The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is reporting a significant increase in HIPAA Privacy and Security breaches. OCR data indicates that HIPAA privacy and security breaches compromised the Personal Health Information (PHI) of more than 41 million people. Recent studies report that healthcare now ranks as the second highest sector experiencing data security incidents, after business services. For healthcare providers in particular, the data reveals a 320% increase in the number of hacks in 2016 compared with the previous year. The Symantec “2017 Internet Security Threat Report” found that in the healthcare sector (a) over half of emails contained spam; (b) one in 4,375 emails was a phishing attempt; and (c) email-borne ransomware increased by 266% during 2016. One such ransomware strain caused the recent global cyberattack in May, affecting more than 150 countries. In that cyberattack, 45 British hospitals and other medical facilities were hit especially hard: doctors were blocked from accessing patient files, and emergency rooms had to divert patients. Breaches involving stolen or lost mobile devices also continue to be a major problem, as was evident in the recent case of Lifespan. Lifespan notified 20,000 patients of a privacy breach resulting from a MacBook work laptop being stolen from a locked car. The Ponemon Institute further found that data breaches are likely to cost the healthcare industry an estimated $6.2 billion annually.
Earlier this year, OCR announced its first enforcement settlement resulting from a failure to make a timely breach notification, and it has issued similar enforcement actions in the weeks since. This increased enforcement effort aligns with the emphasis OCR placed on compliance with the Breach Notification Rules when it launched the Phase 2 audit program last year. In addition to OCR's oversight authority over HIPAA Privacy, more states are passing data breach notification laws. The differing rules at the federal and state levels, combined with varying state compliance requirements, notification rules, and non-compliance penalties, make the protection of PHI and other data increasingly complicated. It is also important to consider that, for the same data breach, multiple jurisdictions could each impose penalties, and those penalties can stack. Accordingly, compliance and privacy professionals should ensure that their organization has a comprehensive HIPAA Breach Response Plan in place.
Practical tips for establishing an effective HIPAA Breach Response Plan include the following:
- Ensure that the breach response plan outlines all necessary action steps;
- Designate the responsible authority to lead the response team when a breach occurs;
- Notify upper management after gathering the facts;
- Define steps to contain and eradicate the intrusion from all affected systems and prevent the breach from spreading;
- Define how any compromise of system or network integrity will be eliminated;
- Include a notification plan for the following parties: internal parties, patients, appropriate government agencies, and possibly the media;
- Establish steps to determine how the breach occurred, what data was compromised, and who might be responsible for the breach;
- If required, consult with trained digital forensic experts to determine how and why the breach occurred;
- Outline action steps to determine the security state of all laptops, mobile devices, and other electronic devices; and
- Specify how documentation of all actions will be maintained, so as to evidence that all the proper actions were taken promptly, especially if governmental authorities may become involved.