The Anthem data breach last February served as a wake-up call to many Privacy, Security, and Compliance Officers, since it represented one of the largest data breaches to date. Additionally, a large number of other notable breaches of protected health information (PHI) have occurred recently in all sectors of the health care industry. In Anthem's case, hackers gained access to databases containing customer and employee identifying data. As a result of this breach, many professionals in the health care compliance arena began to ask themselves how Anthem, a major health insurance plan provider, could have a breach exposing approximately 80 million records. Most people assume that large insurance companies utilize the most sophisticated and secure systems, and wonder what Anthem's breach could mean for other, less sophisticated operations.
Breaches of medical data are far more prevalent than what is reported in the media. Interestingly, only approximately one in twenty PHI data breaches is caused by hackers, as was the case with Anthem. Although hackers can expose larger amounts of data, the most common type of breach involves lost or stolen laptops and mobile storage devices, such as flash drives, smartphones, and tablets, that were unencrypted or only password protected. Commonly, these types of breaches affect fewer than 500 individuals. Based upon HHS Office for Civil Rights (OCR) data, about four out of five large HIPAA privacy and security breaches were the result of theft. The other major cause of breaches is unauthorized access.
Since 2003, the OCR has been responsible for enforcing the HIPAA Privacy and Security Rules and for setting electronic PHI security standards. The OCR has also maintained records of reported breaches since then. The HIPAA Breach Notification Rule requires covered entities and business associates to notify OCR following a breach of unsecured PHI. Under the HITECH Act, a list of breaches of unsecured PHI affecting 500 or more individuals must be posted on the OCR website. It is worth reviewing, since the website provides information regarding the entity type, location, the number of individuals affected, the breach date and type, and where within the system the breach occurred.
Contrary to what most people would expect, after a decade of HIPAA Privacy and Security efforts, breaches are not declining. OCR reports demonstrate a continuing increase in the number of reported data breaches of PHI. In its first year, OCR received 3,742 PHI breach complaints. The annual number of complaints reported by OCR has increased every year since then, except in 2009. In the most recent year reported by OCR, the number of reported breaches has grown to about 13,000. Based upon OCR published data, more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. However, since breaches involving fewer than 500 individuals do not require public disclosure, this figure is likely to be a major understatement of the actual number of affected individuals.
OCR reports that the compliance issues investigated most, in order of highest frequency, include:
- Impermissible uses and disclosures of PHI
- Lack of safeguards of PHI
- Lack of patient access to their PHI
- Lack of administrative safeguards of electronic PHI
- Use or disclosure of more than the minimum necessary PHI
As a result of investigation, and to achieve voluntary compliance, the OCR requires covered entities to take corrective action. The most common types of covered entities that have been required to take corrective action, in order of frequency from most to least, are: (a) private practices; (b) general hospitals; (c) outpatient facilities; (d) pharmacies; and (e) health plans. Note that the category least often investigated by OCR is the type of organization that Anthem falls into, and the most common type is private practices. Private practices most often have breaches as a result of lost or stolen laptops or external drives containing PHI that could easily have been protected with the proper controls. For hospitals and outpatient facilities, breaches also frequently occur when laptops, flash drives, cell phones, and other external devices containing PHI belonging to physicians and other health care professionals are lost or stolen.
To avoid the risk of a PHI breach, institutional providers must have baseline security reviews of their systems containing PHI. However, many institutions fail to meet this standard and instead rely upon representations made by their IT professionals, who may lack an understanding of the specific HIPAA requirements or of how those requirements apply to their systems. To assess and control risks, technical reviews focusing on proper encryption, application security, and the technical safeguards utilized within the institution's internal and external systems (i.e., business associates) must be combined with administrative reviews. An independent HIPAA Security Assessment that satisfies the evaluation standard and combines both administrative and technical vulnerability reviews, including penetration testing and vulnerability scans, is an investment not only in compliant care and service for patients but also in good risk management practice.