HHS Organization Restructuring and Study on Effectiveness of Email Warnings in Deterring Insider Breaches

HHS Restructuring Needed to Increase Efficiency of HIPAA Enforcement

The U.S. Department of Health and Human Services (HHS) has restructured its Office for Civil Rights (OCR) and established new divisions that will help strengthen enforcement of HIPAA and civil rights regulations and address the current backlog of complaints and investigations. OCR is the primary law enforcement arm of HHS and is responsible for enforcing 55 civil rights, conscience, and privacy statutes, including HIPAA (Health Insurance Portability and Accountability Act) and the HITECH (Health Information Technology for Economic and Clinical Health) Act.

In a new report to Congress, OCR disclosed that its caseload has grown significantly in recent years while appropriations have not increased, which has put the office under considerable strain. Reported data breaches rose 58% from 2017 to 2021. Complaints about potential HIPAA violations also increased 25% year-over-year, to 34,077 in 2021. Complaints about civil rights violations rose 69% from 2017 to 2022. In 2022, OCR received 51,000 complaints, 66% of which alleged HIPAA violations, 27% alleged civil rights violations, and 7% alleged conscience/religious freedom violations.

To ensure complaints are investigated promptly, HHS has created three new divisions within OCR: a Policy Division, a Strategic Planning Division, and an Enforcement Division. The Enforcement Division will investigate HIPAA complaints, concentrating on cybersecurity breaches, which have surged recently to more than 660 in 2020 and over 700 in 2022. Hacking is the cause of around 80% of all reported data breaches.

The Health Information Privacy Division (HIP) has been renamed the Health Information Privacy, Data, and Cybersecurity Division (HIPDC), reflecting its role in cybersecurity and in investigating data breaches associated with hacking. OCR will also reorganize the duties of its other divisions into distinct, crosscutting divisions to improve performance, with staff in those divisions applying their expertise and skills to enforce the law. The new divisions will provide a more integrated functional structure for civil rights, conscience protections, and cybersecurity/privacy protections, with the new framework mirroring other federal civil rights offices, such as the Department of Education's Office for Civil Rights.

OCR still urgently needs additional funding to carry out its responsibilities; nevertheless, the restructuring will allow the office to use its limited resources efficiently. OCR has stated that the Enforcement Division will be a separate division under the leadership of Luis Perez, who served as OCR's Deputy Director for Conscience and Religious Freedom for 4 years. Under Perez, the Enforcement Division will provide critical integration between OCR's regional offices and headquarters to ensure complaints are investigated quickly.

HHS Office for Civil Rights Director Melanie Fontes Rainer stated that the new structure will allow OCR staff to draw on their deep experience and skills to ensure people are protected under the range of federal laws the office enforces.

Email Warnings Are 95% Effective at Preventing Further Unauthorized Access to Medical Records

Defenses must be in place to detect and block cybercriminals' attempts to access healthcare systems; however, not all threats come from outside. Every year, hospitals and medical practices report many data breaches involving unauthorized access to health data by staff members. These range from non-malicious viewing of the records of co-workers, friends, family members, and well-known patients to insider wrongdoing in which patient information is taken for identity theft and fraud or to take to another company. The healthcare sector has historically had a much greater problem with insider data breaches than other industries.

The study, recently published in JAMA Network Open, was conducted at a large university medical center and examined the effectiveness of email warnings in preventing repeated unauthorized access to protected health information (PHI) by employees. Over a 7-month period from July 2018, the medical center's PHI access monitoring system flagged 444 cases in which employees viewed patient health data without authorization. 49% of those employees (219) were selected at random and were sent an email notice on the evening the unauthorized access was identified. The remaining employees received no notification and served as the control group.

The emails stated that the automated system had detected unauthorized access to a health record and informed the employee that this was a privacy breach, since the medical center has a strict policy that prohibits viewing the health data of individuals including friends, family members, co-workers, and acquaintances unless written consent has been obtained. No disciplinary action was taken against employees during the study; however, all employees were afterward disciplined as required by the medical center's sanctions policy.

The study found that just 2% (4 of the 219) of employees who received an email warning reoffended, compared with 40% (90 employees) of the control group. In the warned group, the 4 repeat offenses occurred 20 to 70 days after the first unauthorized access. In the control group, 88% of repeat offenses occurred within 10 days of the first offense, and 17% occurred after 90 days. Immediate intervention was found to be 95% effective at preventing further unauthorized access, and the medical center continues to use email warnings as a key access-control measure.
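The workflow the study describes, as an added illustration that is not the medical center's or Protenus's system: a monitor reads an EHR access audit log, flags record views that have no treatment or billing relationship and no written consent on file, drafts the evening notice, and then measures how many flagged employees access records again after their first flagged event. The audit-log format, the `relationship` field, the consent table and the employee/patient identifiers are all constructed for this example. The final function computes the relative reduction in repeat rate from the study's own counts (4 of 219 warned vs. 90 of the control group, whose size of 225 is inferred here as 444 minus 219), which reproduces the 95% figure.

```python
"""Hypothetical PHI access monitor with an email-warning workflow.

Added example; not code from the medical center, Protenus, or the study.
The audit log, relationship codes, consent table and identifiers below are
constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp|employee|patient|relationship
# `relationship` is an assumed field recorded by the EHR at access time:
# TREATMENT / BILLING are legitimate job functions; NONE means the record
# was opened with no recorded clinical or business reason.
AUDIT_LOG = """\
2018-07-02T09:15:00|e100|p5001|TREATMENT
2018-07-02T12:40:00|e100|p9001|NONE
2018-07-03T08:05:00|e200|p9002|NONE
2018-07-09T17:30:00|e200|p9002|NONE
2018-07-20T10:00:00|e300|p9001|NONE
2018-08-15T11:00:00|e100|p9001|NONE
2018-10-01T14:00:00|e200|p9002|NONE
"""

# Written consent on file (constructed): (employee, patient) pairs.
CONSENT = {("e300", "p9001")}

LEGITIMATE = ("TREATMENT", "BILLING")


def parse_log(text):
    """Parse the pipe-separated log into (timestamp, employee, patient, relationship)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, pat, rel = line.split("|")
        events.append((datetime.fromisoformat(ts), emp, pat, rel))
    return events


def is_unauthorized(emp, pat, rel, consent=CONSENT):
    """Policy check: no job-function reason for the access and no written consent."""
    if rel in LEGITIMATE:
        return False
    return (emp, pat) not in consent


def flagged_events(events):
    """Return only the accesses the policy check flags, in log order."""
    return [e for e in events if is_unauthorized(e[1], e[2], e[3])]


def warning_email(emp, pat, when):
    """Plain-text notice sent the evening the access is detected."""
    return (
        f"To: {emp}\n"
        f"Subject: Unauthorized record access detected\n\n"
        f"On {when:%Y-%m-%d %H:%M} the automated PHI access monitor recorded "
        f"that you opened the record of patient {pat} with no treatment or "
        f"billing relationship and no written consent on file. Under policy "
        f"this is a privacy breach. Do not access the records of co-workers, "
        f"friends, family members or acquaintances without written consent."
    )


def repeat_offenders(flagged, window_days=None):
    """Map each flagged employee to the number of further flagged accesses
    after their first one, optionally counting only those within window_days."""
    first = {}
    repeats = defaultdict(int)
    for ts, emp, pat, rel in sorted(flagged):
        if emp not in first:
            first[emp] = ts
            continue
        if window_days is None or ts - first[emp] <= timedelta(days=window_days):
            repeats[emp] += 1
    return {emp: repeats[emp] for emp in first}


def effectiveness(repeat_warned, n_warned, repeat_control, n_control):
    """Relative reduction in the repeat rate attributable to the warning."""
    warned_rate = repeat_warned / n_warned
    control_rate = repeat_control / n_control
    return 1 - warned_rate / control_rate


if __name__ == "__main__":
    flagged = flagged_events(parse_log(AUDIT_LOG))
    for ts, emp, pat, rel in flagged:
        print(warning_email(emp, pat, ts))
        print()
    print("repeat accesses after first flag:", repeat_offenders(flagged))
    print("within 10 days:", repeat_offenders(flagged, window_days=10))
    print(f"study figure: {effectiveness(4, 219, 90, 225):.1%}")
```

On the constructed log, e300's access is not flagged because consent is on file, while e100 and e200 are each flagged and then reoffend; the 10-day window mirrors the study's observation that most control-group repeats happen soon after the first offense, which is why the notice is sent the same evening rather than in a periodic report.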

The co-authors of the study, Effectiveness of Email Warning on Reducing Hospital Employees' Unauthorized Access to Protected Health Information, are Nick Culbertson, CEO and Co-Founder of Protenus; Dr. Ge Bai, Ph.D., CPA, Professor of Accounting at Johns Hopkins Carey Business School; and John Xuefeng Jiang, Ph.D., Professor, Plante Moran Faculty Fellow, Department of Accounting & Information Systems at Michigan State University.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA