The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. Coming up on twenty years later, HIPAA is not a new concept, but there are some ongoing issues. In 2009, HIPAA was joined by the Health Information Technology for Economic and Clinical Health Act (HITECH). This additional legislature brought changes to how HIPAA is enforced and the penalties that HIPAA non-compliance incurs. The Department of Health and Human Services has an Office of Civil Rights (OCR) that is responsible for enforcing HIPAA. Non-compliance with HIPAA is most evident after a data breach. Healthcare systems that suffer a data breach are investigated by OCR and fined large amounts of money for HIPAA violations. Let us examine healthcare and HIPAA data breaches and what they mean for the businesses that experience them.
The HIPAA Survival Guide website offers a detailed definition of what constitutes a breach. Unfortunately, data breaches involving healthcare have become more and more common in recent years. OCR keeps a database of all breaches reported since 2009 that affect 500 or more people. It is known as the "Wall of Shame" and can be accessed by the public here. Currently, theft is the most common type of breach. It occurs mostly in the form of laptops containing unencrypted healthcare information being stolen. The information is used for identity theft, putting millions of people at risk. A data breach and the subsequent OCR investigation costs healthcare companies almost more than they can afford.
In February 2015, health insurance company Anthem suffered a data breach that compromised an estimated 78 million people. Privacy Analytics crunches the numbers in their infographic, estimating a company will spend $208 per person after a breach. This is a potential cost of more than $16 billion for Anthem, even before fines from OCR. Some other breaches that occurred last year include several BlueCross BlueShield companies such as Premera, CareFirst, and Excellus. With another 20 million or so affected in these breaches, the costs will be extraordinary.
Another form of data breach is becoming increasingly prevalent and has already struck several healthcare organizations this year. Ransomware is a type of malware which limits or prevents users access to their system.
In February, Hollywood Presbyterian Medical Center in Los Angeles was paralyzed by hackers when they took over its computer systems and demanded millions of dollars in Bitcoin in exchange for its return, although in the end they settled for much less. Needless to say, this represents a very serious situation affecting many lives and sensitive information.
Just this week, the large computer network of Medstar Health in Washington DC was brought to a screeching halt due to a cyber attack, forcing their personnel to perform functions manually and, ultimately, having to turn away some patients, of which MedStar has hundreds of thousands. This breach is currently being investigated by the FBI.
In addition to what it costs to handle the people affected by a data breach, healthcare systems are subject to fines from OCR. In 2014, New York Presbyterian Hospital and Columbia University settled with OCR at a combined $4.8 million for a joint breach. This is an extreme example, but Cancer Care Group, Inc. recently settled for $750,000 and St. Elizabeth's Medical Center is paying approximately $218,000 for their HIPAA breach. The penalties for HIPAA violations add up very quickly.
There are steps businesses can take to prevent a data breach and ways to be prepared in case one occurs. Running regular risk assessments will show where your company is vulnerable. Continuing to educate employees about HIPAA will make them aware of situations to avoid so a breach does not occur. Checking that all business associates have proper security is a good practice. Remind them that as of 2013, any company that is a business associate of a healthcare system must also comply with HIPAA standards. For a full list of preventative measures to take, see Managed Solution's "10 Tips to Prevent a Healthcare Breach".
As far as being prepared, businesses should respond as quickly as possible when a breach occurs and have teams ready to handle both OCR and patients. Companies should consider:
The numbers concerning healthcare and HIPAA data breaches are astonishing. Moving forward, there has to be a change in how Protected Health Information (PHI) is handled. Security needs to be increased, encryption should always be used, and de-identification is another option. It seems unlikely that data breaches will ever be 100% extinct, but it may be possible to make PHI so difficult to access that it is not worth stealing. One thing healthcare systems and their business associates can do is make the effort to be HIPAA compliant. It is far better to be safe before or during a data breach than it is to be sorry afterwards.