The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) has issued two reports to Congress required by Section 13402(i) of the Health Information Technology for Economic and Clinical Health (HITECH) Act:

• “Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012” (the Breach Report), and
• “Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012” (the Compliance Report).

Both reports (as well as previous annual reports) may be accessed here.  This post discusses the Breach Report, and a separate article will be posted later addressing the Compliance Report.

The Breach Report offers valuable insight into OCR’s priorities with respect to healthcare data breaches and gives an excellent summary of many recent settlements. OCR (the office responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules) has prepared this Breach Report describing the numbers and types of healthcare data breaches occurring for calendar years 2011 and 2012.  The Breach Report is compiled from breach reports that HIPAA requires be provided to OCR by covered healthcare providers, health plans, healthcare clearinghouses and their business associates.  The raw data upon which these reports is based is available here. OCR also provides some cumulative data on breaches reported since the breach notification law went into effect on September 23, 2009. OCR then slices and dices this data in a variety of different and useful ways, sorting it by: cause, location of affected protected health information (PHI), types of entities involved, number of individuals affected, remediation steps taken, etc.

OCR received 236 reports of large breaches (those involving 500 or more individuals) that occurred in calendar year 2011, and these breaches affected more than 11 million individuals that year. It received about the same number of reports (222) of large breaches for 2012 but affected far fewer individuals (approximately 3 million individuals). Cumulatively, OCR received 710 reports of large breaches affecting a total of approximately 22.5 million individuals from September 23, 2009 through December 31, 2012.

For calendars years 2011 and 2012, OCR groups the causes of breaches into the following six general categories:

• theft of electronic equipment/portable devices or paper containing PHI;
• unauthorized access or disclosure of records containing PHI;
• loss of electronic media or paper records containing PHI;
• hacking/IT incident of electronic equipment or a network server;
• improper disposal of PHI; and
• unknown/other causes of breaches of PHI.

By far, theft is the leading cause of reported healthcare data breaches. In 2011 and 2012, almost half of all breaches resulted from thefts of PHI, with unauthorized access/disclosure and loss a distant second and third, respectively. OCR warns, “In most reported theft cases, laptop computers, desktop computers, and other portable electronic devices, such as hard drives and USB drives, either were stolen from a covered entity’s facility during a break-in that occurred after the entity’s regular business hours, or from an employee’s vehicle.” Even though less common, loss of PHI affected more individuals than theft. This makes sense when you consider that the largest breach in 2011 was the result of a loss of back-up tapes and affected approximately 4.9 million individuals.

Health care providers experienced the bulk of breaches. Business associates and health plans reported far fewer breaches, while there was only one breach reported at a healthcare clearinghouse in both 2011 and 2012 together. Breaches by business associates affected more individuals than breaches involving health care providers, but, again, the data is skewed because it was a business associate that lost the back-up tapes affecting approximately 4.9 million individuals.

The Breach Report drills down breaches by location of the PHI. Even with the race to achieve meaningful use of electronic health records, breaches involving paper records still top the lists. Paper records were listed as the #1 location for breaches in 2011 and #2 in 2012. OCR notes: “Most of the improper disposal cases involving paper records were the result of an employee mistakenly putting medical records in the trash or recycling bins rather than the covered entity’s shred bins.” Other incidents often involved mailing of PHI to incorrect addresses or PHI being visible through envelope windows. Laptop computers also top the list, at #2 in 2011 and #1 in 2012. Desktop computers, portable electronic devices and network servers were also vulnerable locations for breaches.

The Breach Report notes that “more entities are taking remedial action to provide relief and mitigation to individuals and to secure their data and prevent breaches from occurring in the future.” Covered entities commonly reported taking one or more of the following steps to mitigate the potential consequences of the breaches and prevent future breaches (from most to least frequent):

• Revising policies and procedures;
• Improving physical security by installing new security systems or by relocating equipment or records to a more secure area;
• Training or retraining workforce members who handle PHI;
• Providing free credit monitoring to customers;
• Adopting encryption technologies;
• Imposing sanctions on workforce members who violated policies and procedures for removing PHI from facilities or who improperly accessed PHI, among other issues;
• Changing passwords;
• Performing a new risk assessment; and
• Revising business associate contracts to include more detailed provisions for the protection of health information.

OCR opened investigations into all large breaches reported in 2011 and 2012 as well as investigations into some of the smaller, reported breaches. OCR has closed investigations resulting from breach reports after achieving voluntary compliance, through corrective action and technical assistance, through resolution agreements, and as no violation. Many investigations resulted in corrective action, but only a small number of breaches actually resulted in settlement agreements. By December 31, 2013, OCR has entered into resolution agreements with seven covered entities as the result of investigations opened in response to breach reports submitted to OCR for breaches that occurred through the end of 2012 totaling more than $8 million in settlements. Four of these cases involve the theft of laptops or other electronic devices containing unsecured electronic PHI. The Breach Report discusses each settlement in great detail, and the facts of those cases may guide covered entities in what not to do. In many cases, OCR notes that adequate risk assessments were not performed.

This report also offers some illustrative thoughts on what everybody should prioritize for the upcoming random audits.

Finally, the Breach Report summarizes the lessons covered entities should learn from the breaches reported to OCR to help covered entities avoid some of the more common types of breaches:

• Risk Analysis and Risk Management. Ensure the organization’s security risk analysis and risk management plan are thorough, having identified and addressed the potential risks and vulnerabilities to all ePHI in the environment, regardless of location or media. This includes, for example, ePHI on computer hard drives, digital copiers and other equipment with hard drives, USB drives, laptop computers, mobile phones, and other portable devices, and ePHI transmitted across networks.
• Security Evaluation. Conduct a security evaluation when there are operational changes, such as facility or office moves or renovations, that could affect the security of PHI, and ensure that appropriate physical and technical safeguards remain in place during the changes to protect the information when stored or when in transit from one location to another. In addition, conduct appropriate technical evaluations where there are technical upgrades for software, hardware, and websites or other changes to information systems to ensure PHI will not be at risk when the changes are implemented.
• Security and Control of Portable Electronic Devices. Ensure PHI that is stored and transported on portable electronic devices is properly safeguarded, including through encryption where appropriate. Have clear policies and procedures that govern the receipt and removal of portable electronic devices and media containing PHI from a facility, as well as that provide how such devices and the information on them should be secured when off-site.
• Proper Disposal. Implement clear policies and procedures for the proper disposal of PHI in all forms. For electronic devices and equipment that store PHI, ensure the device or equipment is purged or wiped thoroughly before it is recycled, discarded, or transferred to a third party, such as a leasing agent.
• Physical Access Controls. Ensure physical safeguards are in place to limit access to facilities and workstations that maintain PHI.
• Training. Ensure employees are trained on the organization’s privacy and security policies and procedures, including the appropriate uses and disclosures of PHI, and the safeguards that should be implemented to protect the information from improper uses and disclosures; and ensure employees are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.

Stay tuned to the Wyatt HITECH Law blog for our upcoming article on OCR’s Compliance Report.