The Healthcare Insurance Portability and Accountability Act (HIPAA) was adopted in 1996. It seeks to ensure the secure management of healthcare information and outlines guidelines that all healthcare organizations and employees must follow to manage protected healthcare information (PHI). Under HIPAA, PHI is any information that can be used to identify an individual, including:
Contact information
Demographic information
Lab test results
Insurance information
Medical history
As technology continues to evolve, the risks facing PHI also grow. It’s now more important than ever for players in the healthcare industry to comply with HIPAA to avoid costly penalties. To understand the significance ofHIPAA compliance, it’s best to revisit past cases relating to violations. These cases will provide crucial lessons on how to avoid common HIPAA-related mistakes.
Case #1: Allergy Associates of Hartford, Conn.
Hartford-based Allergy Associates was fined $125,000 after a patient complained to the Department of Health and Human Services about the disclosure of her PHI by a physician at the facility to a reporter. An investigation revealed that the physician disregarded advice from the hospital’s privacy officer not to respond to the media regarding claims that the woman had been turned away from the facility for bringing along her service animal. Following the disclosure, Allergy Associates failed to take any corrective or disciplinary action towards the physician.
Lesson Learned
Allergy Associates should have disciplined the physician besides taking corrective action to prevent similar incidents from occurring. Had it done so, the facility would probably not have been penalized. This highlights why healthcare entities should take immediate remediation action when such incidents occur and hold employees responsible for their behavior. Likewise, employees should be trained on media protocols to ensure that PHI is not intentionally or unintentionally disclosed to the media as it happened with Allergy Associates.
Here’s what we know. In the Anthem hack, it is estimated that approximately 80 million records were stolen. The Anthem hackers stole information of both employees and customers, which included names, address, emails, birth dates, medication history, employment details, family relatives and more. But while most hackers steal financial data for spending sprees – these hackers had next-step intentions with the stolen data serving as the basis for phishing emails with attachments for the purposes of installing malware using their official email accounts, gathering even more personal information, and then it was propagated across entire networks. So now what?
Know the facts. According to Privacy Rights Clearinghouse, up until Anthem, since 2006, about 6.6 million records have been exposed from 79 medical-related breaches of hacking or malware type. Last year, Community Health Systems Inc. announced a large data breach of its health system compromising data for 4.5 million patients and now Anthem at the 80 million mark. Attackers like targeting EHRs because the records are highly profitable compared to other forms of information. For example, each credit card data is valued about $1 in the black market. However, according to various sources, a partial or complete EHR can generate $50 to $100 on the black market. The high price is because of the healthcare data includes personal identity information and sometimes carries credit card information along with insurance and personal health information. So, while financial information can be tracked and secured following a breach — the healthcare information cannot be as easily tracked and resolved.
Current mandates. Every EHR provider should safeguard data and information with HIPAA-complaint communication protocols, 128-bit encryption and public key authentication. As per the HIPAA norms of strong grade encryption and authentication, providers should meet all the regulatory requirements enabling security and confidentiality. Scheduled backups of the data are essential to keeping records and information from being lost or destroyed.
Two healthcare organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated Sept. 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.
NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.” NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.
The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the Internet.
Guest post by Scott Walters, client services, INetU.
Whether they are cloud providers, EHR services firms or SaaS providers, technology companies that market to healthcare organizations are considered “business associates” under HIPAA. In the past, that meant customers often asked them to sign agreements assuring that they were employing best practices and would provide breach notifications to help customers maintain compliance.
As of September 13, 2013. however, changes to the guidelines were implemented that mean technology providers are now directly liable to the U.S. Department of Health & Human Services (HHS) for securing any PHI that they’re entrusted with. In addition to the increase in accountability, this first-hand responsibility also brings technology providers under the threat of fines that can now reach well into the millions of dollars.
The Cost of a Breach
The HHS Office for Civil Rights (OCR), the main enforcement body for HIPAA, has been gradually increasing fines for organizations that violate HIPAA compliance. The penalties have totaled well into the millions, with several organizations in the past few years receiving fines in excess of $1.5 million from OCR. In fact, according to data from the Department of Health and Human Services, HIPAA-covered entities and now business associates have paid more than $18.6 million to date to settle alleged federal HIPAA violations with $3.7 million of that coming from organizations in the last year alone. On top of this, there are often state and private legal settlements involved.
The Massachusetts Eye and Ear Infirmary (MEEI) is among the organizations that have experienced dramatic penalties firsthand, incurring fines of $1.5 million in 2012 after the theft of a laptop from an MEEI doctor who was traveling to Asia ended up exposing PHI. Blue Cross Blue Shield of Tennessee also paid $1.5 million in the same year following a breach of 1 million patient records stemming from the theft of 57 unencrypted hard drives from a leased training facility.
These two examples not only show the potential cost of a breach, they also demonstrate another quality that reaches across many of the violations to date – the fact that many of the biggest healthcare and HIPAA breaches are caused by unencrypted data and local storage of PHI. As technology providers offer services to manage this type of data, the onus to meet HIPAA regulations is more frequently falling on their shoulders. The upside to this is that, with some forethought, SaaS and EHR providers have the opportunity to make their cloud services even more HIPAA ready than their customers’ on-premise solutions.
Guest post by Darren Leroux, senior director of product marketing, WinMagic.
Gone are the days where all personal health information solely lived in giant filing cabinets behind a receptionist’s desk or in the administrative office of a hospital. Today, patient data resides everywhere – desktops, laptops, smartphones, tablets and USB drives. Understandably so – given the rise of mobile computing and bring-your-own-device (BYOD) policies in healthcare, the once straightforward process of protecting patient’s personal health information has since evolved into a complex and overwhelming undertaking.
Just the Facts
According to a recent study, 81 percent of healthcare organizations are now allowing employees and medical staff to use their personal laptops and mobile devices to connect to provider networks or access company email. Interestingly enough, the same study found that of that 81 percent of healthcare institutions enabling a BYOD strategy, 54 percent did not believe that those devices were secure enough in the workplace; 65 percent of data breaches reported to the Ponemon Institute occurred on laptops and mobile devices over the last five years — it’s no wonder that more than half of those surveyed aren’t confident in the security of their devices
When we refer to personal health information at risk, we’re not just talking about historical health records – the potential for a data breach casts a much wider net, including patient billing information, clinical trial data and even employee information like payroll numbers. With so much sensitive, unprotected data up for grabs, we’re inclined to ask ourselves – how? How is this significant rise in healthcare data breaches even possible, and how do we stop this from continuing?
Below are the top three gaping security holes in remote healthcare data practices that are answering our question of how is this rise in breaches in possible:
With the mandate of electronic health records (EHR) across the nation, hospitals and physicians are researching, evaluating and purchasing EHR Systems. These systems range in price from affordable with minimal investment to the Rolls Royce version.
Many hospitals are investing large capital dollars for EHR programs. Hospitals must choose a vendor that will meet the organization’s needs. Physicians may choose systems that are more narrowly focussed to the needs of their offices and their specialization. In other words, interoperability may be addressed for hospital EHR systems with their more diverse internal users and may not be a major consideration for a non-network physician. Even with anEHR system in place, they do not necessarily make information sharing easier since many of them do not have interoperability outside of their networks.