When medical practitioners fall into the habit of routinely checking the boxes to certify compliance with requirements of the Health Insurance Portability and Accountability Act (HIPAA), they inadvertently jeopardize patient privacy, because they overlook common data security risks that hide in plain sight.
In the current regulatory environment, one of the quickest ways to run afoul of HIPAA is to neglect the task of responding to communications from the Office for Civil Rights (OCR).
The OCR, the sub-agency of the Department of Health and Human Services (HHS) charged with overseeing HIPAA compliance, is in the process of sending out tens of thousands of emails and letters to collect contact information on data security officers in healthcare facilities. In busy medical offices, electronic messages from the OCR may be lost in an avalanche of emails or stuck in spam folders, while paper letters might be mistakenly tossed out. Ignoring OCR requests does not mean the practice will be excluded from the audit pool database; an unresponsive practice remains eligible for audit.
Besides being alert to OCR requirements, medical practitioners also need to be on the lookout for these three other common sources of threats to their patients’ electronic protected health information (ePHI):
1. Mobile devices
Too many medical practitioners operate under misconceptions about the security of staffers’ laptops. Though practitioners may not always retain specific notes on office visits or consultations on laptops, these computers often contain hundreds if not thousands of ePHI records. Hackers who break into laptops are typically looking for social security numbers and credit card information, not medical diagnoses, and they can pull that information from emails, document attachments, spreadsheets, explanations of benefits, and other health-related data.
In addition, as doctors and patients increasingly communicate via smartphones, smartwatches, tablets, and other mobile devices, the opportunities for cyberthieves increase.
The loss of patient data via mobile devices not only threatens the reputation and viability of medical practices, it can also result in costly fines. The Cancer Care Group, a large radiation oncology practice in Indianapolis, was slapped with a $750,000 HIPAA fine because a laptop computer containing data on 55,000 patients and employees was stolen from an employee’s vehicle.
Unfortunately, that settlement represents only one among a number of multi-million dollar penalties levied against medical professionals because of lost or stolen laptops.
2. Business associates
Agreements with business associates (BAs), such as IT companies, medical billers, attorneys, and insurance carriers, among others, are essential to the operation of medical practices today. When these BAs do not handle patient health records properly, however, they put healthcare organizations in jeopardy. For example, an orthopaedic clinic in NC sent X-rays and ePHI for 17,300 patients to a prospective business partner without having a BA agreement in place. Like the Cancer Care Group, this clinic paid $750,000 to settle its HIPAA security violations.
If a data breach occurs, the OCR not only investigates the BA, but may also investigate the Covered Entity (CE). (Under HIPAA regulations, CEs include health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.)
CEs are commonly lulled into a false sense of security about this hidden HIPAA liability because they think a BA Agreement (BAA) protects them. It’s true that BAAs are required under HIPAA, but these documents do not shield the medical practice from an OCR investigation if a Business Associate has a data breach.
While it takes work to negotiate stronger BAAs, practitioners are well advised to insist on getting proof that the BA is protecting ePHI and that the Covered Entity will receive a breach report from the BA in a reasonable timeframe. Further, if the BA caused the breach, it should indemnify and pay agreed-upon expenses to the Covered Entity.
3. Phishing and ransomware
Old scams like the offer of riches from supposedly royal foreign potentates may no longer fool as many people as they once did – but hackers continue to worm their way into medical offices via phony emails, bogus website links, and phishing expeditions that can catch even savvy employees off guard.
Worse, instead of simply stealing ePHI for the black market, sophisticated cyberthieves now use ransomware to block healthcare providers from accessing their patients’ medical information. Hollywood Presbyterian Medical Center in Los Angeles was shut down by hackers who held the hospital hostage for 10 days – forcing staffers to keep records with pen and paper until the hospital paid $17,000 in bitcoin as a ransom.
Unless properly trained, employees may take no notice of these everyday threats to patient information. Because simple human errors can open the door to hackers, medical practitioners need to close those doors by raising awareness and educating staffers about the risks inherent in seemingly ordinary activities like opening an email.
Employee training sessions and security risk assessments (SRAs) are two strategies for overcoming the tendency to overlook potential HIPAA violations. By employing these strategies, medical practitioners can ensure they are paying attention to all aspects of caring for patients, including their right to privacy.