With 2017 having drawn to a close, it is once again time for HIPAA covered entities to complete their annual breach reporting obligations to the U.S. Department of Health & Human Services Office for Civil Rights (“OCR”). Whereas covered entities must report breaches involving 500 or more individuals no later than 60 calendar days from the discovery date, for breaches affecting fewer than 500 individuals, entities have the option of submitting the year’s incident notifications within 60 days after the end of the respective calendar year.
Even as entities work to meet this deadline, certain trends are becoming apparent. To assist with identifying trends and mitigating risks, this post provides a brief overview of current OCR activity and 2017 breach reports. Because breaches can be reported until February 28, 2018, the figures herein are not yet final. Nevertheless, the 2017 statistics to date provide insight into the healthcare industry’s current challenges, general trends in data security, and considerations for 2018 OCR compliance.
To date, the annual figures for HIPAA privacy breaches of unsecured protected health information (“PHI”) reveal that network servers, email, and other information technology (“IT”) events continued to challenge the healthcare industry in 2017. OCR data shows that HIPAA privacy breach reports affecting 500 or more individuals remained relatively stable when compared to 2016, increasing slightly from 327 to 345. Hacking and IT incidents, however, rose by 25%, with 142 in 2017 compared to 113 in 2016. Other events, such as unauthorized access/disclosures, theft, and improper disposal, saw more modest fluctuations. Breaches occurring via portable electronic devices in the workplace (e.g., smartphones and tablets) remained stable, with 22 in 2017 and 21 in 2016. Email-based breaches, however, rose by 60%, up to 85 in 2017 from 50 in 2016.
The healthcare industry clearly still has work to do, particularly with larger data sets. The numbers show an increase in hacking and email-related breaches, which makes the need for email and software safety measures more apparent.
There are several key lessons to be gleaned from the 2017 statistics regarding protection measures that a covered entity may take in 2018 to help close current gaps and minimize the risk of the increasingly commonplace hacking and email incidents:
- Workforce training and education that emphasize the identification of suspicious emails and links that may allow hackers into a covered entity’s network remain vital compliance tools.
- From an administrative and management perspective, as well as from an OCR enforcement perspective, updating risk analyses of systems is more important than ever.
- Following a management plan, created from the identification of threats to PHI through the risk analysis, can significantly minimize risk exposure and avoidable attacks.
- Investment in and implementation of advanced intrusion detection systems can identify malicious activity or software more quickly, creating real-time alerts.
- Continued auditing and monitoring of systems and the workforce further assist entities with identifying abnormalities or weak points in their safeguards.
- Software updates can help shut out malicious and widespread attacks. As seen with the global “WannaCry” ransomware attack and the most recent “Meltdown” and “Spectre” hardware vulnerabilities, potential hacks, phishing schemes, and viruses may be more easily mitigated with the appropriate patches and operating system updates.
The 2017 numbers regarding data breaches show the need for HIPAA entities to remain vigilant against large breaches, especially as attacks grow increasingly malicious and difficult to anticipate. Large and small solutions exist, each of which can make a significant impact on protecting against breaches in the coming year.
45 C.F.R. § 164.408(b), (c); Submitting Notice of a Breach to the Secretary, U.S. Dep’t of Health & Human Servs. (Jan. 5, 2015), https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html.