With all the talk about HIPAA over the past decade, most people in the U.S. now expect their confidential health care information and records (collectively “PHI”) to be just that…confidential. We expect our providers to assure its privacy and security. But this is not always the case. Read about this incident.

In September 2008, Parkview Hospital in Ohio took custody of approximately 5,000 to 8,000 patient records pertaining to a retiring physician’s medical practice. Parkview was considering purchasing some of the physician’s practice and was assisting the retiring physician to transition her patients to new providers. By taking custody of the PHI, Parkview assumed the responsibility for the private and secure management of the retiring physician’s PHI. However, on June 4, 2009, despite having custody of the records and with knowledge that the retiring physician was not at home at the time of the incident, Parkview employees left 71 cardboard boxes of medical records on the driveway of the physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue. This action exposed the PHI to unauthorized access and constituted a HIPAA breach.¹

The retiring physician reported the breach to the Department of Health and Human Services (HHS), resulting in an investigation by its Office of Civil Rights (OCR). Parkview cooperated with the OCR investigation. The outcome was an $800,000 civil money sanction and a corrective action plan requiring the revision of Parkview’s policies and procedures, staff training and regular reports to OCR on compliance with the corrective action plan. The extended regulatory oversight and related costs for auditors can be a greater sanction and intrusion into daily operations than any sanction check that has to be written.

HIPAA and HITECH mandate that healthcare providers and managing healthcare entities are responsible for the privacy and security of PHI from the time it is created until the time it is securely destroyed. This includes implementing and monitoring PHI policies and procedures as well as training and monitoring staff compliance with them. Failure to do so can subject healthcare providers or entities to sanctions and regulatory oversight through corrective action plans. HIPAA regulations have been in effect since 2003. HITECH regulations, enacted in 2009, have heightened sanctions for failing to protect PHI, including added sanctions up to $1.5M per year for willful neglect levied against covered entities that can demonstrate no reasonable efforts towards HIPAA/HITECH compliance.

It’s hard to believe that breaches such as the above incident are still taking place. But the OCR confirms that it is quite busy with similar investigations. It is starting up its random audit program again in October 2014 to get the message across that HIPAA/HITECH compliance is mandatory. The message from HHS is that sanctions will increase when non-compliance is identified such as in the case cited above and those noted on its Wall of Shame at www.hhs.gov.

¹See $800,000. HIPAA Fine- Blatant Violations Continue to Occur, www.Medlaw.com, posted June 25, 2014

Data thieves are feasting at the healthcare information and data buffet. The healthcare industry needs to act quickly to manage this problem.

Last year, the healthcare industry experienced more data breaches than any other industry. There were 269 incidents reported with more than 8.8 million healthcare records compromised, equaling 43.8% of breaches reported across relevant industries, according to the Identity Theft Resource Center (ITRC). So far in 2014, ITRC found that healthcare organizations are trending even higher representing 45.8% of breaches industrywide. And these statistics are only for breaches that have been reported.

The vulnerability of healthcare information and data is increasing. The FBI warned healthcare providers that their data security systems lag behind other industry sectors. This warning asserts that the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors. Therefore, the possibility of increased cyber intrusions is likely.

The results of risk analyses performed across the healthcare industry, including the results of the initial Office of Civil Rights (OCR) audit program, point to a lack of investment by healthcare in privacy and data security, a lack of attention to these issues at the executive level, and a tendency to spend only minimal resources to implement HIPAA/HITECH compliance plans. As the above statistics confirm, healthcare remains not only vulnerable but a preferred target for cyber criminals.

Why are cyber criminals focused on healthcare? Quite simply, that’s where the money is. The value of medical data is proving to be far more lucrative than other types of personal data. For example, a single person’s medical identity information can fetch hundreds of dollars compared to just a dollar or two or even less for a Social Security or credit card number, according to experts. Such medical identity information can provide access to prescriptions for drugs that can be re-sold, and can cover expensive medical treatment for the wrong party.

Healthcare data breaches are not only the work of shadowy hackers working out of foreign countries. In as many cases, the breaches are the work of healthcare providers’ own employees. Failure to invest in and implement verifiable privacy and security programs within the organization itself which include meaningful and appropriate workforce training programs is costing healthcare providers millions of dollars in sanctions and corrective action settlement agreements to combat carelessness such as loss of laptop computers and other devices with unencrypted data and unauthorized snooping into or copying patient records and data. Breach reports and complaints are patient and consumer driven and can be made directly to the Department of Health and Human Services (HHS) by disgruntled individuals. Breaches can also result from criminality by an employee acting on his or her own to steal healthcare data outright for personal gain.

Also, as electronic health records systems (EHRs) become more prevalent and sophisticated, the risk of medical identity theft continues to grow. Providers are accountable for data security efforts to remain on top of current threats, identify emerging problem areas and stay ahead of the myriad of new threats. Further, HITECH has pulled Business Associates and Business Associate sub-contractors into the HIPAA/HITECH regulatory realm.

Healthcare, as an industry, has a long way to go to match their counterparts in the financial and banking sectors, which have invested heavily in data privacy and security. These industries experienced only 3.7% of data breaches and less than 1% of compromised records. Excuses are no longer being tolerated by HHS, willful neglect (failure to demonstrate any effort at HIPAA/HITECH compliance) is being sanctioned at a rate of $1.5 M per year on top of corrective action settlements, and random audits by OCR are beginning again in October of 2014. Now is the time to act.

For assistance with your HIPAA/HITECH compliance efforts, contact Jim Wynne at jwynne@meritcd.com or by phone at 610-225-0193.