AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

HIPAA Data Encryption: 500 Is A Tragic Number

Colin Zick at securityprivacyandthelaw.com notes that according to the HHS 2012 budget, the Office of Civil Rights (OCR) cannot afford to investigate medical data breaches that involve fewer than 500 people. The report also answers an oft-asked question: how many such breaches were reported to the HHS? Quite a few, it turns out. (As a side note, I hope these covered entities decided to smarten up and start using laptop encryption software and the like.)

A Total of 9,300 Reports

According to the Department of Health and Human Services, Fiscal Year 2012, Justification of Estimates for Appropriations Committees, a total of 9,300 breaches were reported under HIPAA/HITECH between September 23, 2009 and September 30, 2010.

Of the 9,300 breaches, "191 impacted more than 500 individuals and 9,109 impact less than 500 individuals." In other words, roughly 2% of all breaches reported to the HHS are displayed publicly on the HHS website.

And of these "hidden" breaches,

Based on OCR’s current HIPAA case load, almost all breach reports that impact less than 500 individuals are not investigated.  Accordingly, OCR requires additional FTE and resources to ensure it is able to conduct investigations of potential small- and mid-sized breaches. [my emphasis]

Silver Lining

Based on the above, Zick writes "count your breaches carefully before reporting, as there seems to be a real benefit to being able to report an impact on less than 500 individuals."

That benefit window will soon start to close, though. As far as I can tell, the above information was revealed as part of a request for more funds. The percentage of "500 or less" cases going uninvestigated will decrease substantially in the years to come. (I'm not enough of a Pollyanna to believe that such occurrences will disappear, however.)

HITECH: Encryption for Safe Harbor

I should remark that "counting how many are affected" is not a sustainable tactic for...well, for whatever. It's certainly not data security: if you're reporting it, the data breach has already taken place. And you still have to report the breach even if it affects fewer than 500 people. I guess it lowers your overall chances of getting fined by the HHS, maybe?

If you're looking for a surefire method to not have the OCR breathing down your neck, you should look into using encryption software wherever you need to protect PHI.  As detailed in other posts and blogs: "HHS defines 'secure' to mean encrypted. In fact, encryption is really the only way to secure PHI."

The use of encryption is the only way to get safe harbor from sending breach notifications to HHS, the media, and individual patients.


Related Articles and Sites:
http://www.securityprivacyandthelaw.com/2011/02/articles/government-enforcement/500-is-a-magic-number-health-information-breaches-impacting-499-or-fewer-patients-likely-go-uninvestigated-by-ocr/
http://www.phiprivacy.net/?p=5989
http://www.hhs.gov/about/FY2012budget/ocr_cj_fy2012.pdf

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.