We sat down with data privacy and security expert William J. Roberts of Shipman & Goodwin LLP to discuss the proliferation of data breaches across the health care industry in recent years, and what organizations can do to protect themselves ahead of his upcoming Managing HIPAA Data Breaches webinar on Wednesday June 15th, 2:00 pm Eastern.
How common are data breaches?
Data breaches are becoming a scary and increasingly common occurrence across the health care industry. In 2015 alone, over 112 million records were compromised based on HHS figures of breaches affecting 500 individuals or more–and that doesn’t take into account the myriad of smaller breaches that HHS doesn’t publicly list.
Are there any common trends among previous data breaches?
Unfortunately, there aren’t many. Data breaches, by their nature, are unexpected occurrences with serious consequences. Breaches can be caused by physical or digital lapses in security, so to say that any one trend exists among them would be misleading. However, you can identify common behaviors that cause data breaches and put safeguards in place to prevent them. In most instances, these kinds of safeguards are mandated by HIPAA regulation and consist of policies and procedures that all covered entities and business associates should implement in order to protect their patients’ or customers’ data from being breached.
Do breaches only affect the “big players” in the industry or should everyone be concerned?
That’s a great question because it raises a few of the major misconceptions that many health care professionals have about how common data breaches are. Many people think that big names like Blue Cross, Blue Shield, Anthem, or hospital systems like UCLA Health are the only ones at risk of a breach. It’s true that massive organizations like these usually receive more press simply because the scope of their breaches–each of these affected millions. With so much attention from national media outlets, it’s natural that many people have come to associate data breaches with these “big players” in the industry. But the truth is that any organization is at risk of a breach. These misconceptions give people a false sense of security that their practice is safe–and that’s where the trouble begins.
What should an organization do if it suspects a breach?
The easiest thing to do would really be to seek out an advisor–now, whether that’s an IT professional or a privacy counsel is up to you and your organization. I can’t speak to the efficacy of IT services, but I know from experience that a health care or data privacy attorney can make a huge difference when it comes to mitigating the effects of a breach.
Any organization that suspects a breach should definitely check in with federal and state Breach Notification Rules. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has specific instructions that outline two categories of breaches. If the breach has affected fewer than 500 individuals, covered entities have 60 days from the end of the calendar year to report the breach to HHS. However, if the breach has affected 500 individuals or more, the covered entity needs to notify all affected parties within 60 days of the breach itself. Many states have local media notification requirements as well, which require that covered entities notify appropriate media outlets with news of the breach so that it can reach a wider audience–a benefit afforded to breach victims that can prove disastrous for the reputation of small to mid-size practices and organizations.
What can a company do to prepare for a breach?
The most disappointing thing about a majority of these breaches is that they’re so often avoidable. With effective policies and procedures and the proper security and privacy safeguards in place, organizations can significantly limit the risk of a data breach. To find out more, tune in to our discussion on Managing HIPAA Data Breaches on Wednesday June 15th, 2:00 pm Eastern. We’ll be covering the fundamentals of data security and information privacy with specific examples from past breaches and fines in HIPAA investigations. The best way to avoid a breach is to have strong, proactive measures in place to limit your exposure to these increasingly common events–and we’ll give you all the information you need to do just that.