I wasn’t the only one celebrating a birthday last week. It’s been exactly two years since the breach notification rule, mandated by the HITECH Act, took effect. Since then, 330 major health information breaches affecting 11.8 million individuals have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). And while major breaches are those that impact the largest number of Americans (500 or more per incident), it is worth noting that another 30,500 smaller incidents have also occurred in 2009 and 2010. Smaller incidents tend to involve 1 or 2 people and are most often the result of a misdirected communication caused by human error. The large breaches are of the most concern and with two years of data under our belt, here’s the upshot –
- Historical statistics show that the greatest risk to date (more than 50% of violations) has come from theft or loss of laptops, smart phones, and other electronic media and devices.
- 20% of all incidents took place at business associates (BA’s), showing the need for a covered entity to have deeper involvement with their vendors’ information security policies, procedures and a say in how frequency they conduct security testing and audits.
Adam Greene, a former OCR official who I met at last May’s Annual HIPAA Security Rule Conference, recently recommended that healthcare organizations focus more on their employees and how they physically safeguard hardware. Encryption is almost always brought up in this context as the potential damage caused by stolen or lost devices that have been encrypted can be minimized. But mandatory encryption still remains a controversial topic within the health care security rule-making bodies in D.C. The official position has been that the need for providers to have flexibility in their workflow to deliver optimal patient care has to be balanced against security risks, at least for now.
Let’s look deeper at the issue of business associates. If you sort the online breach notification database by number of individuals affected, you’ll find that 9 of the top 20 incidents occurred at the hands of business associates. This is a significant problem for covered entities today – as their responsibility and liability extends to companies and organizations that are beyond their direct control. At Redspin, we strongly recommend that hospitals adopt a stronger business associate oversight program. We’ve provided HIPAA Risk Analysis services for dozens of hospitals and we almost always cite risk and vulnerabilities in their business associate management programs. I’m not as confident as my friend Adam that they solution is simply that hospitals must take greater precautions in this area. Hospitals and their vendors have a business relationship – by definition, the business associate needs access to protected health information to perform its duties and fulfill its contractual obligation. To prompt real change in a third-party organization, hospitals need to insist, cajole, negotiate, discuss etc. within the bounds of an arm’s length relationship.
One thing we’d suggest is that hospitals point to their own Security Risk Analysis efforts and share with their vendors some of their findings and recommendation, and recommend companies like Redspin to do BA’s own IT security audits. OCR will soon provide some regulatory help in this regard as directly liability for breach will extend to business associates by the end of 2012. At that time, hospitals may even find their business associates coming to them, proactively asking for direction and guidance in the area of data privacy and security. In our opinion, it won’t be long before covered entities insist that business associates conduct an annual IT security assessment as part of the obligations of their business associate contract.