New rules could mean hell to pay for small healthcare breaches

Government widens compliance net, will now more aggressively investigate breaches of less than 500 records
Written by John Fontana, Contributor

The federal government is increasing its commitment to investigate small healthcare breaches, those involving less than 500 patient records, a move that has already cost some violators up to $650,000.

Late last month, the Department of Health and Human Services' Office for Civil Rights (OCR) announced it was re-prioritizing smaller breaches and would commit more effort to investigate these incidents. OCR investigates all incidents of more than 500 records. In the past, limited resources prevented many of these smaller breaches from being examined.

"Now is an opportune time to proactively shore up your organization's compliance with the HIPAA privacy, security, and breach notification rules," wrote the law firm Ice Miller on its blog after the OCR made its announcement.

Health records are valuable to cyber criminals. Providers are defrauded when the data is used to create fake IDs to buy medical equipment or drugs that are resold. Patient data can be used to file fake claims with insurers. As far back as 2014, Reuters reported that healthcare records on the black market are worth 10 times more than a credit card number.

The rising number of breaches and the new OCR initiative could force smaller clinics, health care providers, and insurers into expensive security system upgrades or risk breach costs that can easily run into the hundreds of thousands of dollars.

In June, Catholic Health Care Services of the Archdiocese of Philadelphia paid $650,000 as part of a settlement with the OCR over a HIPAA Security Rule violation that involved a stolen iPhone containing 412 electronic Protected Health Information (PHI) records.

Other settlements in small breach cases include Triple-S, St. Elizabeth's Medical Center, and Hospice of North Idaho.

In a press release, the OCR said its regional offices will still use discretion in investigating small breaches, "but each office will increase its efforts to identify and obtain corrective action to address entity and systemic noncompliance related to these breaches".

The OCR said it would consider the size of the breach, theft of or improper disposal of unencrypted PHI, breaches that involve hacks into IT systems, and the amount, nature, and sensitivity of the PHI involved.

The enforcement changes apply to healthcare providers, health plan administrators, healthcare clearinghouses, and other third-party businesses that provide services to these entities.

Breaches are growing in size and scope and hackers are finding a foothold in an industry that has a reputation for weak IT security

In early August, a Ukrainian hacker uploaded 156GB of data from an Ohio clinic to a Google Drive. A security researcher verified it contained personal patient information as well as internal documents. The attack was allegedly carried out by SQL injection, an often easy-to-execute attack against out-of-date systems.
