Emerging Trends Illustrate HIPAA Compliance Risk : Articles : Resources : CLA (CliftonLarsonAllen)
Computer work late night

Two significant information security trends are converging that will increase the risk of non-compliance with the HIPAA security and breach notification rules for small and medium size providers.

Navigating health reform

Emerging Trends Illustrate HIPAA Compliance Risk

  • 1/31/2013

Emerging Trends Illustrate HIPAA Compliance Risk

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) released its final omnibus rule designed to strengthen the privacy and security protections for health information contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Two significant information security trends are converging that will increase the risk of non-compliance with the HIPAA security and breach notification rules for small and medium size providers. The first trend relates to an increase in malicious hacker activity resulting in both data loss and HIPAA-related fines. The second is the increased audit oversight mandated by HHS and administered by the Office of Civil Rights. This is the first in a series of three messages designed to provide health care entities with key information about this important topic.

Increase in malicious activity

The HIPAA rules focus primarily on electronic protected health information (ePHI), which has seen a dramatic increase in malicious hacking activity. This is clearly evident in national information security surveys, including intrusion analysis performed by Verizon Business Services and Trustwave. We have also seen an increase in health care data breaches noted in HHS’s ongoing tabulation of data breaches.

Malicious hackers use stolen ePFI to commit identity theft, wire fraud, and electronic check processing (automated clearing house or ACH) fraud. As the methods used by these hackers mature, businesses that never before considered themselves at risk are now high-value targets. This clearly includes health care entities.

The cost of such breaches goes beyond the direct cost of data loss and includes fines (sometimes very steep) and penalties related to HIPAA violations that are exposed by the breach methods. There are many cases from the past year that required providers to pay penalties to the HHS for failure to comply with HIPAA rules.

Smaller entities are now targets and exposed to fines. We recently noted the first settlement with the HHS for unsecured ePHI affecting less than 500 individuals. Hospice of North Idaho (HONI) reported an unencrypted laptop that was stolen in June of 2010. The OCR’s investigation determined HONI had no policies and procedures in place to minimize the risk for mobile devices or conducted the required risk assessment. This breach exposed 441 records—the fine was $50,000.

Increase in audit oversight

For the first time since the inception of the HIPAA rules, significant audit oversight is being undertaken at the federal level. During 2012, the Office of Civil Rights engaged KPMG to audit 115 covered entities to determine the status of industry compliance efforts. During the first half of 2012 the first 20 audits were completed. Of the 20 entities selected, over half were considered small providers. The providers were broken down depending on their level of electronic record sophistication and gross annual revenues. Most audits were performed at entities with less than $50 million in revenues.

The results of the audits indicate significant compliance issues in these smaller entities. Two graphs from KPMG’s initial report bear this out. The vast majority of findings were in smaller entities, and most of those findings were related to the HIPAA security compliance rules.

The following graph illustrates the number of findings broken down by entity size, where Tier 1 entities are the largest, Tier 4 are the smallest. Tier 4 entities are those with revenues of $50 million or less.

Analysis findings by tier

The graph below illustrates that of the three separate HIPAA rules, the vast majority of audit findings involved information security.

Analysis finding by rule

How we can help

These trends have the potential to impact all health care entities, including smaller entities. In an environment of increased malicious hacking activity and increased regulatory scrutiny, smaller entities appear significantly less secure than their larger counterparts. We recommend all covered entities conduct a thorough risk/gap assessment related to HIPAA compliance and determine their overall information security posture as well.

Mark Eich, Information Security Partner
mark.eich@cliftonlarsonallen.com or 612-397-3128

Juli Ochs, Health Care Consultant
juli.ochs@cliftonlarsonallen.com or 612-376-4500