by Daniel J. Solove
Last week, I gave a keynote address at a conference called Safeguarding Health Information: Building Assurance through HIPAA Security, sponsored by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). I’d like to summarize my remarks here for anyone interested who wasn’t able to attend.
The focus of my talk was on how the healthcare industry must step up the protection of health data. The two most important things that must happen are making upper management appreciate the risks and making the workforce aware of how they can prevent privacy and data security incidents.
According to a Ponemon Institute study in 2013, data breaches cost healthcare institutions $5.6 billion that year. 90% of the organizations responding to the survey had at least one breach over the past 2 years, and 38% suffered more than 5 breaches during the past 2 years.
Better preventative medicine is needed. Preventative medicine works not just for health but also for data.
The C-Suite or upper management must truly understand the risks, the law, and the importance of compliance. And the workforce must know how to protect PHI. In a previous post, I summed up this prescription with a simple rhyme:
More Attention to the Risks and Costs
According to a HIMSS survey in 2013, at most organizations only a very small percentage of the IT budget goes to data security; 19% of respondents spent less than 1% of their IT budget on it. These facts indicate that the C-Suite needs to pay a lot more attention to data security officials. Indeed, I think the C-Suite needs to pay more attention to privacy officials too, because privacy and security go hand-in-hand.
There are three big costs of an incident that the C-Suite often fails to appreciate: (1) Money; (2) Time; and (3) Reputation.
In recent years, thanks in part to the 2009 HITECH Act’s enhanced penalties and broadening of HIPAA’s scope, HHS has been stepping up HIPAA enforcement efforts.
A covered entity’s business associates and subcontractors are now directly subject to HHS enforcement. Additionally, business associates are responsible and liable to the covered entity for the activities of their subcontractors.
If a company that operates as a business associate has incidents, it may have trouble contracting with covered entities and other business associates. A company that isn’t trusted could lose its ability to do business.
Big fines are being issued. Penalties can reach $1.5 million per year for each provision of HIPAA violated. When there’s a breach, HHS’s investigation often turns up quite a number of HIPAA violations, and the fines for these add up.
In May, HHS issued the biggest HIPAA fine for an incident to date: $4.8 million. Last year, one organization was fined $1.2 million for returning photocopiers to a leasing agent without erasing the ePHI contained on the copier hard drives.
Litigation adds to the bill. One study found that the average settlement award in data breach cases was approximately $2,500 per plaintiff, with mean attorneys’ fees reaching $1.2 million.
Incidents are not resolved just by writing a check. They take time and sweat, and that time is tremendously costly in its own right.
A significant number of important personnel will be tied up dealing with these issues. And even the C-Suite might be tied up too, as they need to deal with the PR fallout and might need to address the matter themselves.
Patient trust is essential to healthcare. Physicians have a long tradition of maintaining the confidentiality of patient information, but in modern healthcare many different people and entities have access to a patient’s data. Health data is among the most sensitive information about a person, and good healthcare depends upon people trusting their providers enough to share this information fully and freely. Privacy and security incidents undermine that trust.
When there’s an incident, agencies such as HHS post information about their cases on their websites. HHS’s public list of breaches affecting 500 or more individuals is dubbed the “Wall of Shame.”
These cases can tarnish an organization’s reputation. Even if the general public isn’t paying attention, an entity’s reputation can suffer with other organizations, which might not share personal data with that entity.
And all the regulators will now be paying more attention – the various federal agencies, state AGs, state agencies, international regulators, and so on. Just like having a prior criminal record won’t help future encounters with the police, the same is true with having a regulatory violation rap sheet.
Enforcement and Costs are Increasing
To date, HHS has entered into resolution agreements with 24 organizations.
Of the 27,466 complaints HHS investigated between 2003 and 2012, it obtained corrective action in 2/3 of them.
Corrective action plans can stretch up to 6 years. These plans often lay out strict compliance terms on policies, procedures, training, and document retention.
Curtailing Human Error
A PC World article discusses a new Forrester study that found internal threats to be the “leading cause” of data breaches: 90% of malware requires human interaction to infect, and 95% of data security incidents involve human error.
Because so many employees don’t receive sufficient training, they engage in all sorts of risky data security practices.
There have been many recent HIPAA fines involving human error.
In June 2014, for instance, one organization was fined $800,000 after its employees left 71 cardboard boxes containing medical records unattended in a physician’s home driveway.
In 2011, a hospital was fined $865,500 after unauthorized employees repeatedly looked at its patients’ ePHI.
The same year, another hospital was fined $1 million after an employee, while commuting to work, left patient records on a subway train.
Training is cheap preventative medicine compared to the expense of an incident.
The Best Medicine is Prevention
Compliance measures such as training are preventative measures that are inexpensive when compared to the costs of the risks they address.
As I said above, and as I will say again because it is worth repeating: Preventative medicine works not just for health but also for data.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post originally appeared on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 800,000 followers.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* Professor Solove’s LinkedIn Influencer blog
* Professor Solove’s Twitter Feed
* Professor Solove’s Newsletter