I know I often talk here about HIPAA requirements, HIPAA breaches, and HIPAA fines. That is because I believe this to be a very important issue . . . one that small and mid-sized behavioral health organizations do not seem to concern themselves with very much. The matter of doing a practice becomes the driving factor, and regulatory requirements get glossed over.
I wanted to be sure you have the information from a recent notice from the Office for Civil Rights (OCR). In an email to the OS OCR Privacy List, OCR announced an initiative to more widely investigate smaller breaches.
Beginning this month, OCR, through the continuing hard work of its Regional Offices, has begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals. Regional Offices will still retain discretion to prioritize which smaller breaches to investigate, but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches. Among the factors Regional Offices will consider include:
* The size of the breach;
* Theft of or improper disposal of unencrypted PHI;
* Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
* The amount, nature and sensitivity of the PHI involved; or
* Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.Regions may also consider the lack of breach reports affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates.
Let me explain the thinking behind this initiative. OCR believes that breaches of PHI occur because of certain root causes. They have largely focused on large breaches in order to determine the root causes of such events because they affect so many people.
The root causes of breaches may indicate entity-wide and industry-wide noncompliance with HIPAA’s regulations, and investigation of breaches provides OCR with an opportunity to evaluate an entity’s compliance programs, obtain correction of any deficiencies, and better understand compliance issues in HIPAA-regulated entities more broadly.
Focusing on smaller breaches will allow OCR to begin to determine if root causes in smaller events are the same as or different from those in larger events. This will hopefully result is recommendations about how smaller organizations can remedy any problem situations.
Remember, if the PHI you maintain is located on computers, removable drives, or cloud storage that is fully encrypted (while in motion and while at rest), it is considered a safe harbor. The obvious simplest solution for everyone is to encrypt every place in which the PHI for which you are responsible resides electronically . . . your computers, your storage, your emails . . . and to be sure your file cabinets are locked!
Seth Krieger says:
I would just like to highlight this paragraph (my own emphasis added):
“… Regions may also consider THE LACK OF BREACH REPORTS affecting fewer than 500 individuals when comparing a specific covered entity or business associate to like-situated covered entities and business associates…”
At the end of each calendar year, every covered entity and business associate is required to submit details of smaller breaches (less than 500 individuals). OCR knows that virtually every healthcare provider has, at least, a handful of incidental breaches during the course of a year. For example, many SOS customers have emailed unencrypted screenshots or reports that include PHI. These things happen and you are supposed to report them. The quote above suggests that auditors may flag providers if they are NOT reporting the kinds of common breaches that are expected and reported by other similar practices. Any practice striving for full compliance should be reporting *something* by way of breaches each year. Failure to report anything is almost like a working person not filing taxes, and could be interpreted as suspicious lack of compliance.
Kathy says:
I agree with you, Seth. I think this is the way that small organizations will find themselves in difficulty. Failing to report small, incidental data breaches may be the way that OCR spots flagrant failure to have and apply appropriate Privacy and Security practices in an organization.