HIPAA Breaches: Minimizing Risks and Patient Fears
IndustryView | 2015
Security experts warn 2015 may be the year of the health care hack: In light of recent high-profile security breaches at medical organizations, they anticipate patient data theft will increase. For this report, Software Advice surveyed patients on their fears of a breach, and explored how software solutions can minimize data security risks. Providers will learn best practices for handling health data to build patient trust, defend against a potential security breach and deal with the fallout after one has occurred.
A pair of massive data breaches is making many health care providers across the country reconsider their security policies. In January, health insurance provider Anthem discovered that hackers had broken into a database containing up to 80 million records. And just six months prior, Chinese cyberattackers stole personal information belonging to 4.5 million patients of hospital chain Community Health Systems.
In an attempt to prevent such situations, the government has laws in place protecting patients and guiding providers on how to safeguard medical data. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act include a series of mandates to uphold the privacy and security of both paper-based and electronic patient records.
The U.S. Department of Health and Human Services (HHS) enforces these mandates through compliance investigations and audits performed by the Office of Civil Rights (OCR). HIPAA violations carry fines from $100 to $50,000, and if a covered entity suffers a data breach affecting more than 500 people, it must be listed in a part of HHS’ website known in the blogosphere as the “wall of shame.”
In this report, we’ll highlight the most effective strategies providers can follow to stay off the “wall of shame” and avoid financial penalties. Of course, there is more at stake than just fines and notoriety—a provider’s privacy and security policies can have a significant impact on patient trust, treatment and retention. As such, this report will also focus on how to mitigate patient concerns.
A combined 45 percent of patients surveyed are “very” or “moderately concerned” about a security breach (which we defined as their medical records and/or insurance information being accessed without their consent, and potentially resulting in identity theft).
We also asked the 45 percent who are very or moderately concerned to list the reasons behind their level of concern, allowing them to express more than one. The highest percentage of respondents (47 percent) say they are concerned about becoming the victim of fraud or identity theft.
Coming in a close second is patient worries about maintaining the privacy of their medical history, followed by a lack of trust in technology’s ability to keep their data safe.
According to Stephen Cobb, a senior security researcher at information technology (IT) firm ESET who blogs about medical data security, these concerns are noteworthy for large health care providers and solo practitioners alike.
“Whether you handle 10 patient records or 10,000, it is important for health care providers to know that patient information is valuable to criminals, and can be sold in criminal markets online,” he explains.
In fact, medical records are reportedly worth 10 times more than credit card information in criminal markets. This is because there are numerous ways these patient records can be used to commit fraud:
Next, we asked respondents whether data security concerns lead them to withhold personal health information from their doctors. We defined “personal health information” as including their own (or their family’s) prescription, mental illness and substance abuse history.
While the majority of our sample (79 percent) say this “rarely or never” happens, it is significant (and unfortunate) that 21 percent of patients withhold personal information from their physicians specifically because they are concerned about a security breach.
Health care lawyer and blogger David Harlow is also troubled by our results. Doctors need to get a full picture of a patient’s health history, he explains. If they don’t, the effectiveness of treatment could suffer—or worse, the patient could be harmed. For example, if a doctor is not told about a patient’s current prescriptions, the doctor could inadvertently prescribe a second medication that has adverse interactions with the first drug.
“That’s an invitation for disaster,” Harlow says. “It means we have a lot of work to do to convince people of the safety and importance of sharing information with physicians.”
Since so many of our respondents are concerned about the privacy and security of their data, we wanted to see how many actually read the Notice of Privacy Practices (NPP) at their doctors’ offices. NPPs are written explanations of how a provider may use and share health information, and how patients can exercise their privacy rights.
Patients usually get NPPs (which typically look like this) during their first visit to a health care provider. HIPAA requires NPPs be presented to all patients, but patients do not necessarily have to read or sign the forms. In fact, 44 percent of our sample tell us they “rarely or never” read NPPs all the way through before signing, and 3 percent simply “never sign” them.
