Sometimes you have to look back to know how to plan forward.
Recent corrective actions by the Office for Civil Rights (OCR) illustrate there is no such thing as a small breach. Even minor breaches that seem as though they should be “old news” are generating major penalties when the breach signals a systemic problem, or appears to result from not taking basic steps to safeguard data, such as encrypting laptops and other mobile devices.
During Clearwater’s upcoming HIPAA-HITECH Blue Ribbon Panel – Thursday, May 1 at 3:30 p.m. CDT – we will be focused on helping attendees prepare for privacy and security enforcement actions. Our panel of industry experts will specifically discuss recent enforcement trends from OCR, including what seems to be a growing focus on smaller breaches.
Federal regulators are aggressively levying fines on breaches — big and small — when lack of encryption is identified as an issue. Case in point: QCA Health Plan and Concentra Health Services. Both organizations recently agreed to hefty settlements for breaches occurring back in 2011 – 2012. Combined, the breaches affected just over 1,000 patient records. Both were the result of stolen unencrypted laptops.
In a statement, the Department of Health and Human Services noted, “These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.”
In the case of QCA, the organization notified OCR in February of 2012 of a 2011 breach that affected only 148 individuals. Their eventual settlement of $250,000 was dated April 2014! Both the size of this breach and the fact that it occurred almost three years ago suggest that everything is currently on the table when it comes to federal enforcement of reported breaches.
It seems small breaches can be big business when it comes to filling budget coffers. OCR will collect $2 million in settlement fines from QCA and Concentra combined. The extra funds create more opportunities for the agency to step up enforcement efforts and get even more aggressive.
Whether or not your organization “sweats the small stuff” is up to you, but it’s clear that as far as OCR is concerned, they plan to do just that, as they continue to look through old annual breach reports for more examples of noncompliance.
A small breach from your past could be a big headache tomorrow! Have you taken a proactive look at the small breaches from your past — the ones that are basically “old news” — to get a handle on the kind of resources you need to have on hand to prevent problems like that from recurring? Are you prepared for this level of risk analysis and risk management?
In addition to Clearwater’s HIPAA-HITECH Blue Ribbon Panel event mentioned above, you can also gain additional insight on how to get prepared by attending “Healthcare Information Security Today: 2014 Survey Results and Analysis,” a web event sponsored by HealthcareInfoSecurity. Panelists will be responding to research sponsored by (ISC)² and answering key questions such as:
- What are the top challenges in complying with the HIPAA Omnibus Rule?
- What steps are healthcare organizations taking to prevent breaches?
- What are the top data security priorities for the year ahead?
Attendees have two options to participate. The first web event is April 30th, with a follow-up presentation scheduled for Monday, May 12.