HIPAA Security Has Teeth, So Locate and Secure Your Healthcare Data

The HIPAA Security Rule has gone through two major modifications since it first came out in 2005. As part of the 2009 ARRA/HITECH act, the maximum fines were increased to $1.5 million. In early 2013, the HIPAA Omnibus Bill added significantly to breach reporting and business associate requirements, plus it considerably increased enforcement, including unannounced random audits.

Even with the revisions, most technical requirements have not changed since the original rule went into effect. One of the most important and basic specifications is the very first one:

Section 164.308(a)(1)(ii)(A) "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

The assessment description seems pretty straightforward. However, most practices assume if they are using a certified EHR that meets meaningful use, they are compliant with the HIPAA specifications. However, most of the reported breaches have resulted from ignorance of this first specification, coupled with user behavior that is unfortunately all too common in medical facilities.

The first step is to identify where all your electronic protected health information (ePHI) is located, and then to eliminate the ways users can inadvertently expose this data with risky behaviors. Many people assume their ePHI is just in the EHR or practice management system. To our knowledge, there has never been a reported HIPAA breach involving the failure of an EHR’s software database or security. So you need to take a hard look at all the other places where your ePHI might be lurking:

Laptops: The convenience and portability of laptops makes them a virtual "data magnet" for storing ePHI locally. Many times, managers will download patient data out of their EHR onto a laptop to run reports after hours. Physicians frequently purchase laptops with their own funds, so they don’t perceive they are part of the overall practice’s IT infrastructure, and not subject to HIPAA oversight. One of the most recent HIPAA breaches concerned a physician who had his laptop stolen from his vacation condo in Hawaii. Since this was the third HIPAA breach for this organization, all of which involved the theft of portable, unencrypted devices containing ePHI, the fines are likely to be in the millions.

Workstations: Technically, workstations are not portable like laptops, so you typically wouldn’t think of them walking out the door with ePHI. However, workstations should never be a storage place for ePHI, even temporarily. Users frequently store documents such as patient letters, billing information, spreadsheets, and other items on their workstations - a very bad idea. In one of the largest breach reports to date, a multi-billion dollar lawsuit has resulted from a smash-and-grab theft of a workstation from a locked office of a hospital foundation in California. The workstation contained medical records on millions of patients. Patient data should never be on a user device like a workstation or a laptop. It should be on a secure server in a hardened data center, accessed using thin- or zero-client technology or over a Virtual Private Network (VPN). That way the ePHI is never actually on the local device. Encrypting local hard drives is better than nothing, but the ePHI should not be there in the first place.

Practice websites: To provide more access and information to patients, most practices have set up custom websites. Most of them are just "brochure-ware," with static content that provides general information about the practice for patients and families. If you are going to provide online access to ePHI, generally we have found that EHR-provided web portals are sufficiently secure. However, an ambulatory surgery center in Arizona allowed patients to access their surgery schedule on a custom web site. The problem was that it showed the entire schedule online, including all patients, and the result was a $100,000 fine.

Portable media – USB keys, portable hard drives, backup tapes, etc.: Similar to the laptop situation above, managers and providers alike frequently play "sneaker-net" by downloading patient data onto portable media to transport it from one machine or location to another, rather than accessing it over a secure network. A recent case involving USB key reported it had been lost somewhere between Salt Lake City, Denver, and Washington D.C. That’s quite a haystack in which to find a needle, and it resulted in the termination of a "terrific employee." While transporting backup tapes to offsite storage facilities, there have been many examples of HIPAA breaches when backup tapes have been lost or stolen, either in transit or in storage. This last scenario is ironic, since one of the requirements of HIPAA Security is creating and preserving backup copies of ePHI data, so in the process of complying with HIPAA, it enabled a breach to occur in a different way.

E-mail: This represents a big risk. When we do HIPAA assessments, and in normal communications with practices and clinics, we frequently find healthcare workers using free ISP email addresses such as Gmail, Comcast, Yahoo, AOL, etc. These are not secure at all, and should never be used to communicate with or about patients. Secure, encrypted e-mail tools are readily available for healthcare, and most EHR-provided patient portals have secure ways for practices to communicate and exchange information with their patients. Unfortunately many providers and staff also use e-mail to send documents from one system or location to another - or even to themselves. In the Hawaii laptop breach mentioned above, it was determined that one of the methods the ePHI got on the laptop in the first place was via e-mail - many of the documents containing ePHI were PDF attachments in the physician’s e-mail folder.

In summary, the first and most important step in avoiding the ever-increasing and potentially massive HIPAA fines is to identify every possible location and device where ePHI might exist, and then eliminate the ability for users to store or transmit ePHI in an unsecure way. You cannot rely on policies, procedures and user behavior to protect your ePHI. You must appropriately set up and properly maintain your IT systems to keep your ePHI secure, never allowing ePHI to be stored or transmitted insecurely.

Having the best and most secure EHR in the world will not protect you from the much bigger risks resulting from bad user behavior and poor IT system design.