Coming on the heels of the 20th anniversary of HIPAA, the Office for Civil Rights (OCR) has announced they are redoubling their efforts to investigate smaller data breaches, defined as incidents affecting fewer than 500 individuals.
Here is their proposal and how to strengthen the security of your practice or healthcare facility in response.
On August 18, 2016, the OCR sent an email detailing the shift in breach investigations. To date, the OCR Regional Offices have investigated every reported breach affecting 500 or more patients. Smaller breaches were only investigated if resources permitted.
Following the evaluation of a series of smaller breaches and the resulting substantial settlements — such as Catholic Health Care Services ($650,000), Triple-S ($3.5 million), and QCA Health Plan, Inc. ($250,000) — the OCR has "begun an initiative to more widely investigate the root causes of breaches affecting fewer than 500 individuals." Hospice of North Idaho ($50,000), the first small HIPAA breach resulting in a settlement, was also cited in the announcement.
The Regional Offices still retain discretion regarding which of the smaller breaches will be investigated; however, "each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches."
The following factors will be considered during that process:
1. The size of the breach;
2. Theft of or improper disposal of unencrypted PHI;
3. Breaches that involve unwanted intrusions to IT systems (for example, by hacking);
4. The amount, nature and sensitivity of the PHI involved; or
5. Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.
A 2016 Physicians Practice survey found that 62 percent of practices have failed to conduct a risk analysis thus far and less than half of them were planning to complete one within the next six months. Since healthcare was the "most-attacked" industry in 2015, leading to the compromise of more than 100 million records, delaying such assessments is not recommended.
While an ongoing compliance plan is imperative, a critical first step for these practices would be to perform a thorough HIPAA risk analysis to help identify security weaknesses and vulnerabilities. Beyond that, written HIPAA policy and procedure templates (P&Ps) can be instrumental in ensuring compliance with each of the HIPAA regulations. These templates, once completed, should be easily shareable and accessible so that employees of the organization can refer to them as needed. The implementation of these two processes alone — the risk analysis and P&Ps — can close significant gaps in security and quickly improve overall HIPAA compliance.
How will this OCR policy change affect your practice or healthcare facility? Any changes you plan to implement? Please join the conversation below.