On May 20, 2014, then Secretary of the Department of Health and Human Services (HHS), Kathleen Sebelius, transmitted to Congress the required HITECH Act document: Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2011 and 2012, which is available online at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachreport2011-2012.pdf. Much of this document analyzes the characteristics of breaches that the HITECH Act requires be reported to the HHS Office for Civil Rights (OCR), which prepared the report.
In the first five postings in this series and in this final one, we reproduce from the report each of its six lessons learned, which cover the following areas for securing protected health information (PHI) in electronic (ePHI) or hard copy format:
Here is the sixth lesson learned, pertaining to Training, which appears on page 27 of the report:
“Ensure employees are trained on the organization’s privacy and security policies and procedures, including the appropriate uses and disclosures of PHI, and the safeguards that should be implemented to protect the information from improper uses and disclosures; and ensure employees are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.”
For the convenience of the reader and to give context to the lessons learned, we also reproduce a portion of the Summary and Conclusion of the report from pages 27-28 of the report:
“For breaches occurring in 2011 and 2012, breaches involving 500 or more individuals made up 0.97 percent of reports (458 reports affecting 500 or more individuals out of 47,357 total reports), yet accounted for 97.89 percent of the 15,005,660 individuals who were affected by a breach of their PHI…. In 2011, theft and loss of PHI affected the largest numbers of individuals. In 2012, theft and hacking/IT incidents affected the largest numbers of individuals. Of all of the categories of causes of breaches, theft continues to be one of the top causes that affects the most individuals.
“The breach notification requirements are achieving their twin objectives of increasing public transparency in cases of breach and increasing accountability of covered entities and business associates. The reports submitted to OCR indicate that millions of affected individuals are receiving notifications of breaches. To provide increased public transparency, information about breaches involving 500 or more individuals is available for public view on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html…. Additionally, the website provides brief summaries of the enforcement cases, including cases stemming from a breach report, that OCR has investigated and closed.
“At the same time, more entities are taking remedial action to provide relief and mitigation to individuals and to secure their data and prevent breaches from occurring in the future. In addition, OCR continues to exercise its oversight responsibilities by reviewing and responding to breach notification reports and establishing investigations into all breaches involving 500 or more individuals, as well as into a number of breaches involving fewer than 500 individuals. For breaches occurring through the end of 2012, OCR had opened investigations into over 700 breaches, including the 458 breaches affecting 500 or more individuals that occurred in 2011 and 2012. OCR has closed some of these cases after investigation when OCR determined that the corrective action taken by the covered entity appropriately addressed the underlying cause of the breach so as to avoid future incidents and mitigated any potential harm to affected individuals.
“In addition, in seven cases resulting from a breach report, the Department has entered into resolution agreements/corrective action plans totaling more than $8 million in settlements. As of the date of this report, OCR has over 500 open investigations that were opened as the result of a breach report. In these remaining open investigations, OCR continues to investigate the reported incidents and to work with the covered entities to ensure appropriate remedial action is taken to address and prevent future incidents and to mitigate harm to affected individuals, as well as to ensure full compliance with the breach notification requirements.”
Training is addressed in the policies and procedures available for download on this HIPAA Safeguard Web site. Also provided are guidance and references related to training and all other HIPAA Security Rule safeguard standards and implementation specifications, as modified by the HITECH Act on January 25, 2013, and requiring compliance no later than September 23, 2013. A covered entity or business associate can readily tailor these policies and procedures to its specific business operational environment based on findings from its risk analysis. Training courses required of all workforce members that cover all security safeguard policies and procedures—as well as those pertaining to privacy and breach notification safeguard policies and procedures—are available at: www.HIPAASchool.com. HIPAA School courses also are accredited by AMA, AHIMA, PAHCOM, and AAPC for continuing education.