Will Breaches Spike With HIPAA Omnibus?
In the past month, the Department of Health and Human Services has added only a handful of breaches to its "Wall of Shame" website of breaches affecting 500 or more individuals. Most of the 2013 breaches added to the tally so far have been relatively small breaches, at least compared to some eye-poppers of the past.
But don't be misled; there are a few whoppers likely headed to the federal tally soon, based on some recent cases that have surfaced over the past several weeks. Those include:
- A breach at the Texas Health Harris Methodist Hospital Forth Worth, which may have affected up to 277,000 patients; and
- An incident at the Indiana Family and Social Services Administration, which may have impacted up to 188,000 patients.
The HHS Office for Civil Rights adds breaches to the tally once it confirms the details. (Note that the office added a 2012 incident in late June.) So the total number of individuals affected by breaches in 2013 could potentially triple once those incidents in Texas and Indiana are added, assuming the investigations confirm the numbers.
What's surprising is that the two biggest healthcare breaches to grab headlines this year (and likely to grab a spot on the federal tally) aren't the typical lost or stolen un-encrypted laptop or storage disk incidents. Rather, those breaches involved improper disposal of records and improper disclosure. And both involved business associates.
In the Texas Health breach, decades-old microfiche medical records that were slated for destruction by a contractor were found intact in a public dumpster in a park.
And in the Indiana incident, the state agency, which administers Indiana's Medicaid program, notified almost 188,000 clients this month that their personal information may have been inadvertently disclosed in mailings to other clients, apparently as a result of a computer programming error by a business associate.
The Texas breach serves as a reminder about safeguarding old records even when they're slated for destruction. The Indiana incident illustrates how computer errors (including technical glitches or maybe a human mistake) can also result in breaches.
But both incidents should also remind covered entities to be watchful of their business associates and the precautions those partners take in protecting protected health information.
Once the Sept. 23 enforcement deadline for the HIPAA Omnibus Rule hits, business associates will be directly liable for HIPAA compliance, including potential HHS penalties for breaches, which can soar up to $1.5 million per violation.
Business associates have been involved in about 22 percent of the 627 breaches that have made it to the HHS wall of shame from September 2009 through this week. Those breaches have affected a total of about 22.2 million individuals.
In the last month, federal authorities have added only seven breaches affecting a total of 31,000 individuals to that tally. So far, the tally includes 48 breaches in 2013 affecting a total of about 205,000 individuals. By comparison, the tally includes about 150 breaches in 2012 affecting about 1.7 million.
One thing that hasn't changed: The No. 1 cause of breaches continues to be lost or stolen unencrypted devices and media. It's amazing that so many breaches still involve unencrypted devices. The importance of encryption should top-of-mind by now, given all the publicity about breaches since 2009. But perhaps these continuing breaches are proof of just how difficult it is to manage mobile devices, especially as BYOD (bring your own device) proliferates.
What will happen to the breach tally once the beefed-up breach notification requirements under the HIPAA Omnibus Rule are enforced in September? Experts are predicting a spike of reported breaches, at least for a while, especially those involving business associates.