TRANSCRIPT
Lessons Learned from Recent HIPAA Breaches
HHS Office for Civil Rights
BREACH NOTIFICATION RULE
"Breach": Impermissible acquisition, access, use, or disclosure of PHI (paper or electronic), which compromises the security or privacy of the PHI.
Safe Harbor: If the PHI is encrypted or destroyed.
Breach is Presumed and Must Be Reported, UNLESS:
• The covered entity (CE) or business associate (BA) can demonstrate (through a documented risk assessment) that there is a low probability that the PHI has been compromised, based on:
– Nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification);
– The unauthorized person who used the PHI or to whom the disclosure was made;
– Whether the PHI was actually acquired or viewed; and
– The extent to which the risk to the PHI has been mitigated.
Focus on risk to the data, instead of risk of harm to the individual.
OCR NIST 2015 2
500+ BREACHES BY TYPE OF BREACH (as of 8/28/2015)
Type of breach: share of 500+ breaches
• Theft: 48%
• Loss: 9%
• Unauthorized Access/Disclosure: 21%
• Hacking/IT: 10%
• Improper Disposal: 4%
• Other: 8%
• Unknown: 1%
500+ BREACHES BY LOCATION (as of 8/28/2015)
Location of breached PHI: share of 500+ breaches
• Paper Records: 22%
• Desktop Computer: 12%
• Laptop: 20%
• Portable Electronic Device: 10%
• Network Server: 13%
• (category label missing from transcript): 8%
• EMR: 4%
• Other: 11%
BREACH HIGHLIGHTS
September 2009 through August 28, 2015
• Approximately 1,310 reports involving a breach of PHI affecting 500 or more individuals
– Theft and Loss are 57% of large breaches
– Laptops and other portable storage devices account for 30% of large breaches
– Paper records are 22% of large breaches
• Approximately 179,000+ reports of breaches of PHI affecting fewer than 500 individuals
CLOSED INVESTIGATED CASES
RECURRING ISSUES
• Business Associate Agreements
• Risk Analysis
• Failure to Manage Identified Risk, e.g. Encrypt
• Lack of Transmission Security
• Lack of Appropriate Auditing
• No Patching of Software
• Insider Threat
• Improper Disposal
• Insufficient Data Backup and Contingency Planning
RECENT ENFORCEMENT ACTIONS
• St. Elizabeth’s Medical Center (electronic)
• Cornell Prescription Pharmacy (paper)
• Anchorage (electronic)
• Parkview (paper)
• NYP/Columbia (electronic)
• Concentra (electronic)
• QCA (electronic)
• Skagit County (electronic and paper)
BUSINESS ASSOCIATES
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
RISK ANALYSIS GUIDANCE
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
• http://scap.nist.gov/hipaa/
• http://www.healthit.gov/providers-professionals/security-risk-assessment
MOBILE DEVICES
http://www.healthit.gov/mobiledevices
SECURITY RULE RESOURCES
OCR Security Rule Resource Center: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
DISPOSAL
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html
QUESTIONS?