Small breaches could become a big problem
In a year of high-profile, multimillion dollar settlements for large HIPAA breaches, OCR raised the stakes in a big way—by taking a harder line on small breaches. OCR announced plans to crack down on smaller breaches—those affecting fewer than 500 individuals—in August. Although all breaches must be reported to OCR, generally only breaches affecting 500 or more individuals are regularly investigated, while small breaches are investigated only as resources permit. OCR instructed its regional offices to increase investigations of small breaches to discover the root causes. Identifying common root causes will help the agency better measure HIPAA compliance throughout the industry and address industrywide compliance gaps, OCR said. Regional offices may obtain corrective action if an investigation of a smaller breach reveals noncompliance.
Regional offices were instructed to take several factors into consideration when investigating smaller breaches and determining potential corrective action. These are:
- The size of the breach
- Whether a single entity reports multiple small breaches with a similar root cause
- Whether the breach involves theft or improper disposal of PHI or hacking
A closer look
OCR has come under fire for its handling of small breaches. In late 2015, a joint Pro Publica/NPR investigation analyzed federal data on HIPAA complaints and requested documents from OCR, including letters sent to entities that were the subject of HIPAA complaints (www.propublica.org/article/few-consequences-for-health-privacy-law-repeat-offenders). The investigation identified the top serial HIPAA violators, including the Department of Veterans Affairs and CVS. OCR generally responded to these complaints by sending letters reminding the entity of its obligation to protect patient privacy and follow HIPAA, and warned that if OCR received another complaint it may take more serious action. However, OCR rarely took any further or more serious action.
One reason could be that many of these breaches affect fewer than 500 individuals. Both large and small breaches must be reported through OCR’s web portal (www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html) but there are different deadlines for reporting each and, previously, they were not equally prioritized by OCR.
But that asymmetric enforcement policy left many frustrated and means that OCR may be missing data vital to creating an overall picture of HIPAA compliance and effectiveness. An NPR report released in conjunction with Pro Publica’s investigation revealed the lasting and personal harm done by small breaches (www.npr.org/sections/health-shots/2015/12/10/459091273/small-violations-of-medical-privacy-can-hurt-patients-and-corrode-trust).
Massive breaches caused by hackers will put patients at risk for medical and financial identity theft, but, considering the amount of personal data stored by entities across all industries and the sheer number of data breaches, it’s difficult to tie a specific breach to identity theft (see the July and August issues of BOH for more information on breaches and medical identity theft). Small breaches, however, often expose PHI to people in the community the patient lives and works in, leaving the patient at risk for far more personal harm.
But OCR hasn’t ignored all small breaches. In July, the agency reached a $ 650,000 HIPAA settlement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a business associate (BA), for a 2014 breach affecting 412 individuals after an unencrypted mobile device was stolen (www.medicarecompliancewatch.com/news-analysis/business-associate-agrees-650000-hipaa-fine).
The agency’s strong action may have been spurred by CHCS’ long-standing organizationwide HIPAA noncompliance. CHCS hadn’t conducted a risk analysis since September 23, 2013, the compliance date of the Security Rule for BAs, and therefore had no risk management plan. CHCS also lacked any policies regarding the removal of mobile devices from its facility. OCR suggested that, due to CHCS’ widespread neglect of basic security measures, the fine could have been even higher and only a consideration of the role CHCS plays in delivering care to at-risk populations, including the elderly, disabled individuals, and individuals living with HIV/AIDS, tempered its decision.
Implementing OCR’s directive may be a tall order for resource-strapped regional offices and it’s difficult to predict what the outcome will be, Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts, says.
"I’m not sure it’s actually going to make a huge difference, but I think, from the beginning, those of us who were watching HIPAA enforcement were concerned that, while HHS had good intentions, they just didn’t have the resources," she says.
That’s not surprising: HHS is a huge department with many major priorities, including CMS. But, given that HHS and OCR work with limited resources, the new focus on small breaches could be a significant sign of things to come, Borten says. The agency likely recognizes that small breaches are a huge unknown: There’s no "Wall of Shame" for small breaches and little in the way of accountable reporting.
"I just have the sense that there’s an enormous volume of under 500 breaches that get reported that we don’t hear much about," she says. "So I think it’s very important that they take this step."
Some organizations may have been inclined to brush off small breaches: 499 patients is still shy of the 500 mark, she points out, and an organization could easily add it to the end of the year small breach report and forget about it. Those organizations are the ones that will be in for the biggest wake-up call. "Hopefully they’ll hear this and they’ll think again," she says.
