One way to reduce the number of health information data breaches is for the chief federal enforcement agency overseeing Health Insurance Portability and Accountability Act security violations to share its investigations, a new research report concludes.
Greater transparency by the HHS' Office for Civil Rights (OCR) would go a long way toward driving a national conversation about the massive problem of medical-records exposure, according to Niam Yaraghi, a fellow with the Brookings Institution's Center for Technology Innovation.
The OCR also should conduct more prospective security audits rather than relying on data-breach investigations, and the healthcare industry should embrace cyber insurance as a private-sector way to address security shortfalls.
“The culture out there is very, very punitive about this,” Yaraghi said. That culture made it difficult for him to find people willing to talk about security issues and their experiences with the OCR, even when Yaraghi assured potential sources of anonymity.
“Some of them were very honest; they said part of their job was to reduce the impact and media scrutiny. It signals how they feel,” he said.
Yaraghi and his colleagues initially invited 123 healthcare providers, 66 insurance companies and 94 business associates to be interviewed for their research, funded by the California Health Care Foundation. They were selected from organizations on the public “wall of shame” data breach website.
Just 14 providers, two health plans and six business associates provided interviewees.
Yaraghi said he did not begin his research intending to be critical of the OCR. But he said a common thread in his interviews was the OCR's punitive culture.
“They are the only entity that could effectively have an impact on the culture,” he said. “They could put more information out there, whether they're sure this type of information was exposed, and whether they're guilty or not, and (explain) what corrective actions were proposed.”
Yaraghi said several providers admitted they didn't take the rules too seriously until the OCR stepped up enforcement and penalties. With that in mind, he is not advocating for the elimination of breach investigations and penalties.
He does, however, advocate for bolstering the insurance industry's role.
“I think cyberinsurance is going to solve many of the fundamental problems we have,” he said. “It will do these audits and do them according to the latest advances in technology.”
Cyberinsurance would have an impact similar to malpractice coverage, in which there is an incentive to keep premiums low. Insurance companies could help their clients avoid security breaches and encourage information sharing, he said.
So far, there are 1,541 breaches on the OCR list involving the medical records of nearly 116.6 million individuals. But tens of thousands of smaller breaches have also been reported.
In March, the OCR began its second round of prospective privacy and security audits. Its initial set of 115 audits was completed in late 2012, and concluded with a final report, but details about individual audits weren't made public.