At the 2018 HCCA Compliance Institute HIPAA Policy and Enforcement Update, it was reported that from September 2009 through the end of 2017 there were 2,178 reports filed with the HHS OCR involving breaches affecting 500 or more individuals. In addition to the large breaches, there were over 300,000 reports of breaches of protected health information (PHI) affecting fewer than 500 individuals. About 177 million individuals were affected by the large breaches. As of April 2018, OCR’s website has posted 38 breaches so far. In all, nearly one million patients may have had their PHI put at risk by these incidents, and the number continues to grow. The breakdown of large breaches by type is:
- Loss/theft continues to be the most frequently reported problem, accounting for nearly half of the cases.
- Laptops and other portable storage devices represented one fourth of large breaches.
- Hacking/IT incidents account for about one in five reported incidents.
- Paper records accounted for another fifth of the large breaches.
10 largest 2018 incidents to date by number of patient records affected
- 582,174 – California Department of Developmental Services, 4/06/2018, Unauthorized Access/Disclosure Incident
- 279,865 – Oklahoma State University Center for Health Sciences, 1/05/2018, Hacking Incident
- 134,512 – St. Peter’s Ambulatory Surgery Center LLC- d/b/a St. Peter’s Surgery & Endoscopy Center, 2/28/2018, Hacking Incident
- 70,320 – Tufts Associated Health Maintenance Organization, Inc., 2/16/2018, Unauthorized Access/Disclosure Incident
- 63,551 – Middletown Medical P.C., 3/29/201, Unauthorized Access/Disclosure Incident
- 53,173 – Onco360 and CareMed Specialty Pharmacy, 1/12/2018, Hacking Incident
- 36,305 – Triple-S Advantage, Inc., 2/02/2018, Unauthorized Access/Disclosure Incident
- 35,136 – ATI Holdings, LLC and its subsidiaries, 3/12/2018, Hacking Incident
- 34,637 – City of Houston Medical Plan, 3/22/2018, Theft of Laptop Incident
- 30,799 – Mississippi State Department of Health, 3/26/2018, Unauthorized Access/Disclosure Incident
Top 10 Recurring Compliance Issues
- Pattern of disclosure with sensitive paper PHI
- Business Associate Agreements
- Risk analysis issues
- Failure to manage identified risk, e.g., encryption of data
- Lack of transmission security
- Lack of appropriate auditing
- No patching of software
- Insider threats from employees and contractors
- Improper disposal of data
- Insufficient data backup and contingency planning
HHS OCR calls for health care organizations to establish contingency plans that keep patient data secure, and it mandates that covered entities and business associates have such plans. In their March newsletter, OCR officials urged health care organizations to determine which IT systems are critical, to understand how to function during a disaster, and to back up PHI so that it can be retrieved if the original data are lost or taken offline. Once developed, the plan should be tested routinely to identify gaps, to confirm that updates keep the plan effective, and to increase organizational awareness. The plan should be reviewed and updated on a regular basis and whenever there are technical, operational, or personnel changes.