
September 20, 2016

OCR keeps a close eye on HIPAA breaches

According to an announcement emailed on 18 August 2016 by the U.S. Department of Health and Human Services' Office for Civil Rights (OCR), small breaches at covered entities and at third parties such as business associates and subcontractors are now a matter of concern. Breaches involving mobile apps are included, which increases the need for HIPAA mobile app security testing.

From August 2016, breaches of poorly secured Protected Health Information (PHI) will be investigated more widely under HIPAA. This means that covered entities and business associates need to include their mobile apps in HIPAA security testing and must report any resulting small breaches.

Until now, OCR has routinely investigated, and provided assistance for, breaches affecting more than 500 individuals. Its regional offices have had the discretion to decide whether or not to investigate small breaches (those affecting fewer than 500 individuals).

There is no public record of the percentage of small breaches that OCR has investigated; however, OCR received more than 230,000 small-breach reports between September 2009 and June 2016. Over the same period, it received roughly 1,600 large-breach reports.

Under the new approach, the regional offices of Health and Human Services will decide whether to investigate a reported small breach based on the following factors:

  • The size of the breach.
  • The nature of the breach, such as improper disposal or theft of unencrypted PHI, or detection of an unwanted intrusion into the network. Note that theft of a device holding PHI that is properly encrypted (with the keys not also compromised) is treated very differently from theft of unencrypted PHI, so encryption of PHI at rest, including on mobile devices, matters directly here.
  • The volume and sensitivity of the PHI involved.
  • Whether similar concerns have arisen from past breach reports by the same covered entity or business associate.
  • A lack of sufficient data on small breaches for comparing a covered entity or business associate with its peers.

This initiative will allow OCR to understand what typically causes breaches of unsecured PHI and how those causes relate to HIPAA compliance failures. Covered entities and business associates now carry greater responsibility: not only reporting small breaches, including those involving mobile apps, but also being ready to respond to an investigation with documentation of the corrective actions taken. They also need to be able to produce an up-to-date risk analysis and risk management plan; mobile app security testing results are a natural input to both.

Entities that report no small breaches at all will also attract attention. In that case they will need to show that they have an effective breach detection system in place and that, despite it, no breaches were discovered.

It is clear that OCR is scrutinizing these breaches more closely and is raising questions about the security measures of covered entities and their third parties.

Codified Security can help you with HIPAA mobile app security testing.