanagement.com/news/feds-plan-to-investigate-more-healthcare-breaches

The HHS Office for Civil Rights, which enforces rules surrounding HIPAA,
has announced it will investigate breaches of protected health information
affecting fewer than 500 individuals.

In September 2015, the HHS Office of Inspector General recommended that OCR
begin posting smaller data breaches on its public web site, and OCR now is
doing that. The site previously only listed breaches affecting 500 or more
individuals.

In the announcement, OCR cited five recent settlements with covered
entities that had smaller breaches; the settlements included financial
fines and imposition of corrective action plans. But some of these smaller
breaches are not recent, highlighting settlements reached one or more years
ago.

The settlements included Catholic Healthcare Services of the Archdiocese of
Philadelphia ($650,000 on June 29, 2016), Triple-S Management Corp. ($3.5
million on Nov. 30, 2015), St. Elizabeth’s Medical Center in Brighton,
Mass. ($218,400 on July 10, 2015), QCA Health Plan ($250,000 on April 22,
2014), and Hospice of North Idaho ($50,000 on Jan. 3, 2013).

It’s not surprising that OCR now has formally announced more aggressive
reviews of smaller breaches, says Thad Phillips, a principal consultant at
tw-Security, a consultancy. In 2013, Leon Rodriguez, then director at OCR,
warned covered entities that regardless of size, providers needed to better
protect patient information and said OCR would expand investigations of
smaller breaches, Phillips says.

HIPAA settlements that include fines along with corrective action plans
will continue, Phillips believes. If OCR wants to expand its audit program
across the nation and conduct more expansive investigations of smaller
breaches, it will need more resources.

“They’re sending another warning shot, but a lot louder,” he notes, adding
he would not be surprised if the agency outsourced some OCR investigations
to contractors to support intentions to conduct more audits. “I think
they’re going to start big and stay big.”

Margret Amatayakul, president at security firm MargretA Consulting, says
it's interesting that OCR is targeting smaller breaches for more extensive
investigation. Under HIPAA, these breaches must be reported in an annual
report, not as they happen.

“I have HIPAA risk analysis clients that have never had or at least never
reported small breaches, whereas I believe they probably have had small
breaches and may not be aware of them or the reporting requirement,” she
says. “I have a couple of clients who report every single breach throughout
the year—even in cases where I don’t think they are breaches and don’t need
to report them.”

What’s important about the new OCR focus, Amatayakul notes, is that closer
examination of smaller breaches could bring trouble over incidents that
previously drew little scrutiny. “If I were OCR, I’d look at
organizations that have had a lot of small breaches as potential targets
for investigation.”

Another well-known healthcare security consultant, Kate Borten at
Marblehead Group, sees OCR’s new approach as reasonable. “OCR had to
prioritize its investigative resources, so initially focusing on larger
breaches made sense. Hopefully now, their investigations are more routine
and can be conducted more efficiently. Hence, OCR now can broaden the scope
to include certain critical smaller breaches.”