In the endless conflict over the protection of PHI — Protected Health Information — the good guys appear to be losing more battles, but winning the overall war, at least for the moment.
According to a study released early this year by IT security auditing vendor Redspin, the number of "large" breaches of PHI (those affecting 500 or more individuals, the threshold at which HHS requires public reporting) rose 21.5 percent, from 121 in 2011 to 146 in 2012. But the total number of individual records compromised fell 77 percent over the same period, from 10.6 million to 2.4 million.
Dan Berger, president and CEO of Redspin, cautioned that this could be misleading — that it takes only one catastrophic breach to skew those numbers in the other direction. "While that looked like a trend earlier this year, it has been essentially negated by the Advocate Health breach of more than 4 million patient records as a result of the theft of a desktop computer this past July," he said.
That made the largest breach of 2012 — 780,000 records from the Utah Department of Health — look paltry by comparison.
There was yet another major breach on Oct. 12, when two password-protected laptops containing 729,000 patients' data were stolen from the administrative offices of AHMC Healthcare Inc. Password protection alone does not make the data on a stolen device unreadable; under HHS guidance, only encryption (or destruction) renders PHI "unusable, unreadable, or indecipherable" to unauthorized persons, which is why a theft like this still counts as a reportable breach. Even so, the total for 2013 remains well below the number of individual records breached in 2011.
And at least some experts say the downward trend could continue, or even accelerate, now that last month's compliance deadline for the HIPAA Omnibus Rule, the latest update to the Health Insurance Portability and Accountability Act, has passed.
The biggest change is that the update vastly expands the number of organizations directly responsible for compliance with HIPAA requirements, and therefore directly liable for failing to secure PHI. Previously the regulations applied only to "covered entities" (health care providers, health plans and health care clearinghouses). The list of responsible and liable parties now also includes their Business Associates (BAs), the dozens or even hundreds of vendors, contractors and consultants they hire, and even the subcontractors of those BAs, if they create, receive, maintain or transmit PHI.
Rachel Seeger, of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces the HIPAA regulations, said BAs and subcontractors are now "directly liable" for compliance with certain HIPAA privacy and security rules, including:
- Impermissible uses and disclosures (including more than the minimum necessary)
- Failure to provide breach notification to the covered entity (such as a health care provider), or, if a subcontractor, to the BA
- Failure to provide an individual with electronic access to his or her PHI
- Failure to make internal practices, books, and records available to the HHS secretary to determine compliance with the HIPAA Rules
- Contractual liability for requirements of the business associate agreement
- Liability for actions of agent subcontractors