Emmott On Technology: Untangling the Latest HIPAA Requirements – Part III

Thursday, December 5, 2013


There is a quaint idea found in the American justice system: you are considered innocent until proven guilty. The HIPAA and HITECH data breach rules dispense with that old, worn-out concept. If your office experiences a data breach, you are considered guilty no matter what.

Actually, there is a get-out-of-jail-free card that could save you: data encryption. Otherwise you are guilty. Even if there is no evidence that your data has actually been used or that anyone has experienced any harm, you are guilty.

Minor infractions, such as sending a radiograph via Gmail, should be avoided, but the big penalties come with big data losses of 500 or more files.

One of the penalties is that your office will be listed on the Health and Human Services (HHS) “Wall of Shame”.

This is a web page that lists every reported breach affecting 500 or more individuals. The site lists the following six types of breach:

  • Theft – 50%
  • Unauthorized Disclosure – 16%
  • Loss – 12%
  • Hacking – 8%
  • Improper Disposal – 4%
  • Unknown – 2%

The percentages are approximate, and some incidents have multiple breach types listed.

Theft accounts for half of the reported breaches. Commonly a laptop is stolen. In addition, servers are stolen from offices, and backup drives are stolen from the back seats of cars. Unauthorized disclosure usually involves individuals accessing files they shouldn’t. This could be an ex-wife looking up her ex-husband’s file or something similar. Larger disclosures involve sending information such as an EOB to the wrong people. Loss is self-explanatory. Improper disposal can be paper files left in a dumpster or digital records left on a discarded drive.

One notorious case involved a health plan that returned printers to the leasing company while the printers’ memory disks still had patient data stored on them. The only type of breach that is clearly intended to access data is a hacker attack, which accounts for only about 8% of reported incidents.

Most of the time it would seem reasonable to assume the thieves are after the device, not the data. For example, one dentist experienced a breach when his backup with 10,000 patient records was stolen from his office manager’s car. The thieves broke in and took some cosmetics, the backup, and other miscellaneous stuff. It is highly unlikely the thieves accessed the data. In fact, it is likely they were just teenagers taking whatever was there and they never even tried to access the data. There has never been any evidence that anyone tried to use the lost data in any way, and not one of the 10,000 patients suffered any loss. Nevertheless, the office was investigated by the OCR (Office for Civil Rights), required to jump through numerous legal hoops, and paid out more than $12,000 to comply with the rules.

A brief and admittedly unscientific survey of dentists listed on the wall found the same pattern for every office. That is, a stolen computer with no indication the thieves were looking for data, no evidence of any kind that any patient identification data was used or that any patient was harmed, yet the dental office was required to spend up to a year and as much as $46,000 to comply with the data breach rules.

If you experience a possible breach, the rules expect you to report it to HHS and do a prompt investigation with a written report within 60 days. (Some state laws require a report in as little as five days.) The report should include a description of the incident, what types of data were disclosed, what mitigating factors may be involved, and what the level of risk might be.

You may then be required to contact all patients involved by mail, informing them of the breach. You need to post the information on your practice web page, inform the media, and provide a hotline for people to call with questions.

If a patient were to experience a loss due to the breach, the dental office can be held liable.

Civil penalties also may be imposed. Fines range from $100 to $50,000 per record. That means if you lost 2,500 records, the minimum fine would be $250,000.

One general business survey (general not just medical and dental) found 88% of businesses reported at least one data breach.

Most likely your professional liability insurance will not cover you for any of the expenses or the fines associated with a data breach. Some plans are beginning to offer limited coverage as an option and others such as pcihipaa have been developed specifically for this problem.

If you experience a breach, the only thing that will get you off the hook at this time is if your data is encrypted. Some businesses have tried to argue that password security is enough to protect the data, but OCR will not accept that defense. You need to encrypt the data stored on your office server. You should especially encrypt any data that leaves the office on a laptop or as a backup. And finally, it is good policy to encrypt emails that contain patient information.
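The distinction the paragraph draws (a password-protected file is not an encrypted file) is easy to check for yourself. The script below is an added example, not part of the original column: it builds a constructed sample backup with fake patient rows, encrypts it with the standard `openssl` command before it would leave the office, and provides a check that a given name is no longer findable in the file's raw bytes. It assumes `openssl` 1.1.1 or later is installed and that the passphrase lives in a file readable only by the owner.

```shell
#!/bin/sh
# Constructed sample backup: fake rows, not real patient data.
make_sample_backup() {
  cat > "$1" <<'EOF'
patient_id,name,dob,tooth_chart
1001,Jane Example,1970-01-01,missing-18
1002,John Sample,1985-05-05,crown-30
EOF
}

# Encrypt a backup before it goes onto a laptop or USB drive.
# AES-256-CBC with a PBKDF2-derived key; the passphrase is read from a
# file so it never appears on the command line or in shell history.
# Assumption: openssl 1.1.1+ (the -pbkdf2 option) is available.
encrypt_backup() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass file:"$3"
}

# Restore a backup encrypted by encrypt_backup (same passphrase file).
decrypt_backup() {
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass file:"$3"
}

# Exit status 0 when the given string is NOT present in the file's raw
# bytes, 1 when it is. File permissions alone do not change this answer;
# only encryption does.
plaintext_absent() {
  ! grep -qa "$2" "$1"
}

# Walk-through on a scratch directory.
demo() {
  d=$(mktemp -d)
  make_sample_backup "$d/backup.csv"
  printf 'correct horse battery staple\n' > "$d/pass.txt"
  chmod 600 "$d/pass.txt"
  # "Password protected" here means owner-only permissions: PHI still readable.
  cp "$d/backup.csv" "$d/protected.csv" && chmod 600 "$d/protected.csv"
  plaintext_absent "$d/protected.csv" "Jane Example" \
    && echo "unexpected" || echo "protected.csv still contains the name"
  encrypt_backup "$d/backup.csv" "$d/backup.enc" "$d/pass.txt"
  plaintext_absent "$d/backup.enc" "Jane Example" \
    && echo "backup.enc does not contain the name"
  decrypt_backup "$d/backup.enc" "$d/restored.csv" "$d/pass.txt"
  cmp -s "$d/backup.csv" "$d/restored.csv" && echo "round trip ok"
  rm -rf "$d"
}
```

Keep the passphrase file off the same drive as the backup; an encrypted backup travelling next to its key is no better than the plaintext.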

Dentists do have a professional obligation to protect our patients’ confidentiality. Lost or stolen data does have the potential to be used in a malicious manner. On the other hand, 92% of reported breaches are not directed toward data theft, and the vast majority of lost or stolen computers do not jeopardize our patients in any way.

Can we find some middle ground that does not assume guilty with no hope of proving innocence? Maybe