Despite the concerns patients express over privacy, we aren’t terribly shocked to see that only 8 percent of patients “always” read NPPs all the way through before signing. Neither is blogger Casey Quinlan, a health care advocate who has collaborated with the World Health Organization on patient engagement strategies.
“When a patient arrives at a practice, you’re handed a form that is usually written in language that is kind of impenetrable to the average person,” she explains. “You sign it so the practice will deal with you, but half the time you don’t even know what you’re signing.”
Making matters murkier, only 10 percent of our respondents say they are “very confident” they understand their health care providers’ privacy and security policies.
Newer NPP templates are available for providers hoping to guide patients through this important information more effectively. These HHS-recommended templates are more visually appealing and easier to understand than typical, paper-based guidelines.
Harlow says physicians can go the extra mile by proactively educating patients (through newsletters or during office visits) about why security is important and what systems the practice has in place to maintain it.
For example, electronic health record (EHR) software vendor HealthFusion’s MediTouch EHR has information on their secure EHR available online breaking down the specific security features it has in place. Providing patients with similar content on the practice’s own security measures can help build trust in the safety of their data.
A combined 54 percent of respondents say they would be “very” or “moderately likely” to change providers as a result of their personal health information being accessed without their permission.
Digging deeper, we asked patients in that 54 percent if there would be anything their provider could do to retain them in spite of a breach. (Respondents were allowed to list multiple reasons.)
While 28 percent say there is nothing their provider could do that would convince them to stay, the greatest percentage of our respondents (37 percent) would stick with their doctor if they provided specific examples of how the practice’s security policies and procedures had improved after the breach. Many of those same patients (13 percent) specifically say they would want the provider to purchase new software that protects patient data.
For security reasons, Harlow says providers should strongly consider investing in certified EHR software—that which meets the HITECH Act’s specific criteria for EHR interoperability, functionality and security. In a previous Software Advice report analyzing HHS data on breaches impacting 500 or more individuals, we found that, between January 2010 and August 2013, only 3 percent of all breach incidents reported involved EHRs.
Harlow advises smaller practices to consider cloud-based systems (hosted by the vendor and accessed by users through the Internet) over on-premise ones (hosted on the user’s own servers).
Not only do cloud-based systems typically come with lower upfront costs relative to on-premise systems (you can download a pricing guide here), they also offer data storage protections: For example, patient data cannot be physically stolen, as may be the case with on-premise servers, paper-based records and laptops or mobile devices.
Harlow also recommends providers invest in encryption technology. “Every month, we hear stories about laptops being lost or stolen that were not encrypted,” he says.
Encryption is a security process that obscures sensitive information to make it unreadable unless the user has special technologies to decipher the data. This process can be as simple as enabling login passcodes, or as thorough as hiring third-party companies that regularly encrypt devices (see our report on how practices can use software to encrypt mobile devices for more information).
Digging deeper, we wanted to know if patients would react differently based on the type of breach their provider suffered. We assessed how likely patients would be to change providers as a result of various security-breach scenarios:
It should be noted that these breach types are not mutually exclusive. For example, a cyberattacker could gain access to patient records by targeting a third party associated with a provider. However, these findings provide a good baseline for gauging how damaging respondents perceive each type of breach to be.
We find that the likelihood of switching providers depends considerably on the type of breach. A combined 69 percent of patients say they would be “extremely” or “moderately likely” to change providers if staff misconduct were to blame for a breach, compared to just 45 percent who say the same if a cyberattack were the cause.
Cobb, ESET’s security expert, says this is encouraging news for anyone who believes it’s not possible for a practice to bounce back after a data breach.
“You could almost infer sympathy,” he says. “Health care providers get something of a break when it comes to cyberattacks. [Security] issues involving staff and theft register more strongly among patients.”
Indeed, patients might reason that a practice has more control over its staff and their training than it does over hackers. And not only do staff-related breaches appear to be more preventable than cyberattacks, it seems they might also be more common.
