News Feature | August 31, 2016

Small-Scale Data Breaches Get New Focus From Feds

By Megan Williams, contributing writer

Small-Scale Data Breaches

Almost exclusively, the news around healthcare data breaches focuses on scale: only the biggest and most broadly impactful violations receive much attention. According to an Information Management article, this might all soon be changing thanks to new action from the HHS Office for Civil Rights (OCR) and its enforcement of the rules surrounding HIPAA.

New Attention On Small Breaches

HHS officially announced it would begin investigating PHI breaches that impacted fewer than 500 individuals. This announcement comes after the HHS OIG recommendation in September of last year that OCR begin including smaller breaches on its public website. Previously, the site only listed breaches affecting more than 500 individuals.

The announcement cited recent settlements of smaller breaches that included financial fines and corrective action plans. Many of them, though, were a year old or older. Some of the settlements included:

  • Catholic Healthcare Services of the Archdiocese of Philadelphia — $650,000 on June 29, 2016
  • Triple-S Management Corp. — $3.5 million on Nov. 30, 2015
  • St. Elizabeth’s Medical Center in Brighton, MA — $218,400 on July 10, 2015
  • QCA Health Plan — $250,000 on April 22, 2014
  • Hospice of North Idaho — $50,000 on Jan. 3, 2013

An Expected Change

Many in the industry were unsurprised by this new focus. Thad Phillips, a principal consultant at tw-Security, for example, was not surprised by the formal announcement, since OCR had already warned that providers of all sizes should better protect patient information. He added, “They’re sending another warning shot, but a lot louder,” and explained that he wouldn’t be surprised if OCR started outsourcing some of its investigations.

Margret Amatayakul, President at MargretA Consulting, a security firm, notes that the new focus marks a completely different path for many in the industry, saying, “I have HIPAA risk analysis clients that have never had or at least never reported small breaches, whereas I believe they probably have had small breaches and may not be aware of them or the reporting requirement. I have a couple of clients who report every single breach throughout the year — even in cases where I don’t think they are breaches and don’t need to report them.”

MSPs working with security solutions will want to keep these changes in mind as they seek new opportunities to market to smaller providers who have flown under the radar of HHS attention in the past, as well as to larger providers who may be incorrectly focusing on only the most serious breaches they experience.