"HIPAA Security Awareness" Hot Topic In Congressional Report

Security Awareness Ranks 3rd Among Most Investigated Compliance Issues


In the HHS annual report to Congress covering 2009 and 2010, Security Awareness made the department's Top 6 list of Security Rule compliance issues investigated.  The report outlined the department's enforcement activities, including complaint investigations, compliance reviews and audits.  From the Security Rule's original compliance date through December 31, 2010, the compliance issues investigated most often by OCR, compiled cumulatively and listed in order of frequency, were:

1. Failure to demonstrate adequate policies and procedures or safeguards to address
2. Response and reporting of security incidents
3. Security awareness and training
4. Access controls
5. Information access management
6. Workstation security

The most common types of covered entities that have been required to take corrective action to achieve voluntary compliance with regard to the Security Rule, in order of frequency, were:

1. Private practices
2. General hospitals
3. Outpatient facilities
4. Health plans, which include group health plans and health insurance issuers
5. Pharmacies

The report also cited several actual breaches of ePHI.  Two of the cases involved theft: computer backup tapes taken from a vehicle, and a laptop containing ePHI taken from the receptionist's desk while she had stepped away.

More Than One Reason To Address Security Awareness

As I read this report, it reinforced the concerns I have about the exposure private practices face on the Security Awareness aspect of HIPAA Security Rule compliance.  The issue is twofold.

First, and obviously, there is the liability from a compliance standpoint.  The Security Rule's administrative safeguards (45 CFR 164.308(a)(5)) require covered entities to implement a security awareness and training program for all members of their workforce.  While it could be argued that security awareness is one of the easiest HIPAA citations to address, the difficulty lies in the word itself: "awareness".  That implies an ongoing, regular program that keeps security on the minds of the organization's workforce, not a one-time session at hiring.  It is definitely easy to let this one slip.

Second, there is the practical standpoint.  Both theft cases might have been prevented by a better trained workforce.  Granted, who would expect someone to be so bold as to steal a laptop from the receptionist's desk in broad daylight?  And certainly, other steps could have been taken in advance to reduce the thief's opportunity, such as cable locks and full-disk encryption.  However, an employee who is "aware" and actively thinking about security might have asked a co-worker to cover the desk rather than leave the station unattended.  As it happened, not only was the laptop stolen and many patients' health information potentially breached, but the organization had to endure an investigation which certainly probed deeper than the circumstances around the front desk.

The More Likely Threat 

There are many risks to ePHI that covered entities and business associates must consider.  Yes, there are definitely those who would seek to break into your network and silently steal all your patient data, and you must address that.  But leaving your biggest threat unaddressed, a poorly equipped employee, is a breach and an investigation just waiting to happen.



Phil Cooper is the co-founder of Skysail Software, makers of affordable HIPAA Security Rule compliance management software.  HIPAA FLIGHTPLAN is web-based software that provides centralized documentation of your HIPAA Security Rule compliance program.  HIPAA TIPS is web-based software that delivers Security Awareness training to your entire staff, every month, without impacting your daily operations.


Phil Cooper

Phil Cooper is a serial entrepreneur and co-founder of Skysail Software. He co-founded NetTech, an IT services company in 1995 which he and partner Jeff Franks sold to MapleTronics Computers in 2009. He currently serves as CIO for MapleTronics and is the Chief Software Architect for Skysail Software. His years in the IT services field have provided ample opportunity to work with physicians and administrators in the medical community. This first hand experience has helped him understand the struggles that many independent practices face complying with HIPAA, especially the Security Rule. Along with Franks, Cooper decided it was time for the right tools to be built to assist the medical community with making HIPAA compliance manageable. So, Skysail Software was born. He has also served seven years on the board of Riverside Christian Academy, five as Board Chair, and has noted that it has been "one of the most significant and rewarding experiences of my life". He is an avid aviation buff and once had a rock band called Gantry...yes, along with Franks. Phil and his wife Debbie have two boys, Tyler and Ben, and reside in Fayetteville, TN.