
Readers Write: Never Had a Breach?

May 1, 2013

By Kev Larson

Never had a breach? I find it remarkable that so many on the HIStalk Advisory Panel can answer so swiftly, so confidently, and so authoritatively, “No, we have never had a breach.” 

I want to know how they know that. I want to know what they are doing, day in and day out, to monitor, audit, and confirm their operational performance, such that they can make that bold statement, the one they report to HIStalk and its readers, their boards, and their patients.

I am sure you know the old saying, “Absence of evidence is not evidence of absence.” For those reporting no breaches, just how hard are they looking? Would their staff even know what to report, or how to report a potential breach? An organization that does not log access to PHI, review those logs, and train its staff to escalate suspected incidents cannot honestly claim zero breaches; it can only claim zero detected breaches.

I am not saying that a perfect record is impossible. It is just so improbable that it defies common sense. I would really love to know the secret formula that has given the CIOs who report no breaches that level of confidence and certainty. I am sure others would, too.

Along these lines, I finally got a chance to read ISMG’s Healthcare Information Security Today annual survey, in which 35 percent of the 200 respondents reported that their organizations had not suffered a breach of any size in the past 12 months. I realize that this is a small sample, but let’s take it at face value for the sake of illustration. The trend is not far off from the responses of the HIStalk Advisory Panel.

The question and response that really got me chuckling, though, was the one about business associates (BAs): “What type of breach (of any size) has a BA with access to your organization’s patient information had in the past 12 months?” Can you believe that 59 percent of the respondents answered that their BAs had no breach of any size in the past 12 months? That is downright laughable and borderline reckless.

Covered entities (CEs) are doing precious little to evaluate, interrogate, or assess BA risk or compliance performance. Again, absence of evidence is not evidence of absence. If a CE answered this question based on the BA’s self-report alone, that is not enough information to give that BA a clean bill of health. We have to hold them to more rigorous criteria than that: at a minimum, a BA agreement that obligates the BA to report security incidents and breaches to the CE, and a CE that actually asks for evidence of the BA’s own risk analysis rather than accepting a verbal assurance.

The certain truth is that the universe of BAs is vastly larger than that of CEs, and BAs have only recently received the formal mandate to fully comply with HIPAA. We have a long way to go in the BA community, and CEs should be guarded, probing, and assertive in managing their BAs. We cannot wait 10 years for our BAs to catch up.

What really matters in this discussion is what has changed under the Omnibus Rule. One of the most significant changes is that it replaces the “risk of harm” standard that was so contentious in the interim final rule with a default presumption: any acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted by the HIPAA Privacy Rule is a breach unless the CE or BA “demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.” [78 Fed. Reg. at 5,695] In practice this shifts the burden of proof: an impermissible disclosure for which no risk assessment has been performed and documented must be treated as a reportable breach.

Kudos to the organizations that have adopted a breach risk assessment process and apply it consistently. Interestingly, they seem to be the ones reporting their breaches in real time, even the small ones they could have logged and reported later. They have a real process and are actively demonstrating a posture of continuous compliance, which is the desired state according to OCR.

However, there are a whole bunch of organizations that are just winging it. They have no process, no criteria, no tools, and no commitment. We see it all too often and it is just not enough.

Use the roughly five-month window before Omnibus compliance is required to shore up this part of your program: everything related to breach risk. Consider working with an expert consulting firm to help you. This is probably an area where a little investment can go a long way.

2 comments on this article:

  1. Good point, but I think the safer answer would be:
    Never had a breach that ‘hurt’.

    So if it didn’t hurt does it still count? Probably, but as the old sales dictum goes, no pain, no change.

  2. The equivalent notion in clinical medicine is the documentation of “WNL”, which can mean “within normal limits”, but more accurately means “we never looked”.
