
Readers Write: Never Had a Breach?

May 1, 2013 Readers Write 2 Comments

By Kev Larson

Never had a breach? I find it remarkable that so many on the HIStalk Advisory Panel can answer so swiftly, so confidently, and so authoritatively, “No, we have never had a breach.” 

I want to know how they know that. I want to know what they are doing — day in and day out — to monitor, audit, and confirm their operational performance that allows them to make that bold statement – the one that they report to HIStalk and its readers, their boards, and their patients.

I am sure you know the old saying, “The absence of evidence is not the evidence of absence.” For those that are reporting no breaches, just how hard are they looking? Would their staff even know what to report or how to report a potential breach? 

I am not saying that a perfect record is not in the realm of possibility. It is just so incredibly improbable that it defies common sense. I would really love to know the secret formula that has gotten those CIOs that report no breaches to the place where they have that level of confidence and certainty. I am sure others would, too.

Along these lines, I finally got a chance to read ISMG’s Healthcare Information Security Today Annual Survey in which 35 percent of the 200 respondents reported that their organizations had not suffered a breach of any size in the past 12 months. I realize that this is a dangerously low sample size, but let’s just take it at face value for the sake of illustration. The trend is not too terribly off from the responses from the HIStalk Advisory Panel. 

The question and response that really got me chuckling was this one, though. “What type of breach (of any size) has a BA with access to your organization’s patient information had in the past 12 months?” Can you believe that 59 percent of the respondents answered that their BAs had no breach of any size in the past 12 months? That is downright laughable and borderline reckless.

CEs are doing precious little to evaluate, interrogate, or assess BA risk or compliance performance. Again, the absence of evidence is not the evidence of absence. If a CE responded to this question based on the BA’s self-report to them alone, that should not be enough information to give that BA a clean bill of health. We have to hold them to more rigorous criteria than that. 

The certain truth is the universe of BAs is exponentially larger than that of CEs, and BAs have only recently received the formal mandate to fully comply with HIPAA. We have a long way to go in the BA community and CEs should be guarded, probative, and assertive in the management of their BAs. We cannot wait 10 years for our BAs to catch up.

What really matters in this discussion is what has changed under Omnibus. One of the most significant changes is that the Omnibus Rule replaces the “risk of harm” test that was so contentious in the interim final rule with a default presumption that any acquisition, access, use, or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule is a breach unless the CE or BA “demonstrates that there is a low probability that the [PHI] has been compromised based on a risk assessment.” [78 Fed. Reg. at 5,695] 

Kudos to the organizations that have employed a breach risk assessment process and have implemented it consistently. Interestingly, they seem to be the ones reporting their breaches in real time, even the small ones that they could have reported later. They have a real process and are actively demonstrating a posture of continuous compliance, which is the desired state according to OCR. 

However, there are a whole bunch of organizations that are just winging it. They have no process, no criteria, no tools, and no commitment. We see it all too often and it is just not enough.

Take the five-month window before you must comply with Omnibus to shore up this part of your program – all things related to breach risk. Consider working with an expert consulting firm to help you. This is probably an area where a little investment can go a long way.

Comments:

  1. Good point, but I think the safer answer would be: never had a breach that ‘hurt’.

    So if it didn’t hurt does it still count? Probably, but as the old sales dictum goes, no pain, no change.

  2. The equivalent notion in clinical medicine is the documentation of “WNL”—which can mean “within normal limits”, but more accurately means “we never looked”.
