Avoidable HIPAA Nightmares

Third Quarter 2013Articles Staying Well Within the Law

You may be familiar with the adage, “There is no such thing as bad publicity as long as they get your name right.” One place you don’t want your organization’s name to appear is on HHS’s “Wall of Shame.” That’s the informal name of the list published by the U.S. Department of Health and Human Services (HHS) that posts large breaches of unsecured HIPAA privacy breach incidents affecting 500 or more individuals. Smaller breaches must be reported to HHS annually and are not subject to public disclosure.

As of July 17, 2013, 627 breaches of unsecured protected health information (PHI) were reported on the Wall of Shame. However, these publicly posted breaches represent less than one percent of all reported breaches. During the period of September 2009 through May 31, 2012, there were more than 57,000 reports of breaches involving fewer than 500 individuals.

What can you do to avoid this kind of ugly publicity and liability exposure? First, focus on the areas of greatest risk. Based on a 2012 report by HHS’s Office of Civil Rights (OCR), theft and loss represent 65 percent of large breaches. Laptops and other portable storage devices account for 38 percent of large breaches, paper records are 24 percent and desktop computers account for 15 percent. Only 14 percent are associated with improper access to email, network servers or electronic medical records. Accordingly, a lot of data is getting into the wrong hands via physical objects – smartphones, tablets, thumbdrives, laptops and old-fashioned paper records.

There is an effective solution to most of these breaches (other than the paper kind): encryption. If you’re not routinely encrypting all of your PHI, or if you don’t know whether it is being encrypted, make this your first priority.

A breach is defined as an impermissible use or disclosure that compromises the security or privacy of the PHI. An unauthorized disclosure is presumed to be a breach unless it can be demonstrated that there is a low probability that the PHI has been compromised based on a risk assessment that considers the nature and extent of the PHI involved; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent of mitigation efforts.

This is where encryption comes in. Only breaches involving “unsecured” PHI must be reported. If data is encrypted in a manner consistent with the standards the National Institute of Standards and Technology (NIST), such data will be considered to be “rendered unusable, unreadable, or indecipherable to unauthorized individuals persons” and therefore no longer “unsecured.”

Many of the widely reported breaches and enforcement actions have involved large health systems and insurance companies, but don’t let that trend lure you into complacency. In 2012, a two-physician practice in Phoenix agreed to pay HHS a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the PHI of its patients. This occurred after an investigation into an improperly secured internet-based appointment calendar revealed that the practice had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules and had limited safeguards in place to protect patients’ electronic data. Earlier this year, a small hospice agency, The Hospice of North Idaho, agreed to pay a $50,000 fine, representing the first settlement involving a breach affecting fewer than 500 individuals.

Another priority should be to limit the use or disclosure of PHI to the “minimum necessary” to accomplish the intended purpose. Cedars-Sinai Medical Center in Los Angeles recently reported that 14 patient records were accessed by unauthorized persons, including employees of independent physician practices. (Reportedly, the records were those of reality TV personality Kim Kardashian). In 2012, a court upheld the conviction and prison sentence of a UCLA employee who had peeked at celebrity records even though the information was not further leaked, sold or used improperly. UCLA also agreed to pay a civil fine of $865,000. Providers and their IT vendors should develop safeguards to restrict access to records to those with a legitimate need to see them.

These suggestions are merely some of the low-hanging fruit that can significantly reduce your HIPAA exposure. To ensure
you are in full compliance by the deadline of September 23, 2013, consult knowledgeable counsel.

This article first appeared in the August 2013 issue of Western Pennsylvania Healthcare Newsand is reprinted here with permission.