
Page 1: Keeping Data in Motion: The high cost of HIPAA non-compliancevertassets.blob.core.windows.net/download/866f9c4d/866f9c4d-792… · The average cost of a data breach is $5.5 million,

Keeping Data in Motion: The high cost of HIPAA non-compliance

OCTOBER 2013 | PART 2


WHITE PAPER | Keeping Data in Motion

Part 2: The high cost of HIPAA non-compliance

In Part 1 of this series, we outlined how HIPAA regulations impact the transfer of protected health data and how those rules apply to fax transmission. In Part 2, we will look at the high cost of non-compliance with HIPAA regulations. According to Rebecca Herold, an expert on information security and privacy at Rebecca Herold & Associates, LLC, “The Department of Health and Human Services is increasingly aggressive and effective” in enforcing HIPAA regulations. Her assessment of the landscape emphasizes one key point: managing paper-based medical records is not for the faint of heart.

During a 2012 webinar entitled “A Simple and Compliant Solution to The Paper Problem in Healthcare,”[1] Herold pointed out that the U.S. Department of Health and Human Services (HHS) completed about 110 compliance audits for covered entities in 2012, as well as hundreds of investigations resulting from data breaches and complaints.

The penalties resulting from investigations like these have run into millions of dollars for healthcare organizations that have violated HIPAA rules governing the privacy and security of protected health information (PHI). A closer look at these missteps will reduce your organization’s risk of making similar mistakes. In fact, depending on your role in the healthcare organization, it may even save your job – or keep you out of prison.

Penalties can really sting

The average cost of a data breach is $5.5 million, and the average cost per patient record is $240. While HHS reserves the largest penalties for healthcare organizations that knowingly violate HIPAA rules, the annual maximum fine for unknowingly violating the rules is $1.5 million.

By April 2013, penalties for patient data breaches had topped $50 million.[2] These fines resulted from about 65,000 breaches that had been filed with the Office of Civil Rights, a branch of HHS. As of September, the count had already climbed to 80,000.[3]

In the past, such fines were only levied when data leakage affected 500 or more individuals. But recently, HHS has been going after “smaller fish.” Hospice of North Idaho, for example, was fined $50,000 for losing a laptop containing PHI on about 440 patients. In the words of Leon Rodriguez, Director of the Office of Civil Rights (OCR), “This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.”[4]


Simple mistakes have major consequences

Of course, lost laptops are not the only way your organization can get into trouble. Johns Hopkins University Applied Physics Laboratory Medical and Dental Insurance Plan experienced a data breach when PHI was attached to an email addressed to 85 employees by a benefits staff member. Within five days, all recipients were notified and the email was deleted, but the damage had been done. Approximately 692 individuals were affected by this breach. The email included names, dates of birth, social security numbers, and marital and disability status.

At the Laboratory Corporation of America, an external hard drive containing the PHI of 2,773 individuals was stolen. The breach included first and last name, medical record number, dates of birth, laboratory test information data and some social security numbers.

WellPoint, one of the largest insurers in the U.S., was required to pay $1.7 million because it left PHI for more than 612,000 patients accessible over the Internet. The OCR report on the breach said WellPoint failed to provide safeguards that would verify the person or entity trying to get access to the patient data, and it had failed to do the proper technological evaluation following an IT software update.[5]

Even more disturbing was the breach at the University Medical Center of Southern Nevada, where a former volunteer faxed patient face sheets to an attorney who used them to contact prospective clients. The PHI involved in the breach included names, addresses, dates of birth, social security numbers and diagnoses; 5,301 individuals were at risk, and as a result of this breach, at least one person has been indicted on one count of conspiracy to illegally disclose PHI in violation of HIPAA.[6]

It is likely healthcare providers, clearinghouses and related business associates will see the number of reported breaches grow even more in the near future. In September 2013, new HIPAA rules on protecting PHI took effect. The American Medical Association published guidelines to help physicians comply, pointing out that “the new rules expand the obligations of physicians and other health care providers to protect patients’ protected health information (PHI), extend these obligations to a host of other individuals and companies who, as ‘business associates,’ have access to PHI, and increase the penalties for violations of any of these obligations.”[7]

AMA described breaches that fall into four penalty tiers:

- Unintentional breaches
- Breaches in which the doctors “knew, or by exercising reasonable diligence would have known” of the violation, but the physician did not act with willful neglect
- Breaches in which the clinician acted with willful neglect but corrected the problem within 30 days
- Breaches resulting from willful neglect for which the clinician failed to make a timely correction


