Since Congress passed it in 1996, the Health Insurance Portability and Accountability Act (HIPAA) has become a pervasive force in the health care industry. While most people, even within the medical field, do not know exactly how HIPAA works or how far it reaches, almost everyone, especially within the medical field, has been taught to be afraid of it. This post is part one of a two-part discussion of HIPAA: the issues to be aware of in protecting patient confidentiality, and how to deal with confidentiality breaches and HIPAA violations.
Under HIPAA, “covered entities” are health plans, health care clearinghouses, and health care providers (hospitals, physician practices, clinics, pharmacies, dental practices and the like) that transmit health information electronically. The obligation to protect the privacy and security of protected health information (PHI) extends to every member of a covered entity’s workforce, from physicians, nurses and pharmacists right down to the custodian in a medical facility, and to the business associates that handle PHI on the entity’s behalf. Failure to do so can result in significant civil and criminal penalties, and individual violators can also face sanctions from their licensing boards, up to and including loss of a license. Because civil penalties are assessed per violation, and a violation that continues can be counted for each day it continues, the total dollar amounts can reach staggering levels very quickly.
For instance, in October 2018, the HHS Office for Civil Rights (OCR) announced it had settled its case against Anthem, Inc., an independent licensee of the Blue Cross and Blue Shield Association and the nation’s second largest health insurer. The case stemmed from an incident Anthem discovered in January 2015, when it realized that attackers had been inside its systems and had gained access to its members’ PHI. According to OCR, the attackers got in after at least one employee responded to a spear-phishing email, and then operated undetected in the network. In all, the electronic PHI of 78.8 million members was compromised, including names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses and employment information. When the case settled in late 2018, it did so to the tune of $16 million, at the time the largest settlement ever reached to resolve HIPAA violations. In fairness, though, it was also the largest health data breach in U.S. history.
Obviously most medical providers, particularly those located within West Virginia, do not have to be concerned with a breach of Anthem’s scale. However, the threat of a crippling cyberattack is real even for smaller providers, as Princeton Community Hospital learned when it was caught up in the global NotPetya (widely reported as “Petya”) malware outbreak in June 2017. In that case, the rural West Virginia hospital system was infected with malware that presented itself as ransomware but was in fact destructive: it encrypted infected machines with no workable way to recover them, so paying a ransom would not have restored anything. The same outbreak infected over 2,000 IT systems across 64 countries.
What is the scariest part of all? These attackers often walk right through a company’s security controls, not because the controls are unsophisticated but because, in many cases, an unsuspecting employee has handed them the keys to the kingdom. That happens when an employee responds to a “phishing” email with a username and password, or clicks a link or opens an attachment that runs malware, giving the attacker a foothold inside the network from which to move further.
In other words, despite all of a company’s diligence and spending on IT security, the whole thing can still be undone by simple human error. As such, while encryption and the other safeguards required by the HIPAA Security Rule are an absolute must, one of the most important factors in preventing a breach may be a company’s internal IT policies and the training it gives employees in recognizing suspicious emails before they can trigger a disastrous chain of events. Training is a layer, not a substitute, however: a phished password does far less damage where multi-factor authentication is enforced, and NotPetya spread from machine to machine on its own by exploiting unpatched Windows systems and stolen credentials, which no amount of employee vigilance would have stopped once it was inside. Prompt patching, network segmentation and tested backups kept offline belong alongside the training program.
Bowles Rice LLP maintains an experienced health care group that can help medical providers of all sizes review and create policies and implement other risk management procedures. Health care lawyers can also be a critical part of a timely response to a HIPAA breach. In part two of this discussion, I will review the fundamental steps a covered entity must take when it discovers a breach of PHI in violation of HIPAA, including the immediate steps needed to contain the breach and to mitigate the harm it has caused. Stay tuned!