Lessons Learned from Breach Reports: A Cautionary Tale for Achieving HIPAA Compliance in Six Parts – (I) Risk Analysis and Risk Management

On May 20, 2014, then Secretary of the Department of Health and Human Services (HHS), Kathleen Sebelius, transmitted to Congress the required HITECH Act document:  Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012, which is available online at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf.  Much of this document analyzes the characteristics of breaches that the HITECH Act requires be reported to the HHS Office for Civil Rights (OCR), which prepared the report.

In this posting and the five that follow, we reproduce each of the report's six lessons learned, which cover the following areas for securing protected health information (PHI) in electronic form (ePHI) or on paper:

  1. Risk Analysis and Risk Management
  2. Security Evaluation
  3. Security and Control of Portable Electronic Devices
  4. Proper Disposal
  5. Physical Access Controls
  6. Training.


Here is the lesson learned for item 1, Risk Analysis and Risk Management, which appears on page 26 of the report:

“Ensure the organization’s security risk analysis and risk management plan are thorough, having identified and addressed the potential risks and vulnerabilities to all ePHI in the environment, regardless of location or media. This includes, for example, ePHI on computer hard drives, digital copiers and other equipment with hard drives, USB drives, laptop computers, mobile phones, and other portable devices, and ePHI transmitted across networks.”

For the convenience of the reader and to give context to the lessons learned, we also reproduce a portion of the Summary and Conclusion of the report from pages 27-28 of the report:

“For breaches occurring in 2011 and 2012, breaches involving 500 or more individuals made up 0.97 percent of reports (458 reports affecting 500 or more individuals out of 47,357 total reports), yet accounted for 97.89 percent of the 15,005,660 individuals who were affected by a breach of their PHI…. In 2011, theft and loss of PHI affected the largest numbers of individuals. In 2012, theft and hacking/IT incidents affected the largest numbers of individuals. Of all of the categories of causes of breaches, theft continues to be one of the top causes that affects the most individuals.

“The breach notification requirements are achieving their twin objectives of increasing public transparency in cases of breach and increasing accountability of covered entities and business associates. The reports submitted to OCR indicate that millions of affected individuals are receiving notifications of breaches. To provide increased public transparency, information about breaches involving 500 or more individuals is available for public view on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html…. Additionally, the website provides brief summaries of the enforcement cases, including cases stemming from a breach report, that OCR has investigated and closed.

“At the same time, more entities are taking remedial action to provide relief and mitigation to individuals and to secure their data and prevent breaches from occurring in the future. In addition, OCR continues to exercise its oversight responsibilities by reviewing and responding to breach notification reports and establishing investigations into all breaches involving 500 or more individuals, as well as into a number of breaches involving fewer than 500 individuals. For breaches occurring through the end of 2012, OCR had opened investigations into over 700 breaches, including the 458 breaches affecting 500 or more individuals that occurred in 2011 and 2012. OCR has closed some of these cases after investigation when OCR determined that the corrective action taken by the covered entity appropriately addressed the underlying cause of the breach so as to avoid future incidents and mitigated any potential harm to affected individuals.

“In addition, in seven cases resulting from a breach report, the Department has entered into resolution agreements/corrective action plans totaling more than $8 million in settlements. As of the date of this report, OCR has over 500 open investigations that were opened as the result of a breach report. In these remaining open investigations, OCR continues to investigate the reported incidents and to work with the covered entities to ensure appropriate remedial action is taken to address and prevent future incidents and to mitigate harm to affected individuals, as well as to ensure full compliance with the breach notification requirements.”

Risk analysis and risk management are addressed in the policies and procedures available for download on this HIPAA Safeguard Web site. Also provided are guidance and references on risk analysis and risk management and on every other HIPAA Security Rule safeguard standard and implementation specification, as modified by the HIPAA Omnibus Final Rule implementing the HITECH Act, published January 25, 2013, with compliance required no later than September 23, 2013. A covered entity or business associate can readily tailor these policies and procedures to its own operational environment based on the findings of its risk analysis. Finally, HIPAA Safeguard also includes a concordance that maps the Stage 1 and Stage 2 Meaningful Use security measures to the corresponding HIPAA Security Rule standards and implementation specifications.
