A deteriorating condition

The risks associated with data breaches for healthcare organizations are becoming greater and ever more complex. Katherine Keefe of Beazley Breach Response Services explores the challenges health bodies face and how to address them.

For healthcare organizations, the Department of Health and Human Services (DHHS) Annual Report to Congress on Breaches of Unsecured Protected Health Information for 2009 and 2010 makes alarming reading. Breaches of protected health information (PHI) have occurred in a bewildering range of ways. And it’s getting worse.

The Healthcare Information and Management Systems Society’s (HIMSS) Analytics Report: Security of Patient Data shows that the number of respondents reporting data breaches has increased to 27 percent in 2012, up from 13 percent in 2008. More than 21 million individuals, or almost 7 percent of the US population, have been affected by large health data breaches since the DHHS’s Office for Civil Rights (OCR) began publicly reporting such incidents in September 2009.

Figures for 2010 show theft as the leading cause of large healthcare data breaches, both by number of incidents and numbers of individuals affected.


The original source of what has become a significant legislative push to protect personal health information is the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, which in 2003 established national standards to safeguard PHI. The privacy rule was quickly followed by the HIPAA security rule which targeted electronic PHI.

Now is a good time for healthcare providers and health plans to refocus on and assess their HIPAA-related exposure, for several reasons. The costs and consequences of non-compliance have increased. We are seeing more enforcement actions, audits, and even criminal indictments. More specifically, companies should be aware of:

• Increased fines: The Health Information Technology for Economic and Clinical Health (HITECH) Act has raised the ceiling on HIPAA penalties, expanding the range of potential fines from $100 per violation with a $25,000 annual cap for identical violations, to $50,000 per violation up to a $1.5 million annual cap for identical violations.

• State attorneys general are now actively prosecuting HIPAA cases due to a grant of enforcement authority under HITECH.

• Audits: The HITECH-mandated audit process is now in high gear as KPMG, on behalf of the OCR, has begun to audit many covered entities to assess compliance with HIPAA.

• Breach notification investigations: HITECH amended HIPAA to require covered entities to notify individuals of breaches of PHI. Breaches affecting 500 or more individuals must be reported to OCR and disclosed to the news media. Such notifications are triggering regulatory investigations and media scrutiny.

• Criminal indictments: In 2011, the federal government indicted several individuals for alleged criminal violations of HIPAA, further evidence of the greater enforcement and monitoring underway.


The HITECH Act made clear that business associates are subject to direct regulation under HIPAA, meaning that they are just as vulnerable to HIPAA enforcement as covered entities. This was underscored this summer, when the Minnesota attorney general announced the first ever settlement with a business associate. This business associate—a debt collector who also managed revenue operations for hospital clients—had a laptop that allegedly contained unencrypted sensitive data on 23,000 patients stolen from an employee’s rental car.
In addition to pursuing violations of state consumer protection and debt collection laws, the attorney general used HITECH’s expanded enforcement authority and business associate requirements to pursue HIPAA violations against the business associate. The case was ultimately settled with the business associate paying approximately $2.5 million and agreeing to stop doing business in Minnesota for two years.


While the following steps are not all-encompassing, they are a good starting line for businesses working to ensure HIPAA compliance.

• Be clear on where the organization stands with regard to HIPAA and the HITECH Act. ‘Covered entities’ under HIPAA include healthcare providers and health plans; ‘business associates’ include organizations that provide services to health care providers or health plans and access customer PHI in the course of providing those services. 

• Before any PHI is disclosed, covered entities need to be sure that they have HIPAA-compliant business associate agreements in place with vendors; business associates need to be clear on their obligations under these agreements.

• Covered entities and business associates must implement robust HIPAA policies and procedures. This includes educating and training employees on policies and procedures to safeguard both paper and electronic PHI. 

• Consider encrypting PHI—on all devices, including mobile devices. Appropriately encrypted data does not trigger HITECH’s breach notification rules.

• Stay attuned to changes in law and regulations. New HIPAA regulations are expected to be issued soon by OCR which will address many compliance obligations such as business associate agreement requirements, enforcement issues and breach notification requirements.
