
Lessons Learned from Recent HIPAA Breaches
HHS Office for Civil Rights

BREACH NOTIFICATION RULE

“Breach:” Impermissible acquisition, access, use, or disclosure of PHI (paper or electronic) which compromises the security or privacy of the PHI.

Safe Harbor: If the PHI is encrypted or destroyed. (Encryption only qualifies if the decryption key was not also compromised; HHS guidance calls for keeping keys on a device or at a location separate from the encrypted data.)

Breach is Presumed and Must Be Reported, UNLESS:

• The covered entity (CE) or business associate (BA) can demonstrate (through a documented risk assessment) that there is a low probability that the PHI has been compromised, based on:
  – Nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification);
  – The unauthorized person who used the PHI or to whom the disclosure was made;
  – Whether the PHI was actually acquired or viewed; and
  – The extent to which the risk to the PHI has been mitigated.

Focus on risk to the data, instead of risk of harm to the individual.

OCR NIST 2015

BREACHES AFFECTING 500 OR MORE INDIVIDUALS, BY TYPE OF BREACH

as of 8/28/2015

• Theft: 48%
• Loss: 9%
• Unauthorized Access/Disclosure: 21%
• Hacking/IT: 10%
• Improper Disposal: 4%
• Other: 8%
• Unknown: 1%

BREACHES AFFECTING 500 OR MORE INDIVIDUALS, BY LOCATION OF PHI

as of 8/28/2015

• Paper Records: 22%
• Desktop Computer: 12%
• Laptop: 20%
• Portable Electronic Device: 10%
• Network Server: 13%
• Email: 8%
• EMR: 4%
• Other: 11%

BREACH HIGHLIGHTS

September 2009 through August 28, 2015

• Approximately 1,310 reports involving a breach of PHI affecting 500 or more individuals
  – Theft and Loss are 57% of large breaches
  – Laptops and other portable storage devices account for 30% of large breaches
  – Paper records are 22% of large breaches
• More than 179,000 reports of breaches of PHI affecting fewer than 500 individuals

CLOSED INVESTIGATED CASES

[chart; figures not reproduced in this transcript]

RECURRING ISSUES

• Business Associate Agreements (missing or inadequate)
• Risk Analysis (not performed, or not covering all ePHI)
• Failure to Manage Identified Risk (e.g., failure to encrypt)
• Lack of Transmission Security
• Lack of Appropriate Auditing
• No Patching of Software
• Insider Threat
• Improper Disposal
• Insufficient Data Backup and Contingency Planning

RECENT ENFORCEMENT ACTIONS

• St. Elizabeth’s Medical Center (electronic)
• Cornell Prescription Pharmacy (paper)
• Anchorage (electronic)
• Parkview (paper)
• NYP/Columbia (electronic)
• Concentra (electronic)
• QCA (electronic)
• Skagit County (electronic and paper)

BUSINESS ASSOCIATES

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

RISK ANALYSIS GUIDANCE

• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidance.html
• http://scap.nist.gov/hipaa/
• http://www.healthit.gov/providers-professionals/security-risk-assessment

MOBILE DEVICES

http://www.healthit.gov/mobiledevices

SECURITY RULE RESOURCES

OCR Security Rule Resource Center: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

DISPOSAL

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html

QUESTIONS?