If you thought HHS’s bark about cracking down on HIPAA breaches was worse than its bite, think again. Some very high-profile healthcare organizations have spent copious amounts of money this year to atone for their privacy-violating sins. Read on to learn more.
According to a US Department of Health & Human Services press release, New York and Presbyterian Hospital (NYP) and Columbia University (CU) recently agreed to a $4.8 million settlement regarding “charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.” This is the largest HIPAA settlement to date.
The two organizations have a working arrangement in which CU faculty members serve as attending physicians at NYP. Thus, they use a shared data network and firewall. Unfortunately, as a result of inadequate technical safeguards, a server deactivation by a CU employee caused the ePHI of 6,800 individuals to become accessible via Internet search engines. That ePHI included patient statuses, vital signs, medications, and lab results.
NYP and CU learned of the breach after someone found the ePHI of a deceased partner (a former NYP patient) online. An investigation by the HHS Office for Civil Rights (OCR) found that the entities not only inappropriately disclosed ePHI on the Internet, but also they made no efforts prior to the breach to ensure the security of their servers or software. Additionally, neither NYP or CU conducted a risk analysis or developed a risk management plan. And “NYP failed to comply with its own policies on information access management.”
NYP paid $3.3 million of the settlement, and CU paid the remaining $1.5 million. Both organizations have committed to implementing a comprehensive corrective action plan.
Christina Heide, acting deputy director of health information privacy for OCR, said, “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”
And making data security central requires encryption. According to this HHS press release, Concentra Health Services agreed to pay $1,725,220 in April of this year to settle potential breach charges after an unencrypted laptop was stolen from the Springfield Missouri Physical Therapy Center (one of Concentra’s facilities). After a thorough investigation, the OCR found that Concentra’s encryption “efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization.”
Susan McAndrew, former deputy director of health information privacy for OCR, said, “Covered entities and business associates must understand that mobile device security is their obligation. Our message to these organizations is simple: encryption is your best defense against these incidents.” That’s why all of WebPT Member data is encrypted and stored in a HIPAA-compliant Tier III-Certified facility complete with digital video surveillance, biometric screening, round-the-clock guards, and a defensible perimeter—just to be safe. Plus, we use a 256-bit SSL encryption for customer interfaces. And as a recipient of the TRUSTe Certified Privacy badge, we employ strict password guidelines to ensure login security. In other words, WebPT Members have a lot less to worry about when it comes to HIPAA compliance.
There is plenty of room for paper mistakes, too. According to this article, Parkview Health System—a non-profit community health system in Indiana—recently agreed to an $800,000 settlement for possible HIPAA violations that took place five years ago.
After taking custody of a retiring physician’s medical records in an effort to help the doctor transition her patients to new providers (and decide whether to purchase a piece of the physician’s practice), Parkview “left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.” Apparently, the employees who left the boxes knew that the physician was not home at the time.
Luckily, it does not appear that any unauthorized person viewed the patients’ protected health information (PHI). However, Parkview is still paying dearly for its blunder—although the dollar amount isn’t that surprising to experts. According to Kate Borten, president of The Marblehead Group, a security and privacy consulting firm, "this breach was a failure of common sense.” Borten went on to say that the monetary ramifications aren’t shocking, considering that HHS has been warning about cracking down on HIPAA breaches for some time.
As part of Parkview’s settlement, the organization agreed to implement a comprehensive electronic health record system—“that is more secure than a paper record system”—and to conduct extensive employee training.
This isn’t the first time OCR has slapped organizations with hefty fines due to improper paper record-handling. In 2010, Rite Aid Corp. paid a $1 million fine after disposing of prescription information in dumpsters. CVS Caremark reached a $2.25 million settlement in a similar case in 2009. According to OCR’s latest annual breach report, paper records were involved in 23% of major health data breaches (those affecting more than 500 people) and 61% of smaller breaches in 2012.
But safeguarding PHI is critical whether that PHI is in electronic or paper format. In the same article cited above, Dan Berger, CEO of the security consulting firm Redspin, said, “The most important thing is to build a culture around the privacy and security of patient information. It's not just a 'culture of compliance,' which sounds a little Draconian. We prefer a 'culture of respect for our patients,' including the privacy of their health information."
So how do you build a culture around privacy and security? According to compliance expert Tom Ambury, it all starts with a solid plan. Check out his post on the subject here.