How to protect patient information against cyberattacks and data breaches: requirements under the Health Insurance Portability and Accountability Act (HIPAA)
For nearly 15 years, HIPAA’s Privacy and Security Rules have governed the handling and transmission of protected health information, or “PHI”. The Privacy Rule governs how PHI may be used and disclosed, while the Security Rule sets out the steps that entities covered by HIPAA must take to protect PHI in electronic form. This is the first of several blog articles on the requirements of HIPAA’s Security Rule and how to comply.
What is “PHI”? The federal statutes and regulations that define PHI are lengthy, but boil down to the following:
- Information created by a health care provider, health plan, employer, life insurer, school or university, or health care clearinghouse, and
- Relating to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or payment for provision of that health care
- Health information is individually identifiable if it includes demographic information collected from an individual and it (1) is created or received by one of the types of organizations listed above, (2) relates to health condition, the provision of health care, or payment for health care, and (3) identifies the individual, or gives a reasonable basis to believe it can be used to identify the individual
- Protected health information, or PHI, is individually identifiable health information that is transmitted or maintained in electronic or any other form or medium
The Rules apply to “covered entities”: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks. They also apply to the “business associates” that create, receive, maintain, or transmit PHI on a covered entity’s behalf (billing services, IT vendors, cloud hosts, and the like), which since the HITECH Act have been directly liable under the Security Rule. Size is not a factor: a medical or dental practice with a few providers must comply just as a hospital system must.
Why worry about the HIPAA Security Rule? Attackers have increasingly targeted healthcare organizations and medical providers in recent years, because PHI is valuable both to the attackers themselves and to the criminals they can sell it to. Both large organizations such as Anthem and small providers such as local medical practices have been victims of cyberattacks and data breaches. A few statistics:
- In 2016 there was an average of at least one data breach per day in the US, totaling more than 450 reported breaches and affecting more than 27 million patient records
- Nearly 200 of the reported breaches were the result of employee error or employee wrongdoing
- The largest breach in 2016 compromised 3.62 million records
- The number of breaches in 2017 is expected to exceed the 2016 total
Data breaches are costly. The costs include investigating how the breach occurred, fixing the vulnerabilities that allowed it, and notifying those affected. For a small practice these costs can run into the thousands of dollars, and far more for a large organization (Anthem reportedly paid $40 million in postage alone to notify the 80 million people whose PHI was compromised in its 2015 breach).
Another potential cost of a breach comes from government enforcement. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules. Its primary enforcement tool is the civil money penalty, and in recent years OCR has been more aggressive in fining organizations for HIPAA violations.
OCR has four categories of culpability for determining fines, ranging from an organization being unaware of a violation and reasonably unable to have avoided it, up to an organization willfully neglecting the HIPAA Rules and making no attempt to correct the violation. In every category the fines cap at $1.5 million per calendar year for violations of the same provision. In 2016 OCR levied $23.5 million in fines. So far in 2017, fines include:
- Presence Health, fined $475,000 for failing to provide timely notification to patients affected by a breach, and to OCR, as required by the Breach Notification Rule; each day that Presence Health failed to notify was treated as a separate violation
- MAPFRE Life Insurance Company of Puerto Rico, fined $2.2 million after an unencrypted USB storage device was stolen from its IT department; the device contained names, dates of birth, and Social Security numbers for more than 2,200 individuals
In imposing these fines, OCR cited the companies for failing to assess risks and vulnerabilities, failing to encrypt data, failing to adequately train employees, and failing to have a breach notification plan in place. Future blog articles will cover each of these obligations and more, so that anyone subject to the HIPAA Security Rule will have a clearer idea of what they must do to protect their patients’ information and themselves.