HIPAA has been around now for nearly 20 years. The HIPAA Privacy Rule, which governs the use and disclosure of protected health information in any form (paper, electronic, or spoken), has been in force since the early 2000s. The HIPAA Security Rule, which requires administrative, physical, and technical safeguards for the collection, transmittal, and storage of electronic patient records, has been in force for nearly a decade. So one would think that reported HIPAA breaches would be on the decline. Unfortunately, that is not the case:
A recent article by FierceHealthIT, “New year, same old health data breaches,” shows that the number and severity of HIPAA security breaches are, unfortunately, still going strong. The most common cause continues to be loss or theft of portable devices and media: laptops, USB drives, backup tapes, and the like. Many of those thefts occur off-premises, in an employee’s home or car, for example. In one case reported, a billing department employee (an insider with legitimate access) was accused of identity theft, and in another, the breach was enabled by an employee of a Medicaid contractor falling for a “social engineering” scam run by an outside attacker.
Many of the breaches occur at large, presumably well-equipped and sophisticated healthcare organizations. One would think that such organizations would be prepared and would take the necessary precautions to prevent or avoid such breaches. Unfortunately that is not the case, and some of the figures are astronomical.
As noted by Becker’s Hospital Review, Sutter Health in California faces billions of dollars in lawsuits, with one class-action suit alone seeking damages of $1,000 per record. Given that the Sutter episode involved the theft of a single unencrypted desktop computer that held over 4 million patient records, the potential financial impact is devastating. And the secondary financial impact of the public relations fallout can be many times greater.
The potential damage is not limited to large metropolitan hospitals, organizations with millions of patient records, or facilities with high public exposure. According to SecurityInfoWatch, an Idaho hospice recently agreed to pay $50,000 for a breach involving the theft of a laptop and only about 400 patient records. This shows that even a small organization with limited public exposure and relatively few patients can be hit hard. And we recently worked with a small three-provider group that was reported to HHS by a disgruntled former employee. Fortunately, in that case we were able to help the organization avoid any fines and sanctions, because the HIPAA security gaps had already been identified and remediation planning was already underway.
What do these episodes have in common, and what can be done to make sure your organization is not faced with a potential “HIPAA cliff” episode? The steps to follow are surprisingly straightforward, and it does not take a million-dollar consulting engagement to avoid multi-million-dollar fines and sanctions. In fact, most issues can be avoided by implementing procedures that represent IT best practices anyway, along with employee policies that are just plain common sense:
1. Become familiar with the HIPAA Security Rule and do a complete inventory and risk analysis of all hardware, software, networking, and data storage systems that create, receive, maintain, or transmit electronic PHI. This risk analysis is itself one of the primary Security Rule requirements, and it forms the basis for evaluating your organization’s compliance or non-compliance.
2. HIPAA Security (which governs electronic records and the IT systems that hold them) is a different discipline from HIPAA Privacy (which governs who may use and disclose protected health information, in any form). A privacy officer’s policy review does not tell you whether your servers, network, and endpoints are actually safeguarded. You need a separate Security Rule assessment and compliance plan, performed by people with specific HIPAA Security and IT security expertise.
3. Do not assume that the stated HIPAA compliance of your EHR vendor or system (or PACS or any other healthcare software system) is sufficient. HHS does not certify products as “HIPAA compliant”; a vendor’s claim means the product can be configured and operated in a compliant way, not that your deployment of it is. Virtually every reported breach involved such a “HIPAA-compliant” software package, and virtually none of the breaches was caused by the software; each was a failure of other aspects of the Covered Entity’s systems or processes. In other words, the EHR system worked as advertised; something else caused the breach.
4. Do not put any patient data on laptops or any other form of portable media. This should not only be a matter of written policy and training; you should configure your IT systems so that it is not possible (for example, by blocking writes to removable storage on managed endpoints and disallowing file transfer out of remote sessions). The vast majority of breaches occurred when employees were doing some form of “sneaker-net,” downloading or making a local copy of protected health data to work on it locally. The irony is that in most cases the use of and access to that data was legitimate, such as a manager or director making a local copy to work on billing or reports. The data should stay on protected servers behind the firewall and be accessed remotely and securely, never copied to a local device or media drive. Where a portable device genuinely must hold PHI, encrypt the whole disk in line with HHS guidance: under the Breach Notification Rule, properly encrypted PHI is not “unsecured,” so the loss of an encrypted laptop is not a reportable breach the way the Sutter and Idaho losses were.
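Items 1 and 4 both rest on knowing whether PHI has in fact leaked onto workstations and laptops. The script below is an added example for this article (it is not the author’s tooling, and the sample files it scans are constructed here): it walks a directory, counts indicators of PHI in text-like files (structurally valid US Social Security numbers, MM/DD/YYYY dates of birth, and a hypothetical “MRN nnnnnnnn” medical record number format you would adapt to your own EHR), and flags any file that crosses a threshold. Run it against the user profile directories of endpoints as part of the risk analysis, and again after the removable-media and local-copy controls are in place to confirm they are working.

```python
"""Find files on local storage that look like copies of PHI.

Added example, not from the original article. Indicators checked:
  * SSN in nnn-nn-nnnn form with the SSA structural rules (area not
    000/666/9xx, group not 00, serial not 0000)
  * date of birth as MM/DD/YYYY (month and day ranges checked only)
  * a HYPOTHETICAL medical record number format "MRN 00482913";
    adjust MRN_RE to the format your EHR actually emits
A file is flagged when its indicator count reaches MIN_HITS, so a lone
phone-number-like string does not raise an alert on its own.
"""
import os
import re
import tempfile

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
MRN_RE = re.compile(r"\bMRN[:#\s]*(\d{6,10})\b")  # hypothetical MRN format
TEXT_EXT = {".csv", ".txt", ".tsv", ".xml", ".json", ".log", ".hl7"}
MIN_HITS = 3


def scan_text(text):
    """Count PHI indicators in a string: {"ssn": n, "dob": n, "mrn": n}."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "dob": len(DOB_RE.findall(text)),
        "mrn": len(MRN_RE.findall(text)),
    }


def scan_tree(root, min_hits=MIN_HITS):
    """Walk root; return sorted [(relative_path, counts)] for flagged files.

    Only text-like extensions are read; binaries are skipped rather than
    decoded, which keeps the scan fast and avoids noise from image data.
    """
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                counts = scan_text(fh.read())
            if sum(counts.values()) >= min_hits:
                flagged.append((os.path.relpath(path, root), counts))
    return sorted(flagged)


# Constructed sample tree standing in for a manager's local "sneaker-net"
# copy of a billing export, an innocuous note, and a binary file that
# happens to contain SSN-shaped bytes (skipped by extension).
SAMPLE_FILES = {
    "billing/q3_export.csv": (
        "mrn,name,dob,ssn,balance\n"
        "MRN 00482913,Doe Jane,03/14/1962,219-09-9999,412.50\n"
        "MRN 00519377,Roe Richard,11/30/1978,587-61-0231,88.00\n"
    ),
    "notes/README.txt": "Quarterly report template. Contact ext. 4102 for help.\n",
    "archive/photo.jpg": "\xff\xd8 not text 123-45-6789 123-45-6780 123-45-6781\n",
}


def demo():
    """Materialise SAMPLE_FILES in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, counts in demo():
        print(f"FLAGGED {rel}: {counts}")
```

In practice you would point `scan_tree` at each workstation’s profile directory (or run it from an endpoint management agent) and feed the flagged paths into the remediation list; the pattern set is deliberately small so that false positives can be reviewed by hand, and the threshold is the knob to turn if it proves too noisy.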
HIPAA Security is actually a good thing, and compliance will make your organization, and your business, more secure and more functional. It will also keep your organization out of the courtroom and out of the newspaper.