Want to Easily Violate HIPAA? Put Patient Data on a Laptop
In the past two years, I have done over thirty blogs for Physicians Practice. Many of those blogs have covered HIPAA Security. In fact, my first blog for this year was about a HIPAA breach at a small hospice in Northern Idaho. It was reported that a laptop containing 441 patient records was stolen, resulting in a fine of $50,000.
And now, here’s another blog on HIPAA. Really?
Although it is disturbing that we are still talking about HIPAA breaches at all, it is even more disturbing to keep seeing massive numbers of breaches whose root causes continue to be the most preventable, avoidable, and otherwise bone-headed behaviors. The main issues are not technical; they are caused by humans. And it is a pretty safe bet that in every case there were written policies, and perhaps even formal training on the HIPAA Security Rules, yet these breaches continue to occur with greater frequency and severity.
HealthcareIT News recently published the top 10 HIPAA breaches of 2012. There are several things about this list that are striking:
1. The total number of records involved in the top 10 breaches was around 2 million records.
2. The organizations spanned the entire spectrum of healthcare, from hospitals, home healthcare, healthcare transportation, healthcare consulting and even two state Medigov agencies. (Can the federal government sue state agencies for HIPAA violations?)
3. The single most common cause (6 out of 10 cases) involved lost or stolen laptops.
4. An HHS employee e-mailing nearly a quarter million patient records using an unencrypted e-mail system accounted for another of the breaches.
5. Even though outside hacking is typically thought of as the greatest risk, that was the root cause in only 1 of the 10 events.
6. Inappropriate internal access (access by individuals who had no valid business or clinical reason) accounted for 1 of the events.
7. Loss of backup tapes was the cause of the last remaining breach.
That was all way back in 2012. Surely by now everyone has figured out HIPAA and has fixed all the issues, right?
WRONG.
Unfortunately, the breaches continue, and if January is any indication, this year is going to be a record year for the frequency and severity of HIPAA breaches. In addition, unfortunately, it looks like the most common — and completely avoidable — causes are going to continue. And the unfortunate victims are apparently going to run the gamut from high-profile, nationally recognized healthcare organizations to small, little-known entities in the suburbs. However, in light of newly strengthened breach notification laws, both are going to end up in the news.
Here are just two recent examples from the start of 2013:
Stanford’s Lucile Packard Children’s Hospital just announced it was notifying 57,000 patients of a massive HIPAA breach. What was the cause? Was it sophisticated hackers? Nefarious identity thieves? No-good internal staffers? Nope. It was a laptop stolen from a physician’s car. If the same parameters are used as in the Idaho hospice breach, Stanford may be looking at a fine of around $6.5 million. Given that this was apparently Stanford’s fourth reported breach, it will very likely be higher. And that doesn’t count the loss of confidence and goodwill and other “soft costs.”
Proving that HIPAA Security breaches are a good way to achieve national recognition for smaller organizations too, Gibson Hospital, a 70-bed facility in Southwest Indiana, just reported a HIPAA breach involving 29,000 patients. The cause in this case? Internet fraud? The Stuxnet worm? WikiLeaks? A disgruntled ex-IT employee? Nope. It was a laptop stolen from an employee’s home.
HIPAA Security went into effect in April 2005, nearly 10 years after HIPAA Privacy (HIPAA Security governs digital patient records, whereas HIPAA Privacy governs paper records). Both of them were significantly beefed up in 2009, as a part of ARRA/HITECH. (The fines went from a maximum of $25,000 to a maximum of $1.5 million, an increase of 5,900 percent. That’s what I would call significant “beefing up.”) They were significantly beefed up again with the latest round of new HHS regulations (totaling 568 pages).
However, you don’t need ARRA/HITECH 2009 or HHS 2012 to solve these problems. You need to never, never, ever, ever put patient data of any kind on any laptop, portable drive, tablet, smartphone, CD, DVD, USB key, or any other portable device. Your IT system can have 20 layers of security, and your EHR, EPM, PACS, eRx, lab, or any other healthcare software package can use 2-factor authentication with 16-character alphanumeric passwords, but as soon as you or any of your employees put electronic patient health information (PHI) on a laptop, you are just begging to become the next national HIPAA headline.
Theresa:
Check out Ericka Adler's blog on this very topic: http://www.physicianspractice.com/blog/hipaa-final-rule-necessitates-pra...
I'd also recommend checking out Ericka's author page (http://www.physicianspractice.com/authors/ericka-l-adler) and I'm sure Marion and some of our other bloggers will be addressing the omnibus rule more in the coming weeks.
Keith L. Martin
Managing Editor
Physicians Practice
Good point, and I'll have an updated blog on it in a few weeks.
The new "modifications" are actually longer than the original Standards, and are still being digested. And the issues highlighted in this blog are not affected by the new regs, except that the fines and sanctions are higher.
Encryption
The implementation of EHRs means that, at least at my job, we can no longer write notes as we see the pt; so I use my tablet to write key info....
Is there any way to protect my patients, myself, and the hospital?
The only way to protect your patients, yourself and the hospital is encryption. Whether that is practical is another question altogether!
