Breach Rule Enforcer Offers AdviceSecurity Awareness a Key to Preventing Health Info Breaches
Holtzman, health information privacy specialist at the Department of Health and Human Services' Office for Civil Rights, notes that the theft or loss of various electronic devices or paper records account for a majority of the major breaches reported to OCR so far under the breach notification rule.
Organizations that successfully create a culture of compliance and promote good data stewardship will "be at lower risk of having a breach or having your data sitting on a laptop that's unprotected in the airport or in somebody's car while it's parked at the grocery store," Holtzman says. His comments came at a HIPAA Security conference co-sponsored by OCR and the National Institute of Standards and Technology.
"When we investigate organizations that have reported large breaches, we find that many are very responsive," Holtzman says. "Those organizations that have good foundations of policies and procedures respond better to incidents."
Other Breach Prevention TipsBased on the breach incidents reported so far, Holtzman advises healthcare organizations to:
- Make widespread use of encryption, especially for data stored on various devices, including laptops.
- "Do not neglect physical safeguards for areas where paper records are stored and used."
- Consider reducing risk by using network or enterprise storage rather than storing protected health information on devices, such as laptops or desktops.
- "Create clear and well-documented administrative and physical safeguards for storage devices and removable media" that are used to store protected health information.
Breach StatisticsAs of May 12, OCR's list of major health information breaches affecting 500 or more individuals totaled 272 incidents affecting nearly 10.9 million. The list reflects major breaches reported since September 2009, when the HITECH Act's interim final breach notification rule took effect.
Holtzman says theft and loss account for 67 percent of these major breaches. In contrast, hacking incidents account for only 7 percent of incidents.
In addition to the reports of major breaches, OCR had received 31,000 reports of breach incidents affecting less than 500 individuals through March.
HIPAA AuditsOne of the HITECH Act's provisions to help prevent breaches is a mandate that OCR create a HIPAA compliance audit program, which is now long overdue.
At the conference, Susan McAndrew, OCR's deputy director for health information privacy, revealed that the agency plans to soon hire a contractor "to help us pilot one auditing model proposed to us."
McAndrew declined to offer any specifics about the model, and she wouldn't say when the pilot would be completed nor when the audit program might begin.
She also noted that a final version of the breach notification rule will be included in an omnibus package of regulations coming out sometime this year (see: HITECH Mandated Regs Still in Works). Meanwhile, the interim final version of the rule remains in effect.