TODAY’S BIGGEST CHALLENGES
As recent news once again shows, no organization is safe from intrusion, and healthcare has been a particular favorite for hackers. Huge amounts of personal, financial, health and other information were stolen in the Anthem breach, with as many as 80 million personal and health records illegally harvested, and all without detection. As changes in federal and state healthcare legislation and new technologies abound, so does the threat of illegal intrusion and theft of vast repositories of personal patient information.
Not that long ago, medical records were stored in large paper files, typically free from intrusion unless thieves gained access to a medical provider’s facility. Not so today, as doctors and patients have many more ways of using and sharing information, including online patient portals (VPNs), large networked healthcare exchanges, digital medical records (e-PHI), meaningful use records (EMR) and cloud (SaaS) technologies. Many of the newer technologies have been driven by Affordable Care Act (ACA) mandates and other regulatory directives to improve patient care and outcomes.
Did you know?
1. Patient and consumer data are top targets for hackers.
Patient data is a valuable source of information for hackers – allowing quick sales of large pools of medical, personal and financial data to the highest bidder on the black market.
In the post-Target breach days, consumers learned the lesson of judiciously reviewing credit card statements and credit reports to detect improper use of their credit. The same advice is prudent for insurance billing statements and medical records, which consumers should periodically review for potential misuse. Credit cards often limit exposure to $50 or less, but identity theft is costly to fix and often takes years to correct. “Medical identity theft”, the latest entrant, poses not only a significant financial risk to carriers and consumers but, more importantly, can pose huge medical risks to patients in need of care. Imagine that someone’s “medical identity” (name, address, policy no., etc.) is stolen and someone posing as the patient receives medical care. Unless it is quickly caught (and it often takes many months to be detected, if at all), that treatment and diagnosis becomes part of the insured’s medical record, with potentially serious consequences for the patient.
2. Fraud and abuse have significant consequences for the quality and cost of care.
Fraudsters use patients’ medical identities to gain medical services, procure drugs, and defraud insurers and benefit programs, with potentially life-threatening outcomes for patients whose identity was stolen. The Medical Identity Fraud Alliance estimated the cost of medical identity theft at $20 billion last year (excluding the Anthem breach, which is largely conjecture at this time), and costs are expected to rise significantly. This figure doesn’t include physician fraud for improper billing practices under Medicare, Medicaid, the False Claims Act or similar laws.
3. More HIPAA-related enforcement actions (with increased fines) are anticipated.
Federal and state agencies responsible for regulating healthcare, from Health and Human Services (HHS) to the Office for Civil Rights (OCR), Department of Justice (DOJ) and Federal Trade Commission (FTC), have announced aggressive audit plans to ensure patient data safety and limit fraud and abuse. And compliance audits won’t be limited to just “Covered Entities”, those with direct access to patients and patient data (hospitals, doctors and other direct providers), but will also extend to “Business Associates”, those with access to patient records who provide services to Covered Entities. HIPAA-regulated entities not in compliance with the final omnibus rules implemented under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) will face higher fines and sanctions for non-compliance.
Since HIPAA’s enactment in 1996, Covered Entities (direct providers) have faced rigorous requirements for protecting patient information (PHI, PII, ePHI, EMR) and must have appropriate security practices in place to protect patient data. There are multiple layers of security protocols, including technical, physical and administrative controls, as well as general organizational requirements designed to protect patient data. Since the implementation of the final omnibus rules, HIPAA compliance now extends governmental oversight and liability to all sorts of other individuals, businesses and vendors engaged by Covered Entities as their “Business Associates”. Appropriate privacy and security standards must be in place and enforced to limit the ever-present risk of cyber attack.
4. More private litigation by patients is likely.
Although the HIPAA statute itself does not give patients the right to sue for violations, last year the Connecticut Supreme Court in Byrne v. Avery (as well as courts in several other states) ruled that HIPAA’s lack of a private right of action does not necessarily prevent an individual from bringing an action under state law. While the contractual provisions of most data security agreements between CEs and BAs (Business Associate Agreements) typically contain language limiting who can assert rights directly against them, the end result of recent court decisions seems to be opening the door for individuals affected by a breach to pursue remedies against Covered Entities and Business Associates directly.
5. ACA, Final Omnibus Rules and HIPAA Privacy and Security standards impact more than just healthcare providers.
Whether working within the healthcare community or another field entirely, every business must carefully evaluate the risks posed by a breach of its data, whether from outside threats (hackers), inside threats (employee human error) or risks posed by access to sensitive data arising from services provided by Business Associates (third-party vendors). Under the final omnibus rules, many vendors and their subcontractors fall under the definition of “Business Associate”, requiring the same rigorous compliance with HIPAA Privacy and Security standards required of direct healthcare providers. Knowing the rules and incorporating best practices to ensure data is secure must be a top priority for the healthcare industry and any downstream providers falling under the definition of Business Associate.
It’s incumbent on any individual or business having access to patient data (or any personal consumer data) to implement appropriate security practices and to investigate the practices of their subcontractors. All it takes is one mishap to be in the same position as Anthem and other healthcare providers who found themselves on the wrong side of this issue. In addition to conducting annual risk and compliance assessments, any individual or entity falling within the scope of the HIPAA/HITECH requirements should consider including or expanding cyber security coverage sufficient to protect against this increasing risk exposure, with many experts estimating the cost at $200/record for each record actually or potentially exposed to breach.
The healthcare industry and their downstream vendors can avoid trouble by:
1. Periodically assessing and addressing potential security risks;
2. Adequately training employees to understand the risks posed by the use of technology;
3. Adopting appropriate privacy and security practices;
4. Developing a Data Security Incident Response Plan with a team qualified to quickly respond if the worst should happen;
5. Adequately evaluating the risks and adding appropriate coverage for data security compromise/breach response costs (or being prepared to self-insure);
6. Reviewing/updating all data security contracts to ensure they meet the new legal requirements;
7. Vetting all technologies and vendors to make sure they measure up; and
8. Appointing a qualified HIPAA Compliance Officer to ensure the required standards are met.
If you’re thinking you’re too small to be noticed, you’re not. There’s an abundance of reliable information available showing the true cost to those not in compliance or suffering a breach. The reputational harm posed by a breach or potential security incident can have devastating consequences for the ill-prepared. Our firm regularly provides compliance counseling, HIPAA assessments and training to help our clients avoid trouble. Having represented a number of companies hacked by off-shore organized crime, I can tell you a data breach, even a suspected data breach, is something you want to avoid. And all it takes is some careful analysis and planning.
We invite inquiries on how we can assist with evaluating your needs in this critical area.