Each quarter Alan Davis at Proteus Consulting, LLC, distributes the Northwest’s Security Bulletin: HIPAA Safe. While it typically focuses on the HIPAA Security Rule, the spring issue of HIPAA Safe focuses on preparing for a data breach.
Before diving into Davis’ recommendations for pre-breach activities and processes, let’s examine the breaches that occurred during 2014.
ePHI Data Breaches: 2014
Over the 12 months of 2014, approximately 9 million patients were affected by ePHI data breaches. That’s over 1000 patients per hour! Below you’ll find the table outlining 2014’s 164 ePHI data breaches, included in this quarter’s HIPAA Safe.
While theft was the most frequent breach type, with 67 incidents, hacking or IT incidents caused the highest number of patient records lost. Even though there were just 23 such incidents over the year, nearly 5 million patient records were compromised.
Key Takeaway for Covered Entities: CEs need to ensure that their networks are secure and free from vulnerabilities.
Devices You May Miss
Most often when we think of patient data, we envision a record located somewhere inside a typical desktop computer. However, patient data doesn’t only exist there. Davis points out that medical devices are one of the most often-overlooked facets of a CE’s typical risk assessment process. Almost all medical devices either store or transmit patient information, and some even connect with billing systems. This means that omitting any medical device from a security risk analysis almost surely will result in vulnerabilities.
Key Takeaway for Covered Entities: Identify and note each system that stores or transmits ePHI, place appropriate controls on those that meet standards and replace those that cannot be fully protected.
Security Incident & Breach Planning
Knowing what to do immediately after you suspect a breach has occurred is essential, regardless of the number of safeguards you may have in place. The best approach to incident management is to craft a detailed and comprehensive process. Davis suggests that the goal shouldn’t be to have a specific plan for every single breach possibility, but to have a broad approach and sequential steps that can be applied in every situation. Having a Security Incident Plan in place will allow CEs to respond to, and even avoid, potentially dangerous threats to ePHI.
Key Takeaway for Covered Entities: Formulate a comprehensive Security Incident Plan that is maintained and reviewed by the CE’s HIPAA Security Officer.
The Breach Notification Rule (§164.402) is a facet of the HIPAA regulations that most CEs would rather not think about. But as we said before, knowing what to do after a breach is essential! That includes reporting the breach to the proper entities. It’s important to note that both Covered Entities and their Business Associates must have procedures in place to demonstrate compliance with this rule.
To facilitate breach reporting, the Office of Civil Rights (OCR) updated the online portal where CEs must report all breaches (45 CFR §164.408). The new portal is “significantly different” from the previous one and offers many more functions and more specific recommendations.
Key Takeaway for Covered Entities: CEs and BAs must have policies and procedures in place that comply with The Breach Notification Rule, and must also report any and all breaches to the OCR.
Here at HIPAA One, we look forward to Alan Davis’ HIPAA Safe bulletin every quarter. Each one is full of actionable items for Covered Entities and Business Associates alike. To read the entire issue, as well as archived issues, be sure to head over to Proteus Consulting.