Can HHS Get a Handle on Healthcare Data Breaches?
Mac McMillan

Legal Penalties Outweigh Civil Fines

To that end, last week The Sacramento Bee reported that a class-action suit was filed on Nov. 21 on behalf of plaintiff Karen Pardieck in Sacramento Superior Court against Sutter Health. Sutter Physicians Services and Sutter Medical Foundation (SMF), two affiliates within the Sacramento, Calif.-based Sutter Health network, had announced in October the theft of a company-issued, password-protected but unencrypted desktop computer from SMF's administrative offices in Sacramento. Although no medical records themselves were on the computer, some medical information used for business operations, including demographic information, dates of service, and descriptions of medical diagnoses and/or procedures, was exposed.

McMillan points out that the damages sought in lawsuits over data breaches far outweigh the civil fines levied for them. That was certainly the case, McMillan says, in the breach that took place in September at Stanford University Hospital (Palo Alto, Calif.), when the names and diagnosis codes of 20,000 emergency room patients were posted on a public website. The maximum federal fine was $1.5 million, whereas the hospital is now embroiled in a $20-million class-action complaint, as reported by the Palo Alto Daily News. "If those lawsuits are going to start being upheld and people start receiving $20 million settlements, you'll see industry behavior change," says McMillan. "What I think is going to happen—like we saw in other industries like the credit card and banking space—is that it's the general public that's eventually going to fix the problem, and it's either through litigation or taking their business elsewhere."

According to the OCR website, about 20 privacy and security compliance audits will be conducted in an initial wave, set to begin this month, to test the audit protocols. The results of the initial audits will inform how the rest of the audits are conducted, and all 150 pilot audits are to be completed by the end of 2012.
McMillan has serious doubts, though, that OCR will finish its audits by the prescribed date. "It's tough to have teeth now because you've got ICD-10, ACOs, and meaningful use, and you're going to step up enforcement now," McMillan says. "There are no easy answers out there for any of it."

Susan McAndrew, deputy director for health information privacy at OCR, told Healthcare Informatics earlier this year that her office is serious about enforcement. "It is HHS' expectation that covered entities and their business associates take these requirements seriously. HHS will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules," she said. "While HITECH may be an incentive for covered entities, self-evaluation should be standard practice. To ensure compliance, covered entities and business associates should conduct regular internal audits, hold regular trainings for their employees, and have a prompt action plan in place to respond to incidents."