Never Had a Breach?
By Kev Larson
Never had a breach? I find it remarkable that so many on the HIStalk Advisory Panel can answer so swiftly, so confidently, and so authoritatively, “No, we have never had a breach.”
I want to know how they know that. I want to know what they are doing, day in and day out, to monitor, audit, and confirm their operational performance in a way that justifies that bold statement, the one they report to HIStalk and its readers, their boards, and their patients.
I am sure you know the old saying, "Absence of evidence is not evidence of absence." For those who are reporting no breaches, just how hard are they looking? Would their staff even know what to report, or how to report a potential breach?
I am not saying that a perfect record is not in the realm of possibility. It is just so incredibly improbable that it defies common sense. I would really love to know the secret formula that has gotten those CIOs that report no breaches to the place where they have that level of confidence and certainty. I am sure others would, too.
Along these lines, I finally got a chance to read ISMG's Healthcare Information Security Today Annual Survey, in which 35 percent of the 200 respondents reported that their organizations had not suffered a breach of any size in the past 12 months. I realize that this is a dangerously small sample, but let's take it at face value for the sake of illustration. The trend is not far off from the responses of the HIStalk Advisory Panel.
The question and response that really got me chuckling was this one, though: "What type of breach (of any size) has a BA with access to your organization's patient information had in the past 12 months?" Can you believe that 59 percent of the respondents answered that their business associates (BAs) had no breach of any size in the past 12 months? That is downright laughable and borderline reckless.
Covered entities (CEs) are doing precious little to evaluate, interrogate, or assess BA risk or compliance performance. Again, absence of evidence is not evidence of absence. If a CE answered this question based on the BA's self-report alone, that is not enough information to give the BA a clean bill of health. We have to hold them to more rigorous criteria than that.
The certain truth is that the universe of BAs is far larger than that of CEs, and BAs have only recently received the formal mandate to fully comply with HIPAA. We have a long way to go in the BA community, and CEs should be guarded, probing, and assertive in the management of their BAs. We cannot wait 10 years for our BAs to catch up.
What really matters in this discussion is what has changed under Omnibus. One of the most significant changes is that the Omnibus Rule replaces the “risk of harm” test that was so contentious in the interim final rule with a default presumption that any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule is a breach unless the CE or BA “demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.” [78 Fed. Reg. at 5,695]
Kudos to the organizations that have employed a breach risk assessment process and have implemented it consistently. Interestingly, they seem to be the ones reporting their breaches in real time, even the small ones that they could have reported later. They have a real process and are actively demonstrating a posture of continuous compliance, which is the desired state according to OCR.
However, there are a whole bunch of organizations that are just winging it. They have no process, no criteria, no tools, and no commitment. We see it all too often, and it is just not enough.
Take the five-month window before you must comply with Omnibus to shore up this part of your program, everything related to breach risk. Consider working with an expert consulting firm to help you. This is probably an area where a little investment can go a long way.