Focusing HIPAA Security Based on HHS’s 2011-2012 Annual Breach Report

by Leonardo M. Tamburello

The Department of Health and Human Services (HHS) recently released its 2011-2012 annual report to Congress on breaches of unsecured personal health information (PHI). In addition to the staggering number of individuals whose PHI was the subject of such breaches, this report, along with a companion report focused on breach notification rule compliance, provides valuable insight into OCR’s compliance trends.

In 2011 and 2012, breaches involving over 500 individuals accounted for almost 98 percent of all individuals (almost 15 million) whose PHI was compromised during those two years.

These data highlight key areas of vulnerability, particularly with respect to electronic PHI (ePHI). With the increasing adoption of certified EHR technology through Meaningful Use, the potential for technological exploitation of ePHI vulnerabilities will continue to multiply. Strategies that could offset this risk include:

  1. Updating and Monitoring Risk Analyses and Risk Management.  OCR has already identified risk analysis and risk management as areas of increased compliance scrutiny. All PHI handlers must perform a thorough risk analysis that identifies and addresses potential risks and vulnerabilities to all ePHI in their ecosystem, regardless of its form or location.  This review should cover all computers, tablets, mobile devices, USB “flash” drives, and network transmission of ePHI.
  2. Conducting Regular Security Evaluations.  Security evaluations should be done periodically and also incorporated into any change in operations, such as a facility, office, or data relocation, that could potentially affect the security of PHI.  Clear policies and procedures should be put in effect to ensure that adequate physical and technical safeguards remain in place from the start of the transition period through the resumption of normal operations.  Technical evaluations of new software, hardware, websites, and other changes to IT infrastructure should be performed by qualified experts before these systems go “live,” to ensure that ePHI will not be inadvertently exposed.
  3. Monitoring Security and Control of All Portable Electronic Devices.  Policies should be implemented requiring that ePHI stored on and transported by portable electronic devices be properly safeguarded.  This includes mandating the use of appropriate encryption technologies, along with clear policies and procedures concerning the receipt and removal of portable electronic devices and media containing PHI and how such information must be secured while off-site.
  4. Secure Disposal of PHI and Media Containing PHI.  Employees should be given clear procedures to ensure the destruction of paper-based PHI, including documenting the proper disposition of the files.  Similarly, if an electronic device is going to be reused or repurposed, it should first be securely wiped to ensure that all ePHI is removed and rendered unrecoverable.  Any discarded electronic devices should be securely destroyed, and that process should be adequately documented.
  5. Securing Physical Access Controls.  Physical security should not be overlooked in the technological landscape of modern healthcare. Organizations should ensure that physical access to their facilities and workstations is limited to authorized employees.
  6. Continuous Employee Training.  Privacy and security policies and procedures are virtually worthless if employees are not properly trained on them.  Employees and managers should be trained (and re-trained) on high-risk areas such as proper disclosure of PHI and security requirements.  Employees should also be made aware of the sanctions and other consequences for failing to follow proper security and privacy policies and procedures.

HHS has previously stated that in 2014 it will emphasize compliance and security more than ever.  Already in 2014, HHS has collected more in resolution agreement settlements than it did in all of 2013.  Securing PHI is not only required by HIPAA; it also makes sound business sense in case your organization is investigated or randomly audited for HIPAA compliance.