In the past two years, I have done over thirty blogs for Physicians Practice. Many of those blogs have covered HIPAA Security. In fact, my first blog for this year was about a HIPAA breach at a small hospice in Northern Idaho. It was reported that a laptop containing 441 patient records was stolen, resulting in a fine of $50,000.
And now, here’s another blog on HIPAA. Really?
Although it is disturbing that we are even still talking about HIPAA breaches, it is even more disturbing to keep seeing massive numbers of breaches whose root causes continue to be the most preventable, avoidable, and otherwise bone-headed behaviors. The main issues are not technical; they are caused by humans. And it’s a pretty safe bet that in every case there were written policies and perhaps even formal training on the HIPAA Security Rule, yet these breaches still continue to occur with greater frequency and severity.
HealthcareIT News recently published the top 10 HIPAA breaches of 2012. There are several things about this list that are striking:
1. The total number of records involved in the top 10 breaches was around 2 million records.
2. The organizations spanned the entire spectrum of healthcare, from hospitals, home healthcare, healthcare transportation, healthcare consulting and even two state Medigov agencies. (Can the federal government sue state agencies for HIPAA violations?)
3. The single most common cause (6 out of 10 cases) involved lost or stolen laptops.
4. An HHS employee e-mailing nearly a quarter million patient records using an unencrypted e-mail system accounted for another of the breaches.
5. Even though outside hacking is typically thought of as the greatest risk, that was the root cause in only 1 of the 10 events.
6. Inappropriate internal access (access by individuals who had no valid business or clinical reason) accounted for 1 of the events.
7. Loss of backup tapes was the cause of the last remaining breach.
That was all way back in 2012. Surely by now everyone has figured out HIPAA and has fixed all the issues, right?
Unfortunately the breaches continue, and if January is any indication, this year is going to be a record year for the frequency and severity of HIPAA breaches. In addition, unfortunately, it looks like the most common — and completely avoidable — causes are going to continue. And the unfortunate victims are apparently going to run the gamut from high-profile, nationally-recognized healthcare organizations to small, little-known entities in the suburbs. However, in light of newly-strengthened breach notification laws, both are going to end up in the news.
Here are just two recent examples from the start of 2013:
Stanford’s Lucile Packard Children’s Hospital just announced it was notifying 57,000 patients of a massive HIPAA breach. What was the cause? Was it sophisticated hackers? Nefarious identity thieves? No-good internal staffers? Nope. It was a laptop stolen from a physician’s car. If the same parameters are applied as in the Idaho hospice breach, Stanford may be looking at a fine of around $6.5 million. Given that this was apparently Stanford’s fourth reported breach, it will very likely be higher. And that doesn’t count the loss of confidence and goodwill and other “soft costs.”
Proving that HIPAA Security breaches are a good way to achieve national recognition for smaller organizations too, Gibson Hospital, a 70-bed facility in Southwest Indiana, just reported a HIPAA breach involving 29,000 patients. The cause in this case? Internet fraud? The Stuxnet worm? WikiLeaks? A disgruntled ex-IT employee? Nope. It was a laptop stolen from an employee’s home.
HIPAA Security went into effect in April 2005, nearly 10 years after HIPAA Privacy (HIPAA Security governs digital patient records, whereas HIPAA Privacy governs paper records). Both of them were significantly beefed up in 2009, as a part of ARRA/HITECH. (The fines went from a maximum of $25,000 to a maximum of $1.5 million, an increase of 5,900 percent. That’s what I would call significant “beefing up.”) They were significantly beefed up again with the latest round of new HHS regulations (totaling 568 pages).
However, you don’t need ARRA/HITECH 2009 or HHS 2012 to solve these problems. You need to never, never, ever, ever, put patient data of any kind on any laptop, portable drive, tablet, smartphone, CD, DVD, USB key, or any other portable device. Your IT system can have 20 layers of security, and your EHR, EPM, PACS, eRx, lab, or any other healthcare software package can use 2-factor authentication with 16-character alphanumeric passwords, but as soon as you or any of your employees put electronic patient health information (PHI) on a laptop, you are just begging to become the next national HIPAA headline.