A few weeks ago, an innocuous comment at a non-healthcare related event got my attention and if you manage data for a healthcare provider organization, it should have gotten yours too.
While I was obviously not in attendance at an event hosted by the American Bar Association, I saw what Department of Health and Human Services (HHS) Chief Regional Civil Rights Counsel Jerome Meites said through news reports. Meites predicted that there will be a huge spike in the fines from violations of the Health Insurance Portability and Accountability Act (HIPAA).
As noted by The Hill, last year already saw a record number of fines from HHS’ Office of Civil Rights (OCR) on the HIPAA violations (both in number of fines and value of fines). In fact, a recent report from OCR indicated that there have been more than $8 million in fines levied as a result of careless data breaches. Undoubtedly, that specific total has gone up as hospitals and healthcare systems in New York and Indiana were both recently pinged quite a few dollars of their own for breaches.
Meites told the audience that in his eyes (not the official HHS stance, for what it’s worth) those numbers will be low compared to what’s coming. Think about that for a second. Those record OCR HIPAA fines will be considered low!
I don’t care how confident you are in your data protection technology, that statement has to scare you. After all, as we’ve seen, many of these data breaches occur due to simple human error. Take for instance, the aforementioned healthcare system in Indiana. Fort Wayne, Ind.-based Parkview Health System will pay $800,000 because employees’ cardboard boxes of patient medical records unattended and accessible to unauthorized persons on the driveway of a retiring physician’s home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue.
That has nil to do with encryption and zip to do with two-factor authentication. You can put all the protections in the world in place but if you don’t have a culture of data security, be prepared to open up the wallet.
The last time I talked with our resident security expert, consultant, Mac McMillan, he gave me an interesting analogy. He likened putting in the right data security infrastructure—which includes that cultural aspect—to putting up a stop sign in a dangerous intersection. Everyone knows it’s necessary but no one does anything about it. It’s not until an accident occurs and some guy’s BMW is totaled that all of a sudden there is an URGE to put in that stop sign.
Of course not investing in the right data security infrastructure nowadays is like not putting up a stop sign in a neighborhood with the Speed Racer fan club. It’s insane. While those cultural errors are probably the main reason why healthcare provider organizations are having droves of protected health information (PHI) breached in record numbers these days, we have to acknowledge that there are technological concerns on the horizon. The Institute for Health Technology Transformation (iHT2)* recently reported how healthcare has seen a rise in the threat of cybercrime since medical identity theft is more lucrative than the theft of personal identification information alone.
Indeed, those technological threats are only going to amplify along with the fines that provider organizations are going to see from OCR. Why wait for an incident? Do your due diligence. Avoid getting your BMW totaled and/or wallet emptied.
Please feel free to respond in the comment section below or on Twitter by following me at @GabrielSPerna
*Since December 2013, the Institute for Health Technology Transformation (iHT2) has been in partnership with Healthcare Informatics, through its parent company, the Vendome Group LLC.
