The Office for Civil Rights (OCR) at the Department of Health and Human Services is clearly becoming dispirited and fed up with the several big and small breaches in the healthcare industry.
This sentiment is developed apparent by OCR’s declaration on the day of August 18 that it, through its regional offices, will more aggressively inquire and pursue the so-called “small” breaches or violations, which are those that affect fewer than 500 people.
In the declaration, OCR indicates that it needs to “more widely inquire the root causes of small breaches or violations affecting fewer than 500 people.” Fascinatingly, the agency recommends that it needs to find “entity and systemic noncompliance” regarded to the reported violations.
Attempting to read between the lines, the statements recommend that OCR considers there are fundamental problems regarding HIPAA agreement among entities. If that assessment is true, then it gives a very obvious or clear understanding and basis for the latest declaration and encouragement to more completely investigate the small breaches.
When determining a small breach, OCR will consider the following elements:
- The size of the breach
- The amount, nature and sensitivity of the PHI included
- Breaches that included unwanted intrusions to IT networks
- Theft of unencrypted PHI
- Instance in which various breach reports from a specific entity raise similar problems
Breaking down the components, few are similar to what goes into breach risk assessment when attempting to evaluate whether there is a low probability of compromise. Although, a couple of the elements depict the increasing uncertainties from recent breach settlements.
The 1st such component is theft or disposal including the unencrypted PHI. All too frequently, a thumb drive, laptop or other mobiles that isn’t encrypted leads to the exposure of PHI. Provided the relative convenience with which devices can be encrypted and the rate of attention being concentrated on encryption, it is clear why OCR has uncertainties.
Accordingly, task on the encryption front requires changing. From OCR’s opinion, in the absence of a change in the regulations, it can motivate execution of the addressable encryption by striking entities in their pocketbooks. After all of the initial settlements and latest stories concentrating on the deficiency of encryption, this might be the last warning before money will be owed.
The 2nd component of interest is the concentration on breaches including unwanted intrusions, like hacking or ransomware attacks. It’s no secret that the healthcare industry is hugely observed as very susceptible and ripe for the picking among cybercriminals. The frequency and significance of attacks indicates this reality.
Rather the open season on healthcare, it is very vague that what measures have been taken to step up security. One the other hand, cybercriminals will always be alert of the defensive steps that entities can put into place. Although, that doesn’t mean entities can’t take proactive steps, and it is the basis of those steps, at least from OCR’s view, that is an outworking of the detailed risk analysis called for by HIPAA.
The risk analysis instructs entities in evaluating entire threats and susceptibilities as well as the likelihood of a violation appearing from each of those threats and susceptibilities. If entities honestly observe operations, then arguably entities would be capable to close few of the windows that cyberattacker come in through.
Cyberthreats won’t be going away any time soon, and unless entities need to ignore the double harm of suffering both an attack and enforcement of a penalty from OCR, then entities would be well advised to concentrate on cybersecurity.
Shifting beyond the components of what OCR will inquire with regard to small breaches, the practical effect of these inquiries should also be observed. Curiously, the declaration follows earlier critique that OCR wasn’t doing enough to openly deal breaches impacting a small number of people. The reports faulted the private nature of resolutions as refusing “victims” an understanding of how their loss was sorted out and possibly not doing enough to indicate to entities that there are consequences to not complying with HIPAA agreement.
If the latest plan is a response to those proposed reports, then entities should be wary of what is to come.
Finally, one of the huge points about the declaration is that privacy and security are necessary to trust and the modernization of digital healthcare. Any violation or breach, whether 1 person or millions, affects the real people. Those people might feel betrayed about what will come. If that message is reinforced and a human side to the violations can be forced to the fore, then maybe more visible measure will appear when it comes to securing healthcare data.
Nonetheless how much fines or public settlements are released by OCR, it is up to every business associate, covered entity, and subcontractor managing secured health data to take the essential steps every day to make sure the privacy and security. Agreement with HIPAA isn’t easy and needs ongoing attempt that might not result in clear results. Although, when data remains secure, then everyone will be satisfied.
No comments:
Post a Comment