‘I Didn’t Know’ Isn’t a Defense in HIPAA Violations

Aug 13, 2015 at 11:52 am by Staff

Ignorance might be bliss in some situations, but for those in the healthcare industry, it makes for a poor defense. Unfortunately, it can be extremely difficult (if not seemingly impossible) to stay on top of the ever-changing rules and regulations that govern the industry.

While there isn’t enough ink at the printer’s to cover all the pressing regulatory problems, Keith C. Dennen, a member in the Nashville office of Dickinson Wright, sat down with Medical News to discuss what he considers one of the biggest issues that continues to plague the industry … HIPAA compliance.

“It used to be that doctors worried about malpractice. Thanks to tort caps,” Dennen said, “that issue is practically gone. Now they worry about HIPAA.”

He continued, “The reason is, of course, that all you have to do is make one little mistake, and suddenly it’s 1) national news, and 2) everyone and their brother is fining you.”

Despite all the focus given to HIPAA and HITECH rules and regulations at the federal level and in the media, compliance continues to be problematic … and non-compliance continues to be extremely costly.

Last spring, Dennen continued, the Department of Health and Human Services levied the largest HIPAA monetary fine to date on New York-Presbyterian Hospital and Columbia University for the release of protected health information. The $4.8 million fine was for a breach that occurred in September 2010 when a physician tried to deactivate a personally owned computer server on the NYP network and accidentally made PHI – including vital signs, medications and lab results – accessible on Internet search engines.

In a statement announcing the settlement, Christina Heide, acting deputy director of health information privacy for the Office of Civil Rights said, "When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information. Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems."

The interesting thing, Dennen noted, is that there was no evidence that anyone actually made use of the data or that the patients were adversely impacted. Also of note, the breach didn’t affect hundreds of thousands of patients … or even tens of thousands. Instead, the $4.8 million fine was levied for the disclosure of PHI for 6,800 individuals.

Now, he continued, “New York Presbyterian and Columbia are big enough to do a thorough risk analysis, but how about a small physician office in Columbia, Tenn.?”

Certainly, it would have cost far less for the New York facilities to proactively search for the technical gaps blamed for the breach than to pay the massive fine. That, said Dennen, is the real takeaway message.

Can a small practice afford the costs associated with ensuring electronic files are secure? “You can’t afford not to,” he said. “Let’s say they fine you $200,000 … can you afford that?”

While updating firewalls and computer systems can be costly, Dennen said even simple, inexpensive steps often still aren’t taken. “We still have the lost laptops that aren’t encrypted. We still have the mobile phone, lost or stolen, that doesn’t have a password or fingerprint recognition enabled.”

Just last month, officials with the UCLA Health System announced cybercriminals accessed a computer network that contained an estimated 4.5 million patients’ unencrypted personal and medical records. Even when a practice or medical facility has done everything in their power to secure their information flow, Dennen said they still aren’t out of the woods.

“The greatest opportunity for a HIPAA violation is with people who don’t even realize they are covered by HIPAA … the business associate,” Dennen said. “Every night I have to close my door and lock it because not only do I have client information, I have protected health information.”

While individuals do not have a private right of action in the case of HIPAA violations, Dennen said he expects to eventually see a different type of lawsuit hit Tennessee courts.

“Thanks to Elvis, we have some of the strongest privacy protections in America,” he said of state laws that were enacted decades ago to protect the legendary singer and numerous other artists based in Tennessee. “I keep waiting for that lawsuit to occur and not be HIPAA but be a privacy right issue,” he noted of leaked patient information.

The most frightening part of HIPAA violations, he continued, “is you don’t know you’re not compliant until something happens.” Dennen said it’s far too easy for Dr. Smith in Hartsville, Tenn. to be lulled into a false sense of security and think no one would ever hack into her computer. But if she has 2,000 files in the databank, then that’s 2,000 credit cards that could be opened. While bigger organizations might yield higher numbers of identities, security is often more lax at smaller practices.

“The Office of Civil Rights has said their primary focus right now is HIPAA enforcement,” he stated.

Not knowing you were out of compliance won’t get you very far if the OCR comes calling.
