As 2015 comes to an end, it can be beneficial to review the top issues that covered entities and their business associates encountered on a daily basis.
Understanding HIPAA compliance will be critical for 2016, especially as the Office for Civil Rights (OCR) begins to conduct the next round of HIPAA audits. Moreover, learning from the healthcare data breaches of the past year will help organizations create stronger and more comprehensive data security plans.
HealthITSecurity.com reviewed some of the top stories from 2015, highlighting key issues and what organizations should potentially look for in the new year.
HIPAA compliance, violations
Several OCR HIPAA settlements were finalized this past year, ranging in fines from thousands of dollars to millions of dollars.
For example, Brighton, Massachusetts-based St. Elizabeth’s Medical Center (SEMC) agreed to pay $218,400 to settle potential HIPAA violations stemming from 2012.
OCR received a complaint on November 16, 2012, alleging that SEMC workforce members had used an internet-based document sharing application to store documents containing ePHI of nearly 500 individuals. This was done without having analyzed the risks associated with such a practice, OCR stated.
On the heftier end of fines, Triple-S Management Corporation (TRIPLE-S) agreed to pay $3.5 million to settle HIPAA violations from 2012. Numerous data breaches taking place from 2010 to 2015 helped lead to the decision. OCR added that the case underlined the importance of not only adhering to the Security Rule, but also risk analysis and “compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”
Another key issue was understanding HIPAA compliance as it related to cloud technology. Cloud service providers are now considered business associates under the HIPAA Omnibus Rule, which means that they must adhere to the same rules as other BAs.
“For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis,” the rule states. “Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.”
Anthem data breach affects 78.8 million individuals
The largest healthcare data breach of the year was the incident that took place at Anthem, Inc. Approximately 78.8 million individuals had their information exposed in a cyber attack.
The exposed information included patient names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses. Employment information, some of which included income data, might also have been exposed.
A multi-pronged approach that includes a proper incident response plan is critical to help prevent these incidents, Patrick Wilson, Contra Costa County Health Services CISO and Assistant Director of EHR, said in an interview with HealthITSecurity.com.
Following the Anthem data breach, Wilson explained that one of the best things a facility can do is to de-value the data from an attacker’s perspective, so that a successful infiltration yields less usable information. This includes encrypting all databases and segmenting the data so that a single compromised system does not expose everything.
However, there were also data security issues to watch out for after the Anthem data breach. Consumers were warned about phishing scams that tried to get individuals to click on links in an email or to reply with personal information.
“This outreach is from scam artists who are trying to trick consumers into sharing personal data,” Anthem said. “There is no indication that the scam email campaigns are being conducted by those that committed the cyber attack, or that the information accessed in the attack is being used by the scammers.”
The importance of data breach response
Working toward data breach prevention was another key issue in 2015.
For example, the Department of Justice’s (DOJ) Cybersecurity Unit released a data breach response guide to help facilities prepare for data security incidents before they occur and respond after the fact.
The DOJ stated that the guide could be beneficial regardless of an organization’s size.
“It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery,” the DOJ explained. “It also incorporates input from private sector companies that have managed cyber incidents.”
State data breach notification practices also continued to evolve. California adopted statewide regulations for data breach notification, which included a three-bill package with standards for data encryption, the language with which an entity provides data breach notification, and standards for defining personal information.
For example, properly encrypted data must be “rendered unusable, unreadable or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”
Looking ahead to 2016
It is important to learn from each healthcare data breach, and understand that technology will only continue to evolve. As organizations work toward staying current with the latest trends, HIPAA compliance and data security cannot be overlooked. Moreover, it is essential to regularly run risk assessments and adjust data security as necessary. This will not prevent data breaches from ever occurring, but it will help organizations stay aware and work toward keeping patient data secure.