Large breaches often grab the headlines, and with good reason. But massive incidents like the Anthem breach may not provide the most useful data for either OCR or other covered entities (CE) and BAs. Massive breaches are statistically unlikely, according to a June 2015 report by researchers at the University of New Mexico and the Lawrence Berkeley National Laboratory (www.econinfosec.org/archive/weis2015/papers/WEIS_2015_edwards.pdf).
"Certainly, you could get hit by one of those big ones," Borten says. "But it’s much more likely, far more likely, you’re going to suffer smaller breaches."
Big breaches come with the risk of big settlements. OCR makes a point of publicizing HIPAA breach settlements and putting the dollar signs front and center. This year alone the agency has levied millions of dollars in HIPAA settlements fines for large breaches. But even as HIPAA breach settlement fines are getting bigger, the numbers don’t stack up against the amount of breaches that are reported each year. Many more organizations get away with little more than a strongly worded letter from OCR. A multimillion dollar fine may be significant for most organizations, but the odds are currently in their favor, Rick Kam, CIPP/US, president and co-founder of ID Experts, says.
"The likelihood that an organization will get fined is so low," he says. "They only catch the big ones, but there are millions of others that are losing data everywhere because nobody’s looking at them."
Too often, organizations assume that if the volume of patients affected by a breach is low, the impact is also low, Borten says, and that’s simply not true. Even a breach involving a single individual’s record can have serious consequences.
As physician practices and local hospitals are absorbed into large corporate health systems, executive perspective on small breaches can become even more skewed, Borten cautions. Executive officers overseeing multiple hospitals, clinics, and physician practices may be more interested in overall numbers and the big picture. A clinical summary handed to the wrong patient at a physician office across the state may simply not register and the impact on the patient will be invisible.
But it’s the duty of privacy and security officers to avoid making that same mistake, she says. "They should be wiser than to fall into that thinking. It falls to them to take a case to the senior leadership or the board of directors and make them recognize that it isn’t just the big breaches," she says. "We worry about the little ones, too."
Privacy and security officers should help provide C-suite the perspective to recognize small breaches and give them the proper weight. A small breach can be just as serious as a large one, Borten says. If an employee posts a patient’s PHI on a social media site, for example, the organization could find itself fighting a lawsuit; even if the case is dismissed, direct legal expenses and time and resources spent preparing documents add up fast. And, as the NPR report showed, it’s not only the patient’s reputation in the community that may suffer; an organization can easily earn a reputation as careless and unconcerned with its patients’ well-being after a small breach.
Small breaches, little data
Because small breaches aren’t investigated to the same standards as large breaches, it’s difficult to measure just how HIPAA-compliant most organizations are and what the real HIPAA pain points are. Another problem is the underreporting of small breaches, Borten says. In 2013 when the HIPAA omnibus rule was released, HHS strengthened the language describing what constitutes a reportable breach. However, HHS also commented at the time that it was concerned there was a significant amount of underreporting. Borten says her experience working with CEs and BAs proves HHS was right to be concerned.
"I think there’s a tendency for underreporting to be more common when there are just one or two patients involved," she says.
In the early days of HIPAA breach notification, some may have been under the impression that CEs and BAs were not required to report breaches affecting fewer than 500 individuals at all, she adds. But that’s never been the case. Although large and small breaches are reported to OCR according to different systems and time frames, organizations are required to treat any breach the same regarding notification to patients.
Small breaches are likely more typical than large ones, Kam says. Since 2009, roughly 230,000 breaches have been reported to OCR. But only approximately 1,000 have been breaches affecting over 500 individuals and subject to the more stringent investigation procedure. Investigating all HIPAA breaches would be a daunting task for any agency, but by almost exclusively looking at large breaches, OCR left the door open for repeat HIPAA offenders. Small breaches are reported to the agency at the end of the year, but each breach is counted separately, meaning an organization could experience multiple small breaches that add up to well over 500 individuals affected—yet still not be investigated because no single breach hit the 500 mark.
"It turns out that for breaches in healthcare, most of the time, the record count is under 500 records," Kam says. "So you have these organizations that are breaching multiple times and not really correcting the situation because it doesn’t get highlighted or investigated."
OCR’s instructions to its regional offices appear aimed to close that loophole. Along with phase two of the HIPAA audit program, this could be a sign that OCR is getting serious about collecting facts on HIPAA compliance in the real world and improving education and enforcement. The agency might be realizing that it’s time to change if it expects organizations to take HIPAA compliance seriously.
"If you’re seeing the same problem over and over, you’ve got to do something to change," Kam says. "So far, nobody’s listening."