Ever wonder about those HIPAA breaches that affect fewer than 500 individuals and don’t get posted on the government website known as the “Wall of Shame”? In a recent presentation to the Hospital Council of Western Pennsylvania, officials from the Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) provided detailed information on all breaches, including the agency’s enforcement and auditing activities.

The presentation revealed that the publicly posted breaches represent only the tip of the iceberg, less than 1% of all reported breaches. During the period September 2009 through May 31, 2012, there were 435 reports involving a breach of 500 individuals or more, and over 57,000 reports of breaches involving fewer than 500 individuals.

Of the breaches exceeding 500 individuals, the most common cause is theft and loss, representing 65% of large breaches (and about 70% of these incidents involved ePHI).

[Chart 1]

The location of the compromised data was spread broadly over a variety of media, with a quarter of the breaches represented by paper records, another quarter by laptops, and 15% by portable devices such as phones, iPads and USB flash drives. Network servers represent 11%, perhaps due to tighter institutional control over firewalls and malware protection; and email is comparably secure at only 2%.

These statistics suggest that organizations should prioritize establishing and effectively implementing policies addressing the highest-risk media and breach circumstances, without ignoring the lower-frequency risks.

Keep in mind that breaches involving fewer than 500 individuals have been among the most prominent and high-impact cases, including the UCLA snooping case and the recent Phoenix Cardiac Surgery P.C. settlement.

The presentation also summarized OCR’s enforcement efforts over the past two calendar years. Of the 9,032 privacy complaints and compliance reviews opened in 2011 (up from 8,770 in 2010), 8,370 were closed: 2,595 after corrective action, 4,472 resolved after intake and review, and 1,303 in which the investigation found no violation. Security complaints are less frequent – 203 were closed in 2011: 158 after corrective action, 15 without determination of a violation, and 30 closed at the intake stage without investigation.

The OCR representatives also described the agency’s pilot audit program, which will target up to 115 covered entities for audit before the end of 2012 as required by the HITECH Act. The first 20 audits involved 8 health plans, 10 providers and 2 clearinghouses (Business Associates will be audited later).

The OCR presentation was led by Verne Rinker, a 13-year veteran of HHS who was also one of the presenters in last year’s comprehensive series entitled “HIPAA Training for State Attorneys General,” which is publicly available and would be an excellent training resource for covered entities and business associates.

In a welcome move toward transparency, OIG has been sharing more “inside” information than ever before. For instance, in this blog my partner Elizabeth Litten previously reported on the program OCR’s Linda Sanches recently presented on OCR’s audit efforts. Further, the official OCR summaries of breaches posted on the Wall of Shame often contain valuable insights into the enforcement process and the actions and factors the regulators consider relevant, as noted in my partner Michael Kline’s recent post.

In another nod toward transparency, just this week, OCR also published its Audit Protocol, a comprehensive document that contains the requirements OCR’s team will assess through its performance audits. The audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification.

The audit protocol covers Privacy Rule requirements for

  • notices of privacy practices for PHI,
  • rights to request privacy protection for PHI,
  • access of individuals to PHI,
  • administrative requirements,
  • uses and disclosures of PHI,
  • amendment of PHI, and
  • accounting of disclosures.

The protocol also covers Security Rule requirements for administrative, physical, and technical safeguards, and requirements for the Breach Notification Rule.

The protocol is both a useful guide to compliance and a valuable tool for preparing for and surviving an OCR audit.