The threat of data breaches has troubled the healthcare bar since the Health Information Technology for Economic and Clinical Health (HITECH) Act became effective in 2009.
We knew that at some point the boogeyman would come to life. Witness the Target data breach, which dominated the news for several weeks this past December; Target is still reeling from its aftermath. While Target's difficulties are newsworthy because of the sheer volume of records the thieves were able to access, security breaches are not uncommon in our digital society, and healthcare has certainly not escaped the digital revolution. Quite the opposite: because of the increased use of healthcare technology, such as electronic health records (EHRs), providers treat patients and deliver services in ways never imagined 20 years ago. With these advances, however, the industry faces an increased threat to patient health information. In addition to information that could damage a patient's reputation, EHRs contain information that, in the wrong hands, can do serious damage to a patient's financial health. The Federal Trade Commission reports that identity thieves use medical information to receive care, obtain prescription drugs, and file fraudulent insurance claims. EHRs also contain the kinds of personal details (dates of birth, addresses, family names) that help thieves answer the security questions used to reset passwords and verify identity with other institutions.
Given the prevalent use of EHRs, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has increasingly turned its focus to breach prevention and enforcement under the HIPAA Security Rule and the HITECH Act. Early this year, OCR reported that since 2009 it has received over 800 reports of breaches affecting approximately 29.3 million individuals in total. As part of its enforcement efforts, OCR has levied civil monetary penalties on providers and plans that failed to implement appropriate safeguards for electronic health information. Notably, in 2013, WellPoint, Inc. agreed to pay $1.7 million to resolve claims that it failed to adequately protect electronic health information stored in an online database that was left accessible to the public over the Internet. Additionally, Affinity Health Plan agreed to pay $1.2 million to OCR following the discovery that it had returned a leased photocopier without first wiping the patient health information stored on the machine's hard drive.
Healthcare providers can expect the OCR enforcement trend to continue, if not increase, in 2014. OCR estimates that it will collect $5.5 million in penalties in fiscal year 2014. Further, the director of OCR, Leon Rodriguez, has stated that he plans to implement an audit program aimed at ensuring that providers are complying with the Security Rule. In fact, OCR recently announced that it will randomly survey 1,200 organizations to determine which of them are suitable candidates for an audit. Additionally, in its 2014 Work Plan, the HHS Office of Inspector General (OIG) included initiatives to review the security controls hospitals use when storing health information on portable devices and media, including laptops, USB flash drives, and backup tapes. The OIG will also review the security controls of medical devices, such as dialysis machines and radiology systems, that are connected to EHRs and hospital networks, to determine whether the health information stored on such equipment is adequately protected. The OIG is not alone in its concern for the security of medical devices: developers have created an external firewall for medical devices that a patient can integrate into a cell phone or wear as a necklace or bracelet.
In response to the ever-growing need to protect patient health information, the technology industry continues to develop methods to protect it efficiently and effectively. Software that allows healthcare providers to communicate securely by text and email is becoming more prevalent. For example, Andrew A. Brooks, a surgeon, founded TigerText, a secure mobile messaging platform designed specifically to let healthcare professionals text one another safely. Short of implementing new technologies, however, healthcare providers can take certain steps to ensure that they are adequately protecting patient information. Providers should conduct a risk analysis at least annually, and again whenever their environment changes materially (a new EHR module, new connected devices, a move to outsourced hosting), to identify weaknesses in their security safeguards and in their policies and procedures. An effective risk analysis not only identifies each gap in security but also rates the level of risk associated with it, so that the provider can prioritize fixes and updates according to that risk rather than addressing them in the order they were found. Additionally, providers should periodically retrain their workforces to promote a culture of compliance and to ensure that employees understand why it matters. Finally, if a breach does occur, the provider should act quickly and proactively to address it. An appropriate response includes investigating the breach, making any required notifications (to affected individuals, to HHS, and, where applicable, to the media) within the deadlines the HITECH breach notification rules impose, mitigating any further harm, and updating security safeguards to prevent a recurrence.
Technology has changed nearly every facet of society, including healthcare delivery. EHRs improve care and decrease costs, but they also place highly sensitive information at greater risk if not appropriately protected. And likely, as evidenced by recent OCR and OIG initiatives, the government mandate to protect patient health information will only intensify. As such, healthcare providers must continue to adapt and improve the means through which they protect patient health information.