Between Phase 2 HIPAA audits and a recent round of high-cost settlements, it’s clear that the Office for Civil Rights (OCR) is getting tough on enforcement. Multi-million dollar penalties for HIPAA privacy violations certainly send a message to non-compliant organizations, but more importantly, they make the rest of the healthcare community stop and listen.
Major OCR enforcements are accompanied by announcements (and sometimes new resources), giving other healthcare organizations a chance to learn from the provider’s mistakes. Here’s how some of them could have been prevented.
HIPAA Breach Notification and Privacy
HIPAA privacy violations are defined by the Privacy Rule and the Breach Notification Rule. The purpose of the Privacy Rule is to balance patients’ rights to security and confidentiality with healthcare providers’ need to access patient information.
The Privacy Rule regulates Protected Health Information (PHI) — data that can identify the patient, such as their name, address, birthdate, credit card number, medical record number, or the dates they were admitted for treatment. The rule applies to anyone who has access to PHI, including:
- Healthcare providers
- Health plans
- Cloud services (e.g. HIPAA compliant cloud storage)
- Medical billing providers
Under the Privacy Rule, PHI can only be shared inside the organization or with partners, governed by a Business Associate Agreement (BAA). It may only be used for medical purposes like treatment and billing for services, and in certain situations requiring disclosure (such as contacting law enforcement about suspected child abuse). The covered entity needs the patient’s written authorization for any other use.
If PHI is exposed (or may have been exposed) outside of the situations described by the Privacy Rule, it becomes a HIPAA privacy violation, or breach. The HIPAA Breach Notification Rule requires organizations to report breaches to the patient, HHS and, in some cases, the media. They must also assess and report:
- What PHI was exposed & how likely it is to expose the patient’s identity
- Who the information was exposed to
- The likelihood that they actually acquired or viewed the PHI
- How the risk has been mitigated
Assessing the likelihood of actual exposure is key to avoiding privacy violations. If you can show that the information was not accessed, or could not have been read by the unauthorized person, it’s not a breach and does not have to be reported. With the right technology and policies, that can mean the difference between a close call and a multi-million dollar fine.
If you want to protect your organization from falling into a legal (and financial) nightmare, you need to study up on how these six HIPAA privacy violations could have been prevented:
1. Mailing Mix-up Leads to Major HIPAA Privacy Violation
Between May and July of 2015, a computer error at the Colorado Department of Health Care Policy (CDHP) exposed the PHI and other personal data of 3,044 Colorado residents. The mailings — sent to residents receiving state food assistance, financial and Medicaid benefits — were sent to the wrong recipients, exposing a variety of sensitive data, including their name, address, state ID, employment status (and income information), Medicaid case number and approval status, and their state tax information.
It was the second major breach of the personal data of Colorado beneficiaries, after a similar incident exposed the personal information of 2,900 residents receiving food assistance.
The state only found out about the HIPAA privacy violation when a resident reported receiving the wrong information. At that point, all they could do was send out a mailing asking people who received the wrong letters to destroy them, and offer credit monitoring services to the breach victims.
Had Colorado used HIPAA compliant email from Virtru instead of traditional mail, they would have been able to mitigate the breach, potentially limiting the effect to only a few people. When users encrypt email with Virtru Pro, they can control future access, meaning that at any time in the future access to previously sent messages can be revoked.
Virtru Pro also comes with Read Receipts, allowing users to check emails to see if they’ve been read or forwarded to anyone. In a potential breach, that enables organizations to assess the likelihood of actual exposure, and clearly establish the effect of breach mitigation.
A Virtru Pro user in this situation would be able to react as soon as a recipient sent a reply saying that they had been sent the wrong information. The sender could quickly revoke the improperly-addressed emails, then use read receipts to identify precisely who had read them, and whose PHI had been compromised.
Only recipients who opened their emails before access was revoked would have counted as HIPAA privacy violations. This would have cut the number of affected recipients.
2. Major HIPAA PHI Breach Caused by One Wrong Email Address
On May 26, 2015, Massachusetts General Hospital learned that an employee had sent an email containing the names, lab results and Social Security numbers of 648 patients to the wrong address. Although it appears the breached PHI was not misused after the incident, this incident shows how small mistakes — like mistyping an email address — can lead to massive HIPAA privacy violations.
It’s clear that Mass General was getting multiple things wrong in the lead-up to the breach. For example, it’s never a good idea to email big groups of patient records in a single email. Instead, they should be stored, accessed and monitored in a HIPAA compliant cloud storage system like Virtru Google Apps (now known as G Suite) Encryption that allows better access control.
But even with the hospital’s questionable security practices, Virtru’s HIPAA Compliance Rule Pack could have stopped the breach. The rule pack enhances Virtru Data Loss Prevention (DLP), allowing it to scan emails for a broad range of HIPAA PHI indicators, such as:
- Patient email addresses
- Credit card numbers
- Social Security numbers
- ICD-9 and ICD-10 codes
When a user tries to send a message that could contain PHI, Virtru DLP performs an action to avert HIPAA privacy violations, from warning the user about the data they are about to send, to encrypting the email by default (or potentially sending it, but stripping out all attachments before forwarding the message to a supervisor).
The HIPAA Compliance Rule Pack could have stopped the Mass General violation by warning the user they were sending the PHI to an unauthorized email address, or mitigated it by stripping attachments.
Even if the HIPAA Compliance Rule Pack had simply been configured to encrypt all messages, it probably would have stopped the breach. With encryption enabled, the user would have been able to rescind the message as soon as they realized their mistake — most likely, before the recipient had the chance to read it.
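To make the DLP behaviour described above concrete, here is an added Python example; it is not Virtru’s code or the rule pack itself, but a small scanner of the same kind. It matches the indicators the list above names (Social Security numbers, credit card numbers with a Luhn check so random digit runs are ignored, dotted ICD-10 codes, and email addresses; ICD-9 is not covered), then picks an action from the page’s menu: let the message go, encrypt it, warn the sender, or strip attachments for supervisor review. The allowlisted domains, the sample messages and the action names are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Hypothetical allowlist of domains inside the organization or covered by a BAA
# (constructed for this example; a real deployment loads it from policy).
ALLOWED_DOMAINS = {"hospital.example", "baa-partner.example"}

# PHI indicator patterns. ICD-10 is matched only in dotted form (E11.9, S52.501A)
# to keep false positives down; ICD-9 is not covered here.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}\.[0-9A-Z]{1,4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}
HIGH_RISK = {"ssn", "credit_card"}  # direct identifiers that drive the strictest action


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters arbitrary digit runs out of credit-card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_phi(text: str) -> dict[str, list[str]]:
    """Return {indicator_name: [matched values]} for everything found in text."""
    hits: dict[str, list[str]] = {}
    for name, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            if name == "credit_card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            hits.setdefault(name, []).append(value)
    return hits


@dataclass
class Message:
    sender: str
    recipients: list[str]
    body: str
    attachments: list[str] = field(default_factory=list)


@dataclass
class Verdict:
    action: str  # send | encrypt | warn | strip_attachments
    hits: dict[str, list[str]]
    external: list[str]  # recipients outside ALLOWED_DOMAINS


def decide(msg: Message) -> Verdict:
    """Map scan results plus recipient domains to one of the page's DLP actions."""
    hits = find_phi(msg.body)
    external = [r for r in msg.recipients
                if r.rsplit("@", 1)[-1].lower() not in ALLOWED_DOMAINS]
    if not hits:
        return Verdict("send", hits, external)
    if not external:
        return Verdict("encrypt", hits, external)  # PHI stays inside the BAA boundary
    if hits.keys() & HIGH_RISK:
        # Direct identifiers bound for an address outside the allowlist: send
        # without attachments and route the original to a supervisor.
        return Verdict("strip_attachments", hits, external)
    return Verdict("warn", hits, external)


if __name__ == "__main__":
    # Constructed message with a mistyped external recipient, like the Mass General case.
    demo = Message(
        sender="nurse@hospital.example",
        recipients=["j.smith@example.org"],
        body="Lab results for Jane Doe, SSN 123-45-6789. Billing card 4111 1111 1111 1111.",
        attachments=["labs.csv"],
    )
    v = decide(demo)
    print(v.action, sorted(v.hits), v.external)
```

Note that stripping attachments does nothing about identifiers in the body itself; a stricter policy would hold the message for review rather than let it go, and in practice the indicator patterns need tuning against your own mail to keep warnings from becoming noise that users learn to click through.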
3. Stolen Laptop Leads to Multi-Million Dollar HIPAA Privacy Violation
On September 2nd, 2012, a laptop was stolen from the car of an employee of the Feinstein Institute for Medical Research, compromising the records of about 13,000 patients and research participants. This set off a lengthy investigation which culminated — almost four years later — with a $3.9 million settlement.
Laptop theft is a very common cause of HIPAA privacy violations, and often results in severe penalties. Healthcare organizations need to treat theft as a fact of life, and develop robust security and technology use policies to prevent breaches when it occurs.
Using a secure HIPAA cloud storage solution could have prevented the stolen laptop from breaching data, provided the organization protected logins with good security practices, like strong passwords, frequent password changes, and multi-factor authentication.
With Google Apps security settings, administrators can set a minimum password strength, as well as requiring all users to use 2-Step Verification. To access their accounts, users will be required to enter both a password and a short code sent to their phone. Even if a device is stolen and the hacker manages to retrieve the login data, they won’t be able to access PHI without the code.
4. HIPAA Privacy Violations Don’t Just Happen Off-Site
Stolen devices can lead to HIPAA privacy violations (and costly penalties) even if they’re kept on-premises. In 2015, Lahey Hospital and Medical Center faced an $850,000 settlement for the theft of a laptop containing the PHI of 599 individuals, stolen from an unlocked room more than 4 years earlier. The laptop was on a stand, where it was used to operate a portable CT scanner and view radiology data.
The subsequent OCR investigation found Lahey had failed at HIPAA compliance in multiple areas:
- Risk analysis
- Physical safeguards of workstations
- Workstation control policies
- Tracking users and activity on workstations
A number of physical safeguards would’ve prevented the breach: if a policy had been in place that mandated that doors must be locked when rooms aren’t in use, or if workstations were secured in a locked room when they weren’t currently being utilized, Lahey probably wouldn’t have had the breach. That’s to say nothing of other physical security measures like guards, cameras, or biometric scanners.
Even without the physical safeguards above, the hospital could have made the data from a stolen workstation inaccessible, preventing a HIPAA privacy violation. It would have only required implementing a few basic technical safeguards:
- Requiring a unique user login
- Configuring workstations to log out automatically when inactive
- Encrypting workstations
With the emphasis on HIPAA data security off-site and in the cloud, it’s easy for hospitals to become complacent about on-site risks. This violation should remind organizations to ensure their HIPAA compliance checklist secures facilities as well as the cloud.
5. Massive Settlement Shows That OCR Takes HIPAA privacy Violations by Business Associates Very Seriously
Business Associate Agreements (BAAs) are not a new requirement, but traditionally the OCR has not focused on them — even when a partner causes a HIPAA privacy breach. The recent $1.55 million settlement with North Memorial Health Care shows that the OCR has gotten much tougher about enforcement, however.
The 2011 breach exposed the PHI of 9,497 patients when an unencrypted laptop was stolen from a car (sound familiar?). But the laptop was in the possession of Accretive Health, Inc., an organization hired for services related to payment and health care operations. The partner had access to North Memorial’s database, containing almost 300,000 records, as well as non-electronic PHI, but was not under a BAA. The investigation uncovered deficient risk analysis, creating a host of other vulnerabilities to ePHI, leading to a big fine almost five years later.
Remember, a BAA doesn’t just decrease the risk to your patients. It also provides crucial legal cover, should a partner cause a HIPAA privacy violation. It’s likely that the OCR will start penalizing business associates who breach HIPAA in the future, but for now the health care provider is the one at risk.
6. Triple-S Management
Triple-S Management Corporation — an insurance holding company — recently settled with the OCR for $3.5 million after a long series of HIPAA privacy violations and security incidents. Here are a few of the highlights:
- In 2010, two former workers were working for a competitor. Because their access rights hadn’t been revoked, they were able to enter Triple-S’ database, exposing PHI.
- In 2013, a Triple-S vendor sent pamphlets to the company’s Medicare Advantage beneficiaries, incorporating PHI that had been provided to the vendor without a BAA. That PHI was printed on the outside of the pamphlets, exposing recipients’ names, addresses and health insurance claim numbers to anyone handling the pamphlet.
- In 2014, another former employee accessed ePHI. This time, the data was copied onto a CD and loaded onto his new employer’s computer, exposing a wide range of beneficiary enrollment information.
- In 2015, someone put membership cards in the wrong envelopes, sending members other members’ names and detailed insurance information.
And those are just the breaches involving over 500 people.
All of those HIPAA privacy violations could have been avoided had the data been communicated electronically. Had they completed a risk analysis, they would have likely put processes in place to prevent the breaches that occurred.
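Two of the Triple-S incidents above came down to departed employees whose access had never been revoked. As an added example (not the page’s or Triple-S’s code), here is a Python offboarding check that reconciles an HR list of departure dates against the accounts a directory still has enabled and against database audit rows, so that both the stale accounts and any access after departure surface in a report. The roster, account list and log rows are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): HR departure dates, the accounts
# the directory still has enabled, and a few hypothetical audit-log rows.
TERMINATIONS = {"avargas": date(2010, 3, 15), "mlee": date(2014, 1, 6)}
ENABLED_ACCOUNTS = {"avargas", "mlee", "jcruz", "rkim"}
ACCESS_LOG = [  # (user, date, action)
    ("avargas", date(2010, 4, 2), "SELECT member_pii"),
    ("mlee", date(2014, 2, 20), "EXPORT enrollment"),
    ("jcruz", date(2014, 2, 20), "SELECT claims"),
    ("mlee", date(2013, 12, 30), "SELECT enrollment"),  # before departure: not flagged
]


def stale_accounts(terminations, enabled, as_of, grace_days=1):
    """Accounts still enabled more than grace_days after HR's departure date."""
    return sorted(
        u for u in enabled
        if u in terminations and as_of - terminations[u] > timedelta(days=grace_days)
    )


def post_termination_access(terminations, log):
    """Audit rows where a departed user touched data after their departure date."""
    return [row for row in log
            if row[0] in terminations and row[1] > terminations[row[0]]]


def offboarding_report(terminations, enabled, log, as_of):
    """Combine both checks into one report a reviewer can act on."""
    return {
        "stale_accounts": stale_accounts(terminations, enabled, as_of),
        "post_termination_access": post_termination_access(terminations, log),
    }


if __name__ == "__main__":
    report = offboarding_report(TERMINATIONS, ENABLED_ACCOUNTS, ACCESS_LOG, date(2014, 3, 1))
    for name, rows in report.items():
        print(name, rows)
```

Run daily, the first list is a ticket to disable accounts; the second is an incident, because it means PHI was reached by someone who no longer had a business need for it, which is exactly the situation the 2010 and 2014 Triple-S breaches describe.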
Organizations need to learn the way scale affects HIPAA compliance risk. As an organization gets bigger, the opportunities for breaches grow exponentially. Workers come and go, potentially with grudges or profit motivations for compromising PHI. Communications get outsourced to companies that may not be conscientious about security. Subcontractors of subcontractors are given access to information that could cost you millions in the wrong hands.
No one should take unnecessary risks with security, but it’s especially important for big organizations to make HIPAA compliance part of everything they do. That means auditing your security practices regularly, creating a clear technology use policy, training your employees on a constant basis, and monitoring for any potential breach constantly.
HIPAA privacy violations don’t have to be a fact of life. With military-grade encryption backed up by a user-friendly interface, Virtru Pro drastically decreases the risk and severity of HIPAA breaches.
Virtru’s HIPAA Compliance Rule Pack stops employees before they send out unsafe emails, using warnings that both prevent incidents and provide invaluable training. Virtru Pro with Read Receipt allows organizations to react quickly to potential HIPAA privacy violations, revoking access, and limiting or eliminating PHI exposure and breach notification obligations. Virtru for Google Apps secures medical records, reinforcing Google security and providing access control, for a complete HIPAA compliant cloud.
Contact us to learn more about how Virtru can make securing patient data easier and safer, across your organization.