Four Years Since HIPAA Omnibus: What's Changed?Has Rule Had Impact on Breach and Enforcement Trends?
It's been four year since the HIPAA Omnibus Rule went into effect. So what have been the most significant changes in compliance and breach trends since then?
The HIPAA Omnibus Rule, which went into effect on Sept. 23, 2013, and has been enforced by federal regulators since September 2014, mandated several key HIPAA compliance changes.
Most notably, the rule made business associates directly liable for HIPAA compliance and also stated that security incidents involving protected health information are presumed to be reportable HIPAA breaches unless organizations can demonstrate using a four-factor assessment that risks of PHI compromise are low.
"Although many organizations did not immediately grasp the omnibus rule changes in determining whether an incident is a breach, industry understanding has improved along with better reporting," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
Then and Now
One thing is certain: The number of breaches reported - and the number of impacted individuals - have soared in the past four years. But that's not necessarily due to the rule going into effect, but rather the healthcare sector becoming a bigger target of cyberattacks.
As of late September 2013, when HIPAA Omnibus went into effect, there were approximately 674 major breaches affecting a total of about 27 million individuals listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website - commonly called the "wall of shame" website, which lists health data breaches impacting 500 or more individuals.
Since then, the number of breaches listed on the wall of shame has more than tripled to 2,068 as of Monday. Plus, the number of individuals impacted by breaches has grown more than six-fold, to nearly 176 million individuals.
One of the biggest contributors to the surge in the number of individuals affected by reported breaches are massive hacker attacks.
Four years ago, lost and stolen unencrypted devices were the most common culprit in the largest breaches listed on the wall of shame.
But as of Monday, a total of 378 hacker breaches are responsible for 132 million individuals affected by major health data breaches, or 75 percent of all those affected since September 2009, when HHS' Office for Civil Rights began keeping a tally.
"The bad guys have known that PHI really holds the keys to the kingdom and have exploited the vulnerabilities that exist in the healthcare sector and they show no signs of letting up," says Susan Lucci, senior consultant and chief privacy officer at the security consultancy Just Associates.
The surge in ransomware attacks is not accurately reflected in the official federal breach tally. Only 12 of all breaches that have completed investigations listed on the wall of shame mention ransomware as a factor. That's just a portion of the ransomware attacks that have made the news.
"Since the HHS guidance on ransomware and breach, healthcare organizations are more likely to treat ransomware attacks as reportable breaches," Borten says. "But it's complicated and not all such attacks are alike. It's important to remember that although it can be costly for organizations, the omnibus rule requires CEs to presume an incident is a breach unless there is strong evidence it is not."
OCR's ransomware guidance isn't always clearly understood by organizations, says Tom Walsh, president of consulting firm tw-Security. "The OCR's position [that] assumes all ransomware incidents are breaches unless proven otherwise has created confusion - and in some cases extra work - for organizations in building their case out of fear that their organization may be penalized by the OCR," he notes.
"Resources would be better spent in preventing or protecting against attacks in the first place rather than trying to prove - through extensive documentation - that PHI had been accessed, used, and/or disclosed by the hackers."
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes: "Entities of all kinds are certainly getting better at evaluating the [breach] notice rule and their obligations under it." However it's possible that some incidents are potentially being over-reported, he notes.
"We continue to see - generally - companies giving notice consistent with the presumptions of the rule, which in certain situations leads to notice in situations where you wonder why or wonder what the purpose of the notice is - even if the rule tells you to give notice," he says. "There always will be difficult situations. Ransomware is a category of difficult situation, as the ransomware often 'locks down' the data, making it inaccessible to the covered entity, rather than 'stolen' by the hacker. While the OCR guidance points toward notice, we can legitimately debate why notice makes sense."
Breaches This Year
So far in 2017, 247 breaches impacting about 4.3 million individuals have been added to the Wall of Shame.
Of those, 109 were reported as hacking incidents, which in total, affected about 3 million individuals.
Business Associate Breaches
Business associates are listed on the wall of shame as being involved in 324 breaches impacting a total of nearly 29 million individuals since 2009.
Prior to the HIPAA Omnibus Rule going into effect on Sept. 23, 2013, business associates were reported as being involved in 180 breaches impacting 13.1 million individuals.
Although the omnibus rule made BAs directly liable for HIPAA compliance, so far, OCR enforcement actions, such as fines, for such cases have been exceedling rare.
OCR has issued only one settlement in a breach case involving a business associate. In June 2016, OCR signed a $650,000 financial settlement and corrective action plan with Catholic Health Care Services of the Archdiocese of Philadelphia, a business associate, following an investigation into the 2014 theft of an unencrypted smartphone that was not password protected.
"We haven't seen much business associate enforcement yet, and that isn't too surprising, given the time lags," Nahra notes. "I do think it is going to be challenging for OCR to evaluate all the different situations involving business associates. They know how to evaluate doctors and hospitals, because they have a lot of experience doing that. The range of business associates is enormous in terms of company size, focus on health care clients, volume of health data, etc. That will present real ongoing challenges."
Nevertheless, Walsh says the biggest change he's seen as a result of the HIPAA Omnibus Rule is increased awareness about compliance among business associates. And that has resulted, he says, "mainly from covered entities stepping up their activities to obtain validation or proof of compliance from their business associates - usually in the form of a security questionnaire."
But many covered entities and business associates alike still are struggling to determine whether a breach should be reported under HIPAA, Borten notes.
"Some organizations still struggle with seeing an unintended lapse that exposes PHI of only one or two patients as a breach that must be promptly reported to the affected patients," she says.