Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office...
Transcript of Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office...
![Page 1: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/1.jpg)
Lessons Learned from Recent
HIPAA Breaches
HHS Office for Civil Rights
![Page 2: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/2.jpg)
“Breach:” Impermissible acquisition, access, use, or disclosure of PHI (paper or
electronic), which compromises the security or privacy of the PHI.
Safe Harbor: If the PHI is encrypted or destroyed.
Breach is Presumed and Must Be Reported, UNLESS:
• The CE or BA can demonstrate (through a documented risk assessment) that
there is a low probability that the PHI has been compromised based on:
– Nature and extent of the PHI involved (including the types of identifiers and
the likelihood of re-identification);
– The unauthorized person who used the PHI or to whom the disclosure was
made;
– Whether the PHI was actually acquired or viewed; and
– The extent to which the risk to the PHI has been mitigated.
Focus on risk to the data, instead of risk of harm to the individual.
BREACH NOTIFICATION RULE
OCR NIST 2015 2
![Page 3: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/3.jpg)
500+ Breaches by Type of Breach
as of 8/28/2015
OCR NIST 2015 3
Theft
48%
Loss
9%
Unauthorized
Access/Disclosure
21%
Hacking/IT
10%
Improper Disposal
4%
Other
8%
Unknown
1%
![Page 4: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/4.jpg)
OCR NIST 2015 4
500+ Breaches by Location
as of 8/28/2015
Paper Records
22%
Desktop Computer
12%
Laptop
20%
Portable Electronic
Device
10%
Network Server
13%
8%
EMR
4%
Other
11%
![Page 5: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/5.jpg)
5
BREACH HIGHLIGHTS
September 2009 through August 28, 2015
• Approximately 1,310 reports involving a breach of PHI affecting 500 or more individuals
– Theft and Loss are 57% of large breaches
– Laptops and other portable storage devices account for 30% of large breaches
– Paper records are 22% of large breaches
• Approximately 179,000+ reports of breaches of PHI affecting fewer than 500 individuals
OCR NIST 2015
![Page 6: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/6.jpg)
CLOSED INVESTIGATED CASES
6OCR NIST 2015
![Page 7: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/7.jpg)
RECURRING ISSUES
OCR NIST 2015 7
• Business Associate Agreements
• Risk Analysis
• Failure to Manage Identified Risk, e.g. Encrypt
• Lack of Transmission Security
• Lack of Appropriate Auditing
• No Patching of Software
• Insider Threat
• Improper Disposal
• Insufficient Data Backup and Contingency Planning
![Page 8: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/8.jpg)
RECENT ENFORCEMENT ACTIONS
OCR NIST 2015 8
• St. Elizabeth’s Medical Center (electronic)
• Cornell Prescription Pharmacy (paper)
• Anchorage (electronic)
• Parkview (paper)
• NYP/Columbia (electronic)
• Concentra (electronic)
• QCA (electronic)
• Skagit County (electronic and paper)
![Page 9: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/9.jpg)
http://www.hhs.gov/
ocr/privacy/hipaa/un
derstanding/covered
entities/contractprov.
html
BUSINESS ASSOCIATES
OCR NIST 2015 9
![Page 10: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/10.jpg)
• http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/
rafinalguidance.html
• http://scap.nist.gov/hipaa/
• http://www.healthit.gov/providers-professionals/security-risk-
assessment
RISK ANALYSIS GUIDANCE
OCR NIST 2015 10
![Page 11: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/11.jpg)
http://www.healthit.
gov/mobiledevices
MOBILE DEVICES
OCR NIST 2015 11
![Page 12: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/12.jpg)
OCR Security Rule Resource Center: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
SECURITY RULE RESOURCES
OCR NIST 2015 12
![Page 13: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/13.jpg)
http://www.hhs.gov/
ocr/privacy/hipaa/un
derstanding/covered
entities/index.html
DISPOSAL
OCR NIST 2015 13
![Page 14: Lessons Learned from Recent HIPAA Breaches...Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights “Breach:” Impermissible acquisition, access, use, or disclosure](https://reader034.fdocuments.us/reader034/viewer/2022042407/5f21aeecf646e81dbf0b204d/html5/thumbnails/14.jpg)
QUESTIONS?
OCR NIST 2015 14