Breaches: Taking Corrective ActionReport to Congress Provides Insights
That update is contained in a report from the Department of Health and Human Services' Office for Civil Rights. The report to Congress, mandated under the HITECH Act, states that the office has completed its investigations for only 30 percent of the 252 major breaches that were added to its tally from September 2009 through the end of 2010 (see: Congress Gets Health Breach Update).
OCR says it has closed its investigations for about 76 major breach incidents after determining "that the covered entity properly complied with the breach notification requirements and that the corrective action taken by the covered entity appropriately addressed the underlying cause of the breach so as to avoid future incidents and mitigated any potential harm to affected individuals."
Let's hope that the Office for Civil Rights makes sure that 100 percent of organizations experiencing a breach of electronic information adopt encryption.
That means that for another 176 incidents in 2009 and 2010, OCR has yet to confirm corrective action and notification compliance. (And keep in mind, so far in 2011, another 62 major cases have been added to the OCR list of major health information breaches).
It's troubling that many organizations that experienced breaches dating back many months may have not yet completed all appropriate action to prevent another breach from happening.
EncryptionBecause so many of the major breaches have involved the theft or loss of electronic devices or media, encryption is certainly an important "corrective action." Here's what the OCR report has to say about that topic:
"With respect to large breaches involving the theft or loss of electronic protected health information, of the approximately 131 reports of such breaches in 2009 and 2010, about 50 percent of the reports indicated that encryption technologies were being implemented as a remedial step to avoid future breaches."
Let's hope that OCR, as part of its continuing investigations, makes sure that 100 percent of organizations experiencing a breach of electronic information adopt encryption as appropriate to their situation.
The HITECH breach notification rule contains a "safe harbor" that states breaches of information that was properly encrypted do not have to be reported. Yet we're continuing to learn of breaches involving unencrypted laptops, thumb drives and other devices and media. So if your organization stores protected health information on mobile devices or media, it's certainly a best practice to make sure that information is encrypted.
Fraud crackdownAlso in the news this week, federal authorities announced charges against 91 individuals in eight cities for Medicare fraud schemes. Given that the financial viability of Medicare is a major concern, it's good to see a major crackdown on fraud. Let's hope it continues.
And as we mark the 10th anniversary of the 9/11 attacks, it's a good time to reflect on the security lessons learned in the past decade. Consultant Mac McMillan laments that while the attacks provided a strong catalyst for disaster recovery and business continuity planning, most healthcare organizations sill have a lot of work to do.