More Individual Records Exposed in First Six Months of 2018 than in All of 2017: The State of Healthcare Data Breach Response

This article by RADAR CEO Mahmood Sher-Jan originally appeared on the Compliance and Ethics blog. Click here to view it in its original format.

If you’re familiar with the recent trend in breach reporting, you might not be surprised to learn that there has been significant growth in the number of breaches reported to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). According to the OCR Breach Portal, as of June 30th, 175 cases were reported to OCR in the first 6 months of 2018. Compare that 6 months of activity with 193 cases reported for all of 2017, and you begin to see the significant uptick in reported cases.

The number of individuals affected by the breaches has grown significantly year over year, as well. On the OCR Breach Portal, over 3.7M individual records were exposed in the first 6 months of 2018. Compare that to the 2.68M individuals affected in all of 2017.

Enforcement actions from the OCR this year have been significantly fewer and farther between than in previous years – and there is some debate as to if this is a temporary result of a change in the administration, or a trend overall. Iliana Peters, former senior adviser at OCR, has pointed out that the growing number of breaches under investigation by the OCR is larger than ever before, and “so potential cases for this type of enforcement are, in fact, increasing, and not decreasing.”

Beyond the Breach Portal: Growing Complexity in State Breach Notification Laws

All 50 states have data breach notification laws, no two exactly the same – which makes compliance with multijurisdictional incidents difficult without investing in incident response tools. And these laws continue to evolve. Seven states had new or amended data breach notification laws go into effect this year alone. Four more states have signed bills that will go into effect later this year, and well over a dozen proposed and pending pieces of state legislation remain active.

One recently passed piece of legislation seems to be capturing attention across the country – the California Consumer Privacy Act of 2018 allows consumers more control over their personal data collected by businesses, including increased transparency into what data is being collected, for what purpose, and who has access to the data as a third-party processor. For those working to comply with the breach notification rules under HIPAA and state regulations, this new law adds possibilities of lawsuits by affected individuals and more fines. While the act specifically calls out that companies regulated by the California Confidentiality in Medical Information Act or HIPAA should continue to comply with those rules when it comes to protected health information, that isn’t the only information entrusted to healthcare organizations. Outside of medical information, healthcare organizations may collect additional personal information such as IP addresses, employment information, education, etc. In a recent article, Dominique Shelton, co-chair of Perkins Coie’s ad tech privacy and data management group, wrote that “healthcare provider organizations need to start thinking about what data they have and whether or not it is covered by HIPAA and what data they might be getting from other sources that may not be covered by HIPAA.” This creates further complications when it comes to technology in healthcare.

It’s not all Doom and Gloom: What Healthcare Organizations Can Do to Button Up Privacy Practices and Improve their HIPAA Compliance

In the paragraphs above, we went over a few facts that would get any privacy professional’s heart palpitating. Breaches are growing in frequency and size. The hurdles to regulatory compliance are increasing on a state level, and the enforcement of penalties and fines seems likely to increase on both a federal and state level.

Privacy professionals who have been in this business long enough will know that none of this is that new. Ours is a challenging profession – and will continue to be. Whenever the odds seem insurmountable, I find that it’s a good practice to return to the basics and find approachable, systems-based improvements that are within your control. Below are a few places to start.

Streamline how incidents are reported internally to your organization.

Do you hold regular trainings so individuals outside of the privacy and compliance office are able to recognize an incident when it occurs, and know how to get the details of that incident escalated to the proper people? This is one of the best ways to expand the reach of your overworked privacy program, by training regularly and effectively deputizing your own employees in the name of privacy stewardship. And bonus points if you are able to implement a web form or automation to facilitate reporting.

Improve efficiency and consistency in your incident response assessment results.

OCR has long emphasized the concept that, unless a multi-factor risk assessment has been performed to prove that there is a low probability that PHI was compromised or that proper risk mitigation has taken place, an incident will be considered a data breach. This means that every incident – big or small – must be consistently assessed and investigated in order to make a breach determination, or organizations risk over or under reporting. With the number of incidents growing, this means an ever-increasing caseload for privacy professionals in healthcare. The only way to stay ahead of this tsunami of work is to button up processes and bring efficiencies to bear wherever possible.

Continuously measure the effects of your efforts.

A recent study found that 40% of large healthcare organizations don’t measure how well their HIPAA compliance processes and policies are working. This means that incredibly valuable learnings are lost, from where incidents are originating and what mitigation efforts are proving most effective, to higher level trend analysis and critical executive or board reporting that might lend itself to an argument for more budget for the department. Data is a powerful tool in the hands of privacy professionals, as it can inform improvement efforts, point out trends, and be a hub for real-time and data-driven insights. Real-time reporting and dashboards provide data-driven and actionable insights into your organization’s privacy program, making it easier to identify trends and uncover issues important for continuous improvement of your incident response process.