Take steps to avoid these big mistakes and save yourself from investigations and lawsuits.
Healthcare data breaches in 2022 impacted more individuals than any year so far with the exception of 2015, when the Anthem breach impacted 79 million. Over 49 million records were breached this year, with the top 10 counting for 20.6 million.
All of the following organizations are being investigated by the Office for Civil Rights (OCR) and several of them are defending class action lawsuits. OCR investigates all breaches affecting 500 or more individuals to find out whether the organization followed HIPAA, and whether its conduct may have contributed to the breach. Investigations can lead to civil money penalties, a settlement agreement and a corrective action plan.
- OneTouchPoint – Ransomware Attack Impacted 4.11 Million (originated at business associate)
- Eye Care Leaders – Hacking Incident Impacted 3.65 Million (originated at business associate)
- Advocate Aurora Health – Impermissible Disclosure of up to 3 Million Records (involved third-party tracking pixels; Google and Meta are business associates)
- Connexin Software – Hacking Incident Impacted 2.2 Million (originated at business associate)
- Shields Health Care Group – Hacking Incident Impacted 2 Million
- Professional Finance Company – Ransomware Attack Involving 1.92 Million Records (originated at business associate)
- Baptist Medical Center – Malware Infection Involving 1.6 Million Records
- Community Health Network – Impermissible Disclosure of up to 1.5 Million Records (involved third-party tracking pixels; Google and Meta are business associates)
- Novant Health – Impermissible Disclosure of up to 1.36 Million records (involved third-party tracking pixels; Meta is a business associate)
- Broward Health – Hacking Incident Impacted 1.35 Million
Common themes run through these ten mega breaches. First, three of the top five originated at business associate third-party vendors that handle protected health information (PHI). In addition, three of the ten breaches were caused by the use of third-party (business associate) tracking pixels that transmitted PHI to tech companies like Meta and Google.
Risk Analysis – Risk Management is the Core Strategy
The umbrella protection that addresses all HIPAA risks is the HIPAA Risk Analysis. By far the most common mistake OCR uncovers during its investigations of all types and sizes of organizations is the failure to do a thorough Risk Analysis and security risk assessment. A Risk Analysis should be conducted at least once a year – and all HIPAA documentation needs to be saved for six years. Use this handy checklist.
The value of Risk Analysis can’t be overstated. It is the most reliable way to uncover the risks unique to your organization and helps develop a Risk Management plan to improve security and reduce those risks. Far too many covered entities and business associates do not complete their Risk Analysis or do not follow up to mitigate the risks they find.
Recognized Security Practices Can Help
In January 2021, the HITECH Act was amended, requiring OCR to consider certain recognized security practices that covered entities and business associates have had in place for the previous 12 months when making determinations about penalties and sanctions.
Compliance with the HIPAA Security Rule is mandatory. Although HIPAA does not require organizations to implement recognized security practices, it is strongly advisable. By following recognized security practices you can reduce the risk of a cyberattack and limit the harm caused, but OCR will also reduce the length of audits and investigations and the financial penalties imposed.
Conduct Business Associate Due Diligence
The list of big breaches underscores a theme we’ve discussed before – business associate compliance needs to improve. The sheer size of business associate breaches is massive when you consider that most business associates serve multiple covered entities and handle PHI for all of them.
If you are a covered entity conduct due diligence with each business associate and have business associate agreements in place. If you are a business associate, make sure you are complying with HIPAA, and if you have subcontractors, ensure they also comply and you have subcontractor business associate agreements in place.
Tracking Technology May Endanger PHI
A seismic shift in the use and transmission of PHI has occurred recently with tracking technology employed by big tech companies in partnership with healthcare organizations. Lawsuits have been filed, OCR is investigating and the situation is volatile and changing. Take a close look at any agreements you have with Google and Meta and make sure you are not allowing the transmission of PHI without patient authorization. Shore up your business associate agreements with any tech company that has access to or transmits PHI.
Issue Breach Notifications Promptly
Be sure you’re following the HIPAA Breach Notification Rule. Several of these large breaches involved delays in notifying OCR and the individuals affected. OCR has taken notice.
For review, the Rule:
- for large breaches, requires requires covered entities to report breaches affecting 500 or more individuals to the affected individuals, to OCR, and (in certain cases) to the media without unreasonable delay and no later than 60 calendar days from the discovery of the breach, and
- for breaches affecting fewer than 500 individuals, covered entities are required to report them to the affected individuals without unreasonable delay and no than 60 calendar days from the discovery of the breach and to OCR no later than 60 days after the end of the calendar year in which the breach was discovered.
OCR recently issued a reminder about responding to security incidents and confirmed the breach notification requirements in its October Cybersecurity Newsletter. The newsletter may be indicating that OCR is planning to enforce the Breach Notification Rule more rigorously in the future because lengthy delays in issuing breach notifications are becoming more common.
HIPAA Help You Can Use
Common sense, practical advice is available. HIPAA compliance is easy step-by-step once you know the steps. If you have a question, send it to The HIPAA E-Tool® at email@example.com.