Privacy or security incidents involving protected health information (PHI) and personally identifiable information (PII) are more than just probable in healthcare settings; they are inevitable. This makes sense: heavily regulated industries like healthcare rely on highly personal and sensitive data to provide care, and the abundance of such data presents a higher risk of unauthorized disclosures, whether unintentional or malicious. The frequency and range of risks to an organization’s data are growing as well, from a ransomware attack or a breach of your Electronic Health Record (EHR) system to a simple misdirected mailing or improper disposal of paper records.
Knowing this, what is the outlook for a healthcare organization working to remain compliant with rapidly evolving data privacy laws? How are federal and state regulators looking at data privacy and compliance? And what steps can be taken to improve healthcare privacy programs moving forward?
An analysis of data gleaned from the assessment of a large volume of incidents through the RADAR platform, featured in our ongoing benchmarking article series, provides key insights into the compliance challenges faced by healthcare organizations. Using this anonymized metadata, we are able to identify and share trends, insights, and best practices to aid healthcare organizations’ continuous efforts in preventing, monitoring, and remediating incidents and mitigating risks to affected individuals.
Below are a few healthcare benchmarking statistics based on this never-before-available dataset.
Prevalence of paper
One of the most relevant data points on healthcare privacy incidents and data breaches is the prevalence of paper. There has been a long-held misconception, partly fueled by the larger and more publicized data breaches, that electronic incidents such as a ransomware attack or phishing scheme are an organization’s greatest risk. In the world of healthcare, the reality is that paper incidents (often caused by human error) are much more commonplace, and more likely to result in a data breach.
According to RADAR metadata spanning 2016 and 2017, paper incidents in the healthcare industry are roughly three times more common than electronic incidents, and that ratio holds true when it comes to comparing paper and electronic data breaches as well.
Sensitivity of data
It’s been widely reported that healthcare experiences more data incidents and breaches than any other industry – not surprising if you think about the nature of the work and the prevalence of sensitive data.
RADAR incident metadata has shown that, across all industries, data pertaining to personal healthcare is involved in incidents that are considered a breach more frequently than other types of personal data, such as driver’s license numbers or personal bank account numbers. This information is also typically more easily identified as private, so teams are more careful to identify unauthorized disclosures of this data. For example, RADAR metadata reveals that only 13 percent of all privacy incidents involve clinical data or diagnosis information, but roughly one third of those incidents that do involve clinical data or diagnosis information will be considered notifiable.
Timeframes to provide breach notification
Under the HIPAA Breach Notification Rule, most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of a breach. Notifications of smaller breaches affecting fewer than 500 individuals may be submitted to HHS annually. States have different notification timelines, ranging from 15 days in California to 45 or 60 days in the most recently passed breach laws in Alabama and South Dakota, respectively. Compliance with these timeframes requires documenting the discovery date, the time taken to determine whether the incident qualifies as a data breach under the applicable regulation, and the time taken to provide notification, with the required contents, to regulators and affected individuals.
RADAR incident metadata provides useful insights into this incident response process for healthcare entities. For organizations regulated by HIPAA, we see that on average it takes 10.7 days to discover an incident and, once discovered, 32.3 days to provide notification. This illustrates the importance of having a streamlined incident documentation and risk assessment process to help ensure compliance with the HIPAA breach notification timeframe. These figures are also well below other reported benchmarks: for instance, the 2018 Verizon Protected Health Information Data Breach Report indicates that roughly two-thirds of all incident discovery timelines are measured in months and even years.
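To make the timeline discipline described above concrete, here is an added example (not RADAR’s code, and not an implementation of any regulator’s rule text) of a small incident-timeline tracker. It records the discovery, determination and notification dates for an incident, derives the binding deadline from the notification windows quoted in this article (60 days under HIPAA, 15 days in California, 45 in Alabama, 60 in South Dakota), applies the fewer-than-500 annual HHS log threshold, and computes the same discover-to-notify metrics the benchmarks report. The incidents, dates and state lists are constructed sample data; counting all windows as calendar days from the discovery date is a simplifying assumption, and legal interpretation of when a window starts is left to counsel.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Notification windows quoted in the article, in days after discovery.
# Assumption: every window is counted in calendar days from the discovery date.
HIPAA_INDIVIDUAL_NOTICE_DAYS = 60
STATE_NOTICE_DAYS = {"CA": 15, "AL": 45, "SD": 60}
HHS_ANNUAL_LOG_THRESHOLD = 500  # breaches affecting fewer than this may be logged to HHS annually


@dataclass
class Incident:
    incident_id: str
    occurred: date                      # when the disclosure happened
    discovered: date                    # when the organization became aware of it
    determined: Optional[date]          # when the risk assessment concluded it is notifiable
    notified: Optional[date]            # when affected individuals were notified
    affected_count: int
    states: list                        # states whose residents are affected (e.g. ["CA", "SD"])


def applicable_deadlines(inc: Incident) -> dict:
    """Map each applicable regime to its notification deadline."""
    deadlines = {"HIPAA": inc.discovered + timedelta(days=HIPAA_INDIVIDUAL_NOTICE_DAYS)}
    for state in inc.states:
        if state in STATE_NOTICE_DAYS:
            deadlines[state] = inc.discovered + timedelta(days=STATE_NOTICE_DAYS[state])
    return deadlines


def binding_deadline(inc: Incident) -> tuple:
    """The earliest deadline across all applicable regimes wins."""
    deadlines = applicable_deadlines(inc)
    regime = min(deadlines, key=deadlines.get)
    return regime, deadlines[regime]


def hhs_reporting_track(inc: Incident) -> str:
    """Smaller breaches may go on the annual HHS log; larger ones are reported promptly."""
    if inc.affected_count < HHS_ANNUAL_LOG_THRESHOLD:
        return "annual log"
    return "report within 60 days of discovery"


def notification_status(inc: Incident, today: date) -> str:
    """Classify the incident against its binding deadline as of 'today'."""
    _, deadline = binding_deadline(inc)
    if inc.notified is not None:
        return "on time" if inc.notified <= deadline else "late"
    return "open" if today <= deadline else "overdue"


def timeline_metrics(inc: Incident) -> dict:
    """Days to discover, days to determine, and days from discovery to notification."""
    return {
        "days_to_discover": (inc.discovered - inc.occurred).days,
        "days_to_determine": (inc.determined - inc.discovered).days if inc.determined else None,
        "days_to_notify": (inc.notified - inc.discovered).days if inc.notified else None,
    }


def average_days_to_notify(incidents: list) -> Optional[float]:
    """Benchmark-style average of discovery-to-notification time over notified incidents."""
    values = [m["days_to_notify"] for m in map(timeline_metrics, incidents) if m["days_to_notify"] is not None]
    return round(sum(values) / len(values), 1) if values else None


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    # Misdirected mailing; CA residents affected, so the 15-day state window binds.
    Incident("INC-001", date(2018, 2, 20), date(2018, 3, 1), date(2018, 3, 5), date(2018, 3, 12), 40, ["CA", "SD"]),
    # Same states, but notification slipped to April: inside HIPAA's 60 days, late under CA's 15.
    Incident("INC-002", date(2018, 2, 25), date(2018, 3, 1), date(2018, 3, 20), date(2018, 4, 2), 1200, ["CA", "SD"]),
    # No listed state law applies, so only the HIPAA window governs; still open.
    Incident("INC-003", date(2018, 3, 10), date(2018, 3, 15), None, None, 12, ["OR"]),
]

if __name__ == "__main__":
    today = date(2018, 4, 10)
    for inc in SAMPLE_INCIDENTS:
        regime, deadline = binding_deadline(inc)
        print(inc.incident_id, regime, deadline, notification_status(inc, today),
              hhs_reporting_track(inc), timeline_metrics(inc))
    print("average days to notify:", average_days_to_notify(SAMPLE_INCIDENTS))
```

The point the sample set makes is the one the article makes: the HIPAA 60-day ceiling is rarely the binding constraint once state residents are involved, so the deadline a privacy team should track is the earliest across all applicable regimes, measured from a documented discovery date.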
Challenges and Opportunities for Compliance with State and HIPAA Breach Notification Requirements
At the end of the day, regulated entities feel the pain of regulatory compliance because they are entrusted with very sensitive data. Patients, employees and customers are all trusting that these organizations will honor their privacy and act in good faith when it comes to how this sensitive data is used, shared, and protected. Doing well in privacy and compliance means proving yourself worthy of this trust. Given the reality of the compliance landscape for healthcare entities, here are a few good places to start:
- Implement reporting and benchmarking. Having access to ongoing, up-to-date privacy data within your organization allows you to identify trends in unauthorized disclosures so you can implement measures to mitigate risks. Privacy programs also benefit from objective benchmarks against which to compare internal metrics or forecast department resource requirements.
- Paper, electronic, big or small – assess every incident, every time. Every incident involving personal data matters, and the presumption of breach requires that every incident be consistently and defensibly risk assessed and documented in order to meet your burden of proof. Assessing every incident, every time, demonstrates a culture of compliance and reduces organizational risk.
- Streamline processes to meet notification timelines and lower risk exposure. Training your staff to recognize incidents – paper or electronic – is a good place to start. Create a centralized method for reporting incidents internally, so that when an unauthorized disclosure of personal data occurs, you are able to quickly assess the risk of what has allegedly been disclosed or made unavailable.
Are you heading to the HCCA 22nd Annual Compliance Institute in Las Vegas this year?
Our team will be at this year’s HCCA Compliance Institute in full force, exhibiting and attending conference sessions. Visit booth 409 for live demos of RADAR.
Let us know you’d like to meet there for a more formal one-on-one meeting: email [email protected] to schedule time.