Four-Year HIPAA Breach: Don’t Let it Be You

Healthcare IT requires a similar approach to medicine: foundation plus innovation. We make sure you have the nuts and bolts, keeping you updated as the landscape adapts.

We’ve extensively covered the HIPAA (Health Insurance Portability & Accountability Act of 1996) Omnibus Final Rule (the revision that went into effect in September 2013) in this blog. We’ve also repeatedly explored the expected rise in HIPAA fines by the HHS (Department of Health & Human Services) in 2014, as indicated by comments from a lawyer for the federal OCR (Office of Civil Rights).

Who you don’t want to be – 2009 through today

You do not want to be one of the organizations on the HIPAA Wall of Shame. The number of violations provides a sense of why the HHS has amplified its compliance efforts: 21 million people were affected by healthcare data breaches between 2009 and 2012. Often those breaches would not have occurred if the healthcare practice had taken simple steps.

Lucas Mearian of Computerworld reported in August 2012 that six healthcare incidents listed at that time on the Wall of Shame had each exposed the healthcare data of more than 1 million patients.

Since it’s easy to view federal regulations as efforts by the government to constrain business rather than its own operations, the top organization on the Wall of Shame at that time was ironic: TRICARE Management Activity. The firm, which handles healthcare for the Pentagon, lost backup tapes that contained 4.9 million records.

One of the privacy officials at the OCR, Rachel Seeger, said that theft was the cause of breach in 54% of incidents. Meanwhile, hacking only represented 6% of data exposures. Here is how the breaches broke down by type:

• theft – 54%
• access/disclosure without authorization – 20%
• lost devices/data – 11%
• hacking – 6%
• incorrect disposal of documents – 5%
• other – 4%

Seeger reported that theft was the most frequent cause of regulatory violations. Luckily, the thieves generally are not concerned with the content: “The thieves are not after the information in the laptop, but they‘re after the laptop,” said Seeger.

Fast-forward to April 2014, and you see that theft of mobile devices is still a significant issue. That month, the HHS released a press release entitled, “Stolen laptops lead to important HIPAA settlements.” At that point, the OCR had reached settlements totaling $1.975 million.

Notably, Susan McAndrew of the OCR mentioned in the press release that it was straightforward to comply with all device requirements: don’t leave everything easily accessible. She stated, “Encryption is your best defense against these incidents.”

Four-year breach of Virginia healthcare provider

Eric McCann of Healthcare IT News reported in January on a healthcare breach that was notable not so much for the number of patients involved. Still, the length of time the vulnerability continued. Riverside Health System, which includes five Virginia hospitals, confirmed in December 2013 that the data of almost 1000 patients had been exposed between September 2009 and October 2013.

During that time, an individual who Riverside had fired unlawfully entered the system and accessed pages containing Social Security numbers and medical data of people. The employee, a licensed practical nurse, had been entering the system undetected up to November 1. At that time, a random audit conducted by the company revealed the suspicious access.

A month after that, Peter Glagola of Riverside issued an apology that pointed to detection of the incident as a sign of the company’s concern with security. Although Riverside has long had a “robust compliance program and ongoing monitoring in place,” the oversight was unacceptable, and monitoring efforts would be bolstered with “more automatic flags.”

McCann noted that both covered entities and business associates (as of the Omnibus) could be fined up to $50,000 per violation if the problem is not solved. In comparison, the offense is only $10,000 maximum if the problem is solved.

Much of what the Wall of Shame teaches us is not a “too bad for them” attitude toward the healthcare companies listed. Instead, it shows how easy it is to become noncompliant. In other words, Riverside is far from alone.

Last December, the OCR reached a settlement of $150,000 with Massachusetts-based Adult & Pediatric Dermatology. The practice was fined $150,000 for operating in violation of three core HIPAA rules: breach notification, security, and privacy. That violation stemmed from the theft of a thumb drive out of a car. When the OCR investigated the incident, they found that the practice had not performed a regular risk analysis of its systems or contacted patients whose information was compromised, both requirements under the law.

Leon Rodriguez, who heads the OCR, said that the dermatology practice was indicative of an issue throughout the industry. According to Rodriguez, the most significant area of vulnerability for covered entities is “failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis.”

Protection through business associates

If you want to stay compliant with HIPAA and avoid the Wall of Shame, your best bet is to work with a business associate specializing in healthcare IT. According to Joseph Nompleggi, Vice President of Product Development for Complete Healthcare Solutions, our “secure infrastructure, and expertise in Healthcare IT” makes us an excellent choice for HIPAA compliant hosting or our for scalable VPS Hosting.