October 15-16, 2018 | Boston, MA

Mission Control: We Have a Breach Problem

Security and compliance teams are your organization’s “mission control centers” for ensuring that the mission of healthcare delivery is conducted safely and effectively. Mission control has been raising alarms of late to notify leadership that information security breaches are on the rise.

In the U.S. and abroad, regulatory agencies are also exercising their power by fining organizations deemed not to be in compliance with data security regulations. State regulations have also increased in frequency and severity over the last few years.

2017 OCR Audit Findings on Healthcare Data Security

OCR recently performed its own reconnaissance mission.  In 2017, OCR issued results from its Phase 2 Audits. The results indicated that a large majority of entities are still lacking adequate data privacy, security risk analysis and data risk management processes to meet HIPAA compliance standards. 

The reported Security Risk Analysis Ratings show that 57% of audited organizations scored below average, and no audited organization received the highest score in this area. Similarly, the Risk Management Ratings show that 73% of audited organizations scored below average (below level 3 on a scale of 1-5).

Privacy areas did show some improvement over previous OCR audits; however, participating organizations were still perceived to be weak in meeting privacy compliance requirements.  The audit revealed that for many organizations, policies and implementation procedures did not sufficiently address privacy access request response processes, breach notification and notice of privacy practices. 

There are several actionable steps healthcare providers, health plans and Business Associates can pursue in bolstering security compliance measures and documenting their progress. Some examples include:

  1. Creating and Maintaining a Security Risk Register
  2. Updating Business Associate (BA) Inventories
  3. Improving Privacy Programs


Creating and Maintaining a Security Risk Register

Creating and maintaining a risk register is a fundamental activity every organization should build into its data security program. A risk register is a method of documenting each identifiable risk event or vulnerability point in the organization and throughout the extended data network (which includes Business Associates). OCR recommends that risk registers be used to track continual monitoring and remediation of identified security risks.


Updating Business Associate Inventories

OCR has indicated an expectation that organizations maintain an up-to-date inventory of Business Associate Agreements (BAAs) including specific data fields such as contact information and website details for the BA.

Managing third-party BA security risk is a complex, ongoing task and should have oversight from stakeholders including the Legal, IT and Compliance areas. As part of this inventory, it is important to document how well vendors are meeting data security requirements. While some BAs can and do obtain security certifications, the majority of BAs still have not achieved relevant attestations such as HITRUST certification or SOC 2 Type 2 reports.

The workload involved in auditing and documenting vendor data security often merits the use of a third-party vendor data management services firm and/or some data automation services.


Privacy Program Improvements

Privacy programs were determined to be lacking across the healthcare industry in the 2017 OCR audit results.  Moving forward, organizations should establish the following Privacy policies and processes:

  • Access to records must be provided to patients on a timely basis.
  • Records must be provided to designated third parties upon patient request.
  • Multiple format options for patient records should be made available (e.g. paper or electronic).


For Breach Notification processes, organizations should include these response measures:

  • Breach notifications should include specific details on the dates the breach occurred and what data was breached.
  • Notify the patient community of the response actions taken by the organization following a breach.
  • Provide affected individuals with information on future mitigation strategies to address data vulnerabilities and properly secure data.


Finally, the Notice of Privacy Practices (NPP) should be posted publicly on the organization’s website and must be easy to access for site visitors.  

These simple steps can improve the organization's standing with its patient base, satisfy important aspects of the HIPAA requirements and increase public trust in the handling of sensitive information.

Mission Control (the Information Security and Compliance teams) for healthcare entities must also stay up to date on the evolving threats and regulatory enforcement trends to help navigate their organizations to safety.

Brian Selfridge leads Meditology’s IT Risk Management Services practice which is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare. He advises the federal government including OCR and HHS and is a frequent presenter and sought-after leader in the healthcare security and compliance industry.  Contact Brian directly at or follow him on LinkedIn.
