OCR Director Predicts Data Breach Notifications to Increase Before Leveling Off

Bloomberg BNA's Health IT Law & Industry Report brings you concise, comprehensive, and timely news and analysis of the regulatory, legal, and compliance issues surrounding our nation’s...

By Genevieve Douglas  

Department of Health and Human Services Office for Civil Rights Director Leon Rodriguez told attendees of the IAPP Privacy Summit March 8 that reports of breach notifications will continue to grow in the foreseeable future, but that the agency's goal is to receive fewer notifications as breaches decline over time.

“The goal of our enforcement is not to have breach notifications grow, but we are learning that there is still a tremendous amount of security vulnerability,” Rodriguez said.

Prior to the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act (ARRA), there was no federal mechanism to identify and report health data security vulnerabilities, and breach notification has become a great vehicle for doing so, he said.

Rodriguez told conference attendees that the majority of data breaches reported are still physical breaches—not electronic breaches—such as thefts of laptops, smartphones, and paper records. A small number of reported breaches are due to unauthorized electronic access to records, he said.

Rodriguez recommended that covered entities and business associates under the Health Insurance Portability and Accountable Act (HIPAA) focus on encrypting data, adequately training employees in privacy and security practices, and continuing these efforts over time.

Omnibus Still Being Drafted

Rodriguez said OCR is finalizing the long-awaited omnibus HIPAA rule that will include updates to the HIPAA Privacy and Security rules, breach notification rule, HIPAA enforcement rule, and the Genetic Information Nondiscrimination Act rule.

In addition to the omnibus rule, Rodriguez said, OCR is working on rules for data breach restitution, security and privacy aspects of the Common Rule, and requirements under the Patient Protection and Affordable Care Act to extend anti-discrimination rules.

Protecting Electronic Data

Widespread adoption of health information technology and electronic health record systems has led to an increased focus on electronic personal health information and safeguards organizations must employ to protect that information, Rodriguez said.

A major difference between electronically stored data and paper records is that a breach of electronic data is more likely to affect larger numbers of individuals, David Holtzman, health information privacy specialist at OCR, told conference attendees.

According to Holtzman, best practices for ensuring the privacy and security of electronic health information require evaluating the risk to PHI when at rest on removable media, mobile devices, and computer hard drives, and taking “reasonable and appropriate” measures to safeguard PHI. Examples of these measures include:

  •  storing all PHI to a network;
  •  encrypting data stored on portable, movable devices and media;
  •  having the ability to remotely remove data from a lost or stole device; and
  •  training employees how to effectively safeguard data and timely reporting of incidents.
OCR Audit Program Pilots

OCR is in the process of conducting the first round of its audit program pilots at 20 organizations, Rodriguez said. The agency plans to conduct audit program pilots at 115 organizations overall, a decrease from the original estimate of auditing 150 organizations.

“As the audit program matures and becomes a permanent fixture, it will become part of the overall picture of our enforcement activities,” Rodriguez said.

The audit program was launched in November, and OCR contracted with KPMG to conduct the pilot phase. The pilot will run through December, Holtzman said.

While the pilot audits are intended to be a compliance learning tool and not punitive in nature, there may be instances where OCR opens compliance reviews based on audit findings, Holtzman told conference attendees. This would happen in extreme circumstances of negligence, he said.

For More Information

More information on OCR enforcement activities is available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html.