Survey results from a 2013 Healthcare Information and Management Systems Society (HIMSS) study showed that 80 percent of “individuals directly involved in maintaining a secure environment for patient data” consider the biggest data-breach threat to be “work force members snooping on [the] information of others, such as a spouse, co-worker, neighbor or friend.”
Harlow says there’s not necessarily malicious intent behind this kind of breach, but that protections must be put in place to avoid the situation altogether.
“[Medical office staff] need to be highly attuned to the issues here, so that means no snooping into your neighbor’s records to see how she’s doing,” he says.
Many EHR systems, such as Practice Fusion, provide access logs that help administrators determine who has been looking at a patient’s record—and if any of them have been accessing records without proper authorization.
There are also Web-based solutions available, such as Clearwater Compliance and TeachPrivacy, for training medical staff on how to properly follow security and compliance procedures. A thorough training course should be conducted for office staff at least once a year, as well as any time security or privacy policies change.
Experts recommend creating quizzes to ensure employees understand this training, and keeping the results in employee files to bolster documentation in case of a HIPAA compliance audit.
The way HIPAA and HITECH are laid out places the onus largely on individual providers to determine how to implement the laws. And it appears many aren’t doing a very good job: Medical software vendor NueMD recently published a survey of health care providers and their support staff that finds 19 percent are “not at all confident” someone at their practice is actively ensuring HIPAA compliance.
“Some organizations assume there’s a checklist of things they have to do in order to be [HIPAA] compliant, and that’s the end of the story,” says Cobb. But that’s not the case: Cobb explains that HIPAA and HITECH are a “framework of expectations” that intentionally do not specify particular technologies (with the exception of antivirus requirements). It’s up to providers to routinely assess their own unique security threats and address them in a satisfactory manner.
The best way to begin doing that is by conducting a security risk assessment, which is explicitly required by HIPAA for all “covered entities” annually and/or whenever security protocols are modified. Covered entities include health care providers and their business associates (e.g., a company hired by a hospital to dispose of old patient records).
The assessment can be completed many different ways, but its documentation must include the following:
The government offers several digital tools and guides to help providers conduct an assessment on their own, but Cobb says practices may be better off hiring an outside firm or consultant to ensure everything is done correctly.
If the worst-case scenario becomes a reality and a breach is discovered, a response plan based on the security risk assessment’s findings is absolutely indispensable. Best practices include creating a notification timeline for affected patients that satisfies state and federal guidelines, and designating staff members to help with the response.
Cobb says it’s also essential for practices to stay on top of the “current threat landscape,” meaning the new and emerging ways criminals might try to break into your patient-record storage system.
“If your security assessment is based on a five-year-old understanding of what the bad guys do and how information gets exposed, you won’t be well-protected,” he says.
The OCR warns there will likely be a spike in HIPAA violation fines once 2015’s audits begin, making it all the more important for providers to address any deficiencies right away. The strategies recommended by our experts throughout this report can help providers mitigate security risks before, during and after a breach:
The results of our survey on patient fears indicate that much work must be done to restore patients’ faith in data security. Once that has been accomplished, health care advocate Quinlan says, the real work can begin:
Concerns over digital privacy and security have obscured the real conversation, which is, ‘How can we make health care more accessible, frictionless and safe with the data we collect about patients?’Casey Quinlan, Blogger
In other words: Practices should strive to create an atmosphere where patients see promise instead of potential risk when it comes to the way health care data is handled.
To collect the data in this report, we conducted two identical surveys (one lasting two days, the other lasting eight) consisting of 13 questions. All survey questionnaires undergo an internal peer review process to ensure clarity in wording.
Sources attributed and products referenced in this article may or may not represent partner vendors of Software Advice, but vendor status is never used as a basis for selection. Expert commentary solely represents the views of the individual. Chart values are rounded to the nearest whole number.
If you have comments or would like to obtain access to any of the charts above, please contact firstname.lastname@example.org.