By Katie Hebeisen, Communications Specialist
Hospitals and their vendor partners can learn valuable lessons from the underlying facts in Health Insurance Portability and Accountability Act (HIPAA) enforcement actions over the past couple of years. The actions underscore that anybody in a company's workforce, no matter their role, can expose the organization to significant fines and penalties if they do not have a "healthy" understanding of HIPAA. Small errors in judgment - like leaving a laptop in a car or failing to log and respond to patients' requests for information - can subject a covered entity or business associate to those penalties. The enforcement actions taken against covered entities and business associates alike who erred in HIPAA compliance can teach others what not to do and how to be more careful with their own patient information.
In ACA International's 2012 Spring Forum session, HIPAA Unhealthy: Gambling on What the 2011 Upsurge in HIPAA Compliance Problems Means, Leslie Bender, president of Bender & Radcliffe, P.A. in Timonium, Md., spoke about HIPAA enforcement actions and the potential privacy and security risks that come with new technology.
Significant HIPAA Enforcement Violations
"If we read between the lines in what has happened in various HIPAA violation cases, we see that the Department of Health and Human Services [HHS] has plunged into a new era," Bender said. "The HHS expects us all to have documented compliance programs, as well as ongoing and meaningful training programs, for all members of our workforce."
Since the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act, state attorneys general now also have authority to enforce HIPAA regulations. HHS has run extensive training programs for attorneys general to provide instruction on the details of HIPAA enforcement.
"Attorneys general are zealous consumer advocates and may not be as permissive as the HHS' Office of Civil Rights," Bender said. "As a consequence, we have already seen huge enforcement actions initiated by attorneys general."
The first action taken by a state attorney general involving violations of HIPAA was by the Connecticut attorney general, who brought an enforcement action against a large managed care organization alleging HIPAA privacy and security violations. The attorney general grew skeptical of the practices of the health plan company after the organization misplaced a portable computer disk drive containing significant protected health information (PHI). The attorney general sued the company for failing to secure private patient medical records and financial information and failing to promptly notify endangered consumers about the security breach.
Although there is no evidence that any patients or consumers were victimized by fraud or identity theft, or suffered any loss as a result of the misplaced device, the action required the company to adhere to a corrective action plan and resulted in over $7 million in costs to the organization.
In another well-publicized enforcement action, the Minnesota attorney general filed a suit against a business associate alleging the company violated both HIPAA and state law. The action stemmed from a laptop stolen from an employee's vehicle that contained information relating to the patients of the business associate's hospital clients.
"These situations are eye openers," Bender said. "Even if it's a trusted employee, accidents can happen."
Bender explained that the HITECH Act requires everyone involved in the health care arena to comply with every standard and specification, whether they are a hospital or a business associate.
"It's very damaging to a company's reputation when every patient in a hospital system is alarmed by receiving notification that their personal information may be at risk," Bender said. "We're not talking about sophisticated hackers or dishonest people conducting espionage; we're talking about human beings making simple mistakes that can end up costing businesses money and reputational damage while increasing the anxiety of affected patients."
The rising use of and reliance on portable technology devices raise further concerns with HIPAA and patient privacy. Portable technology devices attract consumers because they are convenient, affordable and efficient. People want information available at their fingertips, and the Internet is available 24/7.
"The convenience of using these tools may present an enormous opportunity for corruption and cyber risk; therefore, we need to be very careful about training staff on what they're doing and how they're using these tools," Bender said. "Ground rules need to be set now because if employees unknowingly engage in harmful activity and we fail to set expectations in the work force, we are at risk."
One of the latest and most popular Internet trends is the use of social media. Social media uses web- and mobile-based technology to turn communication into interactive dialogue between parties.
"Many of my health care clients are moving to social media as an easy way to train and attract patients," Bender said. "Patients want to blog about their symptoms and find out from other people how to treat their conditions or how to receive financial assistance."
Social media platforms present a whole new avenue for viruses and phishing scams to enter electronic networks, especially when the platforms include chat and instant messenger tools. While some social media applications are safe and harmless, others may provide a tunnel for harmful software to enter computer systems, resulting in damage that the user may not even know has occurred.
According to Bender, traditional security perimeter controls are supposed to keep harmful things from coming in, but what if the "bad guys" are already "in" and are trying to send data out? "We need to focus some of our security energy on stopping data theft from leaving our corporate gateways from the inside out, not necessarily from the outside in," Bender said. "More resources are available for people to sell private data today, so we need to keep it inside our private networks."
Bender also noted that the industry is starting to see companies warn their employees against certain types of Internet use, especially when it comes to personal electronic devices.
"When you allow people to bring their own devices to work, you need to think about what the operational challenges are and if they're exposing you to future risks," Bender said. "You can restrict your employees' access on company computers, but they can still access anything they want on their smartphones."
Bender predicts that changes may still be made to the HITECH Act this year to include regulations for security and technology.
"We don't have a crystal ball to understand the implications of the technology we use and like to take advantage of," Bender said. "Technology makes us more efficient, but it also makes the information most sensitive to us vulnerable to risks we cannot necessarily foresee."
Published by Pulse