Homing in on fax risks

Fax-related data breaches continue to plague covered entities because, despite the federally sponsored push to digitize patient records, clinicians still rely heavily on paper faxing. A 2012 survey conducted by Healthcare IT News, for instance, found that one in five organizations primarily use fax to share PHI. And entities that have electronic medical record systems in place are still at risk: the same survey revealed that approximately a third of providers do not integrate fax with their EMR or other back-office apps.[8]

The 2012 National Physicians Survey found that fax is the primary form of communication for 63 percent of physicians, while the Markle Survey on Health in a Networked Life 2010 found that 61 percent of doctors use a fax machine as the predominant means of sharing information with other doctors.[9,10]

Herold said that among the hospitals and clinics she works with, close to half of all breaches have involved fax transmissions. So what exactly can go wrong?

Among the examples Herold highlighted: Children’s Hospital of Orange County inadvertently faxed patient records to an auto shop. Doctors’ offices in Tennessee accidentally sent patient information, including social security numbers and medical histories, to an Indiana businessman’s fax machine for more than four years without realizing it.

It’s also possible for breaches to occur as a result of malicious intent, with PHI falling into the wrong hands because hackers break into fax servers. Similarly, a covered entity is at risk if it doesn’t remove data from the disk storage section of a fax machine before disposing of the unit. One financial company, for instance, sold its fax machine to a reseller and did not remove the patient data from the hard drive or from the trays.

Protecting faxed patient data

Clearly then, one of the first steps in protecting faxed PHI is understanding how to use the fax technology in a secure way. Beyond that, “You need to ensure that someone [in your organization] has responsibility for information security and privacy compliance,” says Herold. That person has to be given the authority to establish the appropriate policies and procedures.


Covered entities, as well as all their business associates, need to understand how faxes are being used within their facility and do a risk assessment, using the threats outlined above as a starting point. Once the assessment is completed, the organization needs to establish the proper controls to mitigate those risks. That means using cover sheets with the appropriate information on them, including the recipient’s name and a call-back number. If your facility uses a fax server or sends faxes through an email server, it is also important to use encryption to reduce the risk of unauthorized access, Herold explained.

Also be certain to provide regular, ongoing staff training so that everyone is fully informed of their responsibility when handling PHI. And finally, while HIPAA outlines the federal regulations for PHI transfer, every covered entity needs to know the laws in its individual state as they apply to patient data transmission.

Following the proper precautions will help protect both you and the patients you serve from unnecessary risks. Once the proper precautions are in place, healthcare providers will need a flexible, cost-effective solution to address the HIPAA regulation challenges they face. Part 3 of this series will look at how one solution delivered real-world benefits for healthcare providers.

About OpenText

OpenText is the leader in Enterprise Information Management (EIM). EIM enables organizations to grow the business, lower costs of operations, and reduce information governance and security related risks. OpenText focuses on the key drivers of business success to improve business insight, strengthen business impact, accelerate process velocity, address information governance and provide security.

OpenText Information Exchange solutions help organizations integrate and extend their information exchange systems and processes in order to improve their efficiency, decrease security risk, and lower their transaction cost for internal and external information exchange. For more information visit: faxsolutions.opentext.com.


Produced in partnership with HIMSS Media, www.himssmedia.com. © 2013

REFERENCES

[1] https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=445081&sessionid=1&key=52F179157F8B5F7058BA475773615E8A&partnerref=tmclanding&sourcepage=register
[2] https://protectedtrust.com/penalties-in-patient-health-data-breach-cases-top-50-million/
[3] http://www.healthcareitnews.com/news/ready-or-not-hipaa-gets-tougher-today?topic=08,29,18
[4] http://www.networkworld.com/community/blog/first-time-small-data-breach-draws-big-fine-50k
[5] http://www.healthcareitnews.com/news/ready-or-not-hipaa-gets-tougher-today?topic=08,29,18
[6] http://www.phiprivacy.net/man-who-solicited-patient-records-from-university-medical-center-of-southern-nevada-sentenced-to-prison/
[7] http://www.ama-assn.org/resources/doc/washington/hipaa-omnibus-final-rule-summary.pdf
[8] Survey conducted by Healthcare IT News in January 2012 on behalf of the OpenText Fax and Document Distribution Group, with 288 respondents
[9] Markle Survey on Health in a Networked Life 2010, Jan 2011
[10] 2012 National Physicians Survey, Oct 2012