Beth Anne Jackson, Esq.
Your EHR doesn't provide a means to do notes within the patient record? That would be the best.
This is a sticky subject because if you put notes on a WordPad type of app and then delete it, yesterday the data can still be retrieved off the device.
If I access patient data in the EHR (cloud-based) from a laptop (for example, updating allergy information), logging in and out again, is there also a risk of a HIPAA security breach?
Patient data on a laptop is the biggest - but not the only - HIPAA risk. There are many other ways, such as using "weak" user names and passwords (we recently had a HC client with "receptionist" as a user and "password1" as the password, and they got hacked). Also writing the user/pw on a sticky note (that's incredibly common in medical practices, unfortunately).
If the practice uses an online records or patient chart service, like Cerner, then they should be safe, as the data isn't on the laptop, but is stored at the Electronic Records and Chart corporation, correct? Since you have to log in via a secure connection (256-bit encryption via web) using Citrix security protocols for logging into a "mainframe" environment, this should be secure for the data transmission, correct? This should also ensure that no data is kept on the "laptop" for unwanted access, correct?
Based on what you said, yes. The problem arises when someone uses an otherwise secure system like the one you describe to "download" data to work on locally, like reports.
Can anyone point to an instance of evil occurring when this patient data is lost? My guess is there have been none.
Why is the "bank" being punished, not the "bank robber"?
I have a mobile office, with one laptop as the ONLY site of my EMR. Being a solo practitioner with no employees, your categorical statement of NEVER using a laptop seems pretty impractical.
Fines (if any) should correlate with the actual harm done.
So how do telecommuters such as myself (NP, making house calls to nursing homes) handle this? I must carry a laptop, and I do my work remotely and on site. How do we best protect ourselves with this? We encrypt our files too, but if it's lost, stolen, or taken during a robbery... these are things you can mitigate, but in this world of working from home and on the go, I am perplexed as to how we can truly be immune from this.
Best to have a system where the data is sitting in a secure facility behind a firewall and the data never goes "out" to the local device, using thin-client technology or a secure hardware VPN.
When you access your bank or brokerage records online, you are just viewing them, not downloading them.
What if your office sends/mails out xray or ultrasound studies on a USB drive to a local radiologist? We do not have digital imaging at this time. We are just starting up our office and in the early process of determining how we should deal with this situation, but any recommendations are appreciated. Thank you in advance.
Any kind of portable media use is asking for trouble. Even encrypting the device is still problematic, because if someone gets hold of it and has long enough they can defeat the encryption. You should set up a secure, encrypted network connection such as a hardware VPN. Even "secure" couriers have had drives stolen while under their control and in transport between locations.
What about all of the Facebook stuff? Isn't that an obvious breach, to have any patient interaction there? Shouldn't those be an almost automatic penalty? I can't believe that there should even be a discussion about Facebook, Twitter and communication with patients.
I'm curious about patient ramifications regarding HIPAA. For example, the patients in our waiting room talk openly and candidly about their conditions with other patients seemingly without care or knowledge of each other, as well as the people who do the same thing in the pharmacy while waiting in line. Patients are able to have diarrhea of the mouth when it comes to their spouses cheating, explosive diarrhea, the litany of medications that they will tell anyone in earshot; why aren't they fined? They often talk about other patients when they are not even in the room, disclosing all sorts of information about their friends, husbands, adult children, etc. I'd also like to hear more about how perverted the "Information" and "Portability" part of this important law has become. I wonder how many people realize that this law was supposed to guarantee a patient's right to be able to access and transfer their patient files; before, a physician could refuse or charge a fee to transfer and the patient had little recourse. It repulses me that this law has morphed into what is now just a governmental agency money laundering scheme targeting the individuals and organizations that are attempting to at least grow with the times. I'd like to see more "Mouth Meter Maids" in pharmacies and grocery store lines handing out thousand-dollar fines anytime Aunt Martha wants to talk about her 'poor sister's cancer condition', spilling all sorts of private health information that has obviously led to such serious injuries, thefts and deaths. Those people need to be stopped!!!! *rolls eyes and decides to scrap EMR and go back to writing undecipherable paper records that only I can understand. PROGRESS!!
If you see patients in a private setting and write progress notes on an iPad and save them on iCloud... is this a HIPAA violation?
It could very well be a big problem.
Generic/public cloud services like iCloud typically have exclusions in their Terms of Use that absolve them from any ramifications of commercial use and compliance with regulations, including HIPAA.
Semi-related HIPAA question. So I've been thinking about blogging and sharing interesting hospital stories. I would use scrubbed and de-identified images, change the stories up slightly, etc. It will be a personal blog, though, and the stories would be written on a layman's level, so not really "education." While I will blog pseudo-anonymously, I could easily be "doxxed" and someone could pretty easily find out where I live and practice, and therefore imply back patient identity, especially if the cases are particularly unique. I'm uncomfortable putting images up in these circumstances but I'm unclear if it would be a technical HIPAA violation. Any ideas?

Your blog really should be about the new omnibus regulation that just came out and all the new requirements.