Lessons Learned from HIPAA Compliance Breaches

Originally published by BARR Advisory.

Written by Claire McKenna.

According to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), there has been a considerable upward trend in healthcare data breaches since the office began tracking data breach statistics in 2009. You may remember some of the most notable data breaches—such when Anthem Inc. suffered the largest healthcare incident ever in 2015, or the more recent St. Joseph Health System incident.

What lessons can we learn from these incidents, and how can we use them to improve security and compliance posture? We sat down with Kyle Helles, attest practice leader and partner at BARR. Take a look at our interview below.

What policies and procedures can healthcare organizations implement in order to prevent unauthorized disclosure of protected health information (PHI)?

“Effective controls begin with assessing the risks within your organization and creating policies that address those risks. As a first step, healthcare organizations need to include HIPAA as an input to their risk assessments and determine if their existing policies and procedures meet each HIPAA requirement and mitigate related risks.

Some specific policies that should be put in place to prevent the unauthorized disclosure of PHI and ensure patient data is protected include those that establish procedures for safeguarding access to PHI, responding to HIPAA violations and privacy breaches, and implementing HIPAA training for everyone who has access to PHI as part of their day-to-day roles.”

How can healthcare organizations train their staff to ensure HIPAA compliance?

“HIPAA training is absolutely critical. Training programs that translate HIPAA requirements into plain language, and that enforce understanding through exercises, will always be best. When possible, provide training in multiple formats to meet varied learning styles and help ensure everyone working at the organization has a clear understanding of their role in maintaining compliance.”

How do data breaches impact patient trust? Following a breach, what can organizations do to rebuild trust?

“Following a brief spike in breaches over the summer, the number of reported data breaches in healthcare has fallen over the last few months, which is a positive trend. However, each breach impacts patient trust, and rebuilding that trust requires an appropriate and timely response.

Data breaches are now a part of everyday life; people are used to the idea that the organizations they interact with are frequently targeted by cybercriminals. It’s how organizations prepare for and respond to those breaches that sets them apart. If an organization can implement its incident response procedures to contain the breach quickly, get its systems securely back online with its backup and business continuity processes, and communicate with a high level of transparency about the nature and extent of the breach—and the steps they’ve taken to respond—then people will have more trust in the organization’s ability to manage current and future risks involving sensitive information.

Another step that organizations can take to proactively build trust before a breach occurs is to undergo a security or privacy audit performed by an independent third party. Audits like SOC 2 + HIPAA provide stakeholders with valuable information about the controls that are in place at an organization and any gaps that may increase the risk of unauthorized users gaining access to sensitive information.”

Looking back at some of the major healthcare data breaches, what are the top lessons organizations should learn from to avoid making future mistakes?

“Looking back at past breaches, these incidents reinforce the importance of being proactive and not waiting for a breach to happen before (1) creating policies that cover HIPAA requirements and (2) training your workforce on those policies. In the world we live in, where systems are being targeted by cybercriminals around the clock, why wait?”