Daily news stories about data breaches and enforcement actions seem to be the new norm, so it’s no surprise that people may start to believe that hackers have won the war and that no personal health information is safe. But exactly how many breaches have been reported in the last several years? And were the breaches the result of nefarious plots or just plain incompetence? About how many HIPAA investigations has the government actually launched?
Rest assured, Congress has been asking similar questions as well. The HITECH Act requires the Department of Health and Human Services Office for Civil Rights (OCR) to submit annual reports to Congress that provide contextualized information about incident rates and government action; OCR published its most recent two reports on Breaches of Unsecured Protected Health Information (Breach Report) and HIPAA Privacy, Security, and Breach Notification Rule Compliance (HIPAA Compliance Report). In addition to including cumulative data, the reports cover relevant activities that occurred between January 1, 2011, and December 31, 2012.
Key Findings from the Breach Report
- In 2011 and 2012, OCR received reports of a total of 458 breaches involving 500 individuals or more, which affected nearly 15 million individuals.
- Of the six primary categories—Theft; Loss; Unauthorized Access/Disclosure; Improper Disposal; Hacking/IT Incident; and Unknown/Other (breaches attributable to other causes or breaches where the cause is unknown)—theft continues to be one of the top causes of breaches that affect the most individuals. Theft was the leading cause of breaches in both 2011 and 2012 (49% and 52%, respectively).
- In both 2011 and 2012, the majority of healthcare-related breaches occurred at healthcare providers (63% in 2011; 68% in 2012), followed distantly by breaches at health plans and business associates.
- The number of small breaches (or at least the number of small breaches reported) increased considerably from 2009/2010 to 2011/2012. Small breaches reported over the past four years total: 5,521 in 2009; 25,000 in 2010; 25,705 in 2011; and 21,194 in 2012.
- Although breaches involving 500 or more individuals made up only 0.97% of reports, these large breaches accounted for 97.89% of the 15,005,660 individuals who were affected.
- OCR opened investigations into more than 700 of the breaches that occurred through the end of 2012. In seven cases, the Department has entered into resolution agreements/corrective action plans totaling more than $8 million in settlements.
Key Findings from the HIPAA Compliance Report
- From April 14, 2003 (the compliance date of the HIPAA Privacy Rule) to December 31, 2012, OCR received 77,190 complaints alleging HIPAA violations. OCR had resolved 91% of the complaints as of December 31, 2012.
- OCR experienced a significant uptick in the number of filed complaints over the years. During 2011, OCR received 9,022 new complaints, an increase of 258 complaints from 2010. During 2012, OCR received 10,454 new complaints, which was a notable increase of 1,432 complaints over the previous year.
- Of the complaints investigated in 2012, OCR provided technical assistance to the covered entity and/or required the covered entity to take corrective action in 3,361 instances. OCR found that no violation of the HIPAA Rules had occurred in 979 instances. OCR determined that it did not have jurisdiction under the HIPAA Rules in 5,068 instances.
- OCR addressed the dilemma the agency faces from increased reporting: “Given OCR’s experience with an ever-increasing volume of complaints, without a corresponding increase in resources, OCR is determining ways to ‘work smarter,’ that is, to increase the effectiveness of its allocation of staff time and other resources to achieve the most industry compliance with the HIPAA Rules.”
- More specifically, OCR says it intends to “realign its enforcement efforts to focus its limited resources on cases that present OCR with the maximum opportunity to effect change within the health care industry.” That means it will concentrate on so-called “high-impact cases.” In 2011 and 2012, OCR entered into seven resolution agreements that included monetary settlements and extensive corrective action plans to resolve high-impact cases, which is double the number settled from 2008 to 2010.
Practice Tip: Be proactive. Review the OCR reports to identify the areas OCR continues to focus on in its investigations and in the corrective action plans it imposes, and ensure that your HIPAA privacy, security and breach policies and procedures are adequate in this enforcement-rich environment.