HIPAA Violations in the News: How to Avoid 5 Headline-Making Mistakes
A surefire way to drive patients away is to mishandle their private health records and expose their most intimate information to crooks and hackers.
Whether you’re a patient or a practice, you need to know how to avoid the consequences of a HIPAA violation.
We interviewed the following experts to analyze what caused five high-profile HIPAA violations in the news, how each one could have been avoided and why you should act now to protect yourself from ending up in a similar situation.
Introduction: HIPAA Violations and Their Consequences
Case 1: Fax Number Mix-up Causes a HIPAA Breach
Case 2: Stolen Hard Drive Leads to $750,000 HIPAA Fine
Case 3: Paper-Based Medical Files Exposed Due to Improper Storage
Case 4: Hackers Hold Hospital’s Data Ransom
Case 5: Lack of Business Associate Agreement Prompts Investigation
Conclusion: How to Avoid Headline-Making Mistakes
Introduction: HIPAA Violations and Their Consequences
Two main laws protect patients’ privacy and security rights: the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
A HIPAA violation can happen when a covered entity is at fault for the unauthorized acquisition, access, use or disclosure of protected health information (PHI).
HIPAA and HITECH are unique because they’re not just a set of straightforward rules. These laws are sometimes described as a “framework of expectations” that providers must abide by.
The onus is on each practice to assess their own unique security threats and address them in a satisfactory manner by performing routine risk assessments (more on these later).
Throughout this article, we’ll use real-life examples to show you how to avoid various kinds of healthcare data breaches. Here’s a quick reminder of what’s at stake:
Potential Consequences of a HIPAA Violation
Case 1: Fax Number Mix-up Causes a HIPAA Breach
A fax machine misdial caused a breach at WestCoast Children’s Clinic in Oakland, Calif. on April 16, 2013. The clinic wanted to fax medical records to a patient’s family, but an employee accidentally dialed the wrong number. The clinic reportedly had policies in place requiring staff to verify a fax number with the intended party before sending sensitive data—a procedure that apparently wasn’t followed.
We asked Ryan Witt to share his insights on this topic. He’s a privacy and security workgroup co-chair at the Workgroup for Electronic Data Interchange (WEDI) and the vice president of healthcare industry practice at Fortinet, a cybersecurity firm. Here are highlights from our interview, which we’ve edited for length and clarity:
On fax machine usage in the medical industry:
“Cyber-criminals have sophisticated weapons to facilitate their attacks, and they are attacking an industry that still regularly uses fax machines. This breach highlights the need for far greater investment in technology and the importance of building a robust security architecture.”
On ways medical practices can avoid being in WestCoast Children’s situation:
“Focus on the ‘3 T’s’:
Training: Staff still required better education around safeguarding patient data.
Timely updates to systems: Many breaches occur because readily available patches or updates to an IT infrastructure were not deployed, so make sure your systems are up to date.
Technology: Healthcare has underinvested in technology. Thus, providers have greater overall exposure compared to other industries. Electronic delivery systems, next-generation firewalls and layered security architectures should be commonplace.”
On patient reactions after a security breach:
“Patients are certainly aware of the challenge [security threats pose]. A 2015 report claimed that more than half of recent hospital patients would willingly change healthcare providers if their current one experienced a data breach and that 65 percent of patients would avoid providers that had undergone a breach.”
Case 2: Stolen Hard Drive Leads to $750,000 HIPAA Fine
Cancer Care Group, a 13-physician radiation oncology practice in Indiana, paid a $750,000 HIPAA settlement after a laptop bag was stolen from an employee’s car. The problem? Inside that bag was unencrypted backup media, which stored PHI.
Bob Chaput is our expert commentator on this case. He is the CEO and founder of Clearwater Compliance, a consulting firm that provides HIPAA and HITECH-compliant software, services and training.
His reaction to this case:
“The good news is, this practice had the wherewithal to say, ‘We need to back up our digital information because if our computers crash, we might lose it.’ The bad news is, their backup media was unencrypted and stolen. This shows a failure to do the most fundamental step in any information security program: a risk assessment.”
On specific steps practices can take to perform a successful risk assessment:
1. “Find out where all the PHI is stored. Most organizations don’t have a comprehensive inventory of their PHI. This is necessary to identify all possible exposures that could lead to a HIPAA violation.
2. Create a list that ranks your PHI exposure risks from most to least serious.
3. Conduct a risk treatment. Go down your list, item by item, and make informed decisions about how you’re going to accept or mitigate each risk.
4. Encrypt all electronic PHI (ePHI). Tons of vendors offer encryption software and it is readily available in most modern operating systems.
5. Train staff on proper security policies. A practice could put in all the technology on the planet, but at the end of the day many HIPAA violations end up being a people issue. For example, you could encrypt an employee’s laptop but that becomes futile if the employee leaves a sticky note with their password on top of that laptop.”
Case 3: Paper Medical Files Exposed Due to Improper Storage
The storage of patient information at an employee’s home led to home care agency Lincare’s HIPAA violation. In 2008, a Lincare employee moved out of the house she shared with her estranged husband. Shortly after, he accused her of leaving behind documents containing sensitive medical information for 278 patients.
Government healthcare officials imposed a $239,800 penalty against Lincare due to the husband’s unauthorized access to this PHI.
David Harlow gave us his take on the Lincare violation. He is an attorney at The Harlow Group LLC, a consultant and the founder of the HealthBlawg, a blog that covers healthcare law and policy.
On whether electronic medical records software would have been a better storage solution for Lincare:
“In general, electronic storage is more secure than storage of paper records. Even though electronic records may be available from ‘anywhere,’ if they are properly secured through the proper application of administrative, technical and physical measures, they are likely to be more secure. If the records had been accessible in a secure cloud environment via an encrypted device provided to the employee, with proper controls applied, the records would have been more secure in this particular case.”
On what advice he’d give medical practices to safeguard patient data:
“Remember that this is not just a conversation about HIPAA compliance. States have their own laws and regulations, some of which are more stringent than HIPAA. Other types of rules may apply as well. There needs to be an organizational commitment to a comprehensive compliance program.”
Case 4: Hackers Hold Hospital’s Data Ransom
The majority of healthcare data breaches are caused by cyber attacks, as Hollywood Presbyterian Medical Center (HPMC) found in February 2016. Unknown criminals hacked into the hospital’s system and demanded a $17,000 ransom to restore it. The hospital paid via Bitcoin after working without EMR or email access for more than a week. It eventually regained control of all its medical data.
Steve Alder is the editor-in-chief of the HIPAA Journal, a website covering privacy and security medical news. We interviewed him so he could weigh in on what happened at HPMC.
On how the hackers accessed HPMC’s files:
“This attack appears to have involved Locky ransomware, which is primarily delivered via spam email. One of the best protections is to ensure all employees receive training (at least once a year) on security best practices and are instructed on how to identify malicious emails. Training should involve test emails being sent to see who responds. Additional training can then be provided as necessary.”
On his top tips for preventing cyberattacks:
“It is essential that all data are backed up regularly and those backup files are tested. HPMC paid the ransom because it was deemed to be the best option, which suggests a viable backup copy [of the hospital’s data] did not exist.
Ensure all software is up to date, patches are applied promptly and scans of all systems are conducted regularly. Macros should [either] be disabled on all computers or set to require authorization before being allowed to run.
Website filtering solutions can be used to reduce the risk of drive-by downloads and other web-borne threats, while anti-spam solutions can be used to prevent malicious emails from being delivered.”
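Alder’s point that backups must be tested, not merely taken, is the difference between recovering from a ransomware incident and paying. The following is an added example (written for this article, not code from the HIPAA Journal or from HPMC) of a minimal backup check: record a hash manifest at backup time, keep it off the backup volume, and re-verify the copy before it is ever needed so that a missing file or one whose contents have been rewritten is caught early. The file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # chunked: backups can be large
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir):
    """Map each file (relative to backup_dir) to its SHA-256 at backup time."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, backup_dir)] = sha256_file(path)
    return manifest

def verify_backup(backup_dir, manifest):
    """Re-check the copy against a manifest kept off the backup volume.
    Returns {relpath: "ok" | "missing" | "modified"}; usable only if all "ok"."""
    report = {}
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            report[rel] = "missing"
        elif sha256_file(path) != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report

def demo():
    """Constructed scenario: back up two fake records, then damage the copy."""
    with tempfile.TemporaryDirectory() as backup_dir:
        samples = {"patients/rec001.txt": b"constructed sample record 1",
                   "patients/rec002.txt": b"constructed sample record 2"}
        for rel, data in samples.items():
            path = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(backup_dir)
        os.remove(os.path.join(backup_dir, "patients/rec001.txt"))  # one file lost
        with open(os.path.join(backup_dir, "patients/rec002.txt"), "wb") as f:
            f.write(b"not the original bytes")  # one file overwritten in place
        return verify_backup(backup_dir, manifest)
```

A real restore test goes one step further and actually brings the data back up on a spare system; the hash check is the cheap, frequent part that tells you whether that restore is even worth attempting.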
Case 5: Lack of Business Associate Agreement Prompts Investigation
Minnesota-based North Memorial Health Care (NMHC) agreed to pay a whopping $1.55 million settlement after one of its business associates was investigated. NMHC had been collaborating with a company called Accretive Health in September 2011 when a laptop was stolen from the car of an Accretive Health staffer.
That laptop contained the PHI of NMHC patients. Investigators determined there was no business associate agreement (BAA) in place between the two companies.
Kirk Nahra provides us with expert analysis to evaluate what went wrong here. He is a partner at the law firm Wiley Rein LLC and specializes in privacy and information security litigation and counseling.
On why NMHC was fined even though Accretive’s employee lost the laptop:
“This was a case where a breach by a business associate led to an investigation that revealed there had been a more general failure [by NMHC] to implement appropriate security procedures.
“It is a good reminder about the risks presented by business associates in general. Here, those risks were exacerbated because there was no business associate agreement in place. HIPAA doesn’t require active auditing of vendors, but it does encourage due diligence and as much oversight as is reasonable.”
On best practices for implementing HIPAA-compliant business associate agreements:
1. “Companies need to review all of their service providers and identify those with any kind of access (or even reasonably potential access) to PHI.
2. Determine a strategy to implement the right contract terms and evaluate whether there are any other terms beyond HIPAA that companies want in place. Good due diligence when contracting is important.
3. Follow a process to negotiate the contracts … depending on the specific business associate, their work for you, their sophistication and their own role under HIPAA.
4. Keep in mind that the exact same contract requirements in your BAA apply to business associates when those associates retain subcontractors.”
Conclusion: How to Avoid Headline-Making Mistakes
Healthcare providers should bear these tips in mind because HIPAA compliance audits are now underway. To recap, here are the major lessons we can take from these newsworthy HIPAA violations:
1. Invest in technology to electronically exchange PHI instead of relying on fax machines. Direct messaging software and patient portals can serve this purpose.
2. Encrypt all digital devices containing PHI, as per your individual risk assessment.
3. Digitize your patients’ medical records to ensure their security is not dependent on their location. We’ve compiled a list of the 10 most popular EMR products to help you make a good selection.
4. Regularly back up your data and beware of malware. The internet isn’t to blame for HIPAA breaches, but it’s still prudent to protect yourself from cyberattacks.
5. Always have business associate agreements in place. At some point, it’s very likely your practice’s PHI will be in the hands of a business associate. Make sure you understand a potential partner’s security policies before contracting with them.
Above all, it’s absolutely essential to routinely and comprehensively train your staff on mitigating your organization’s privacy and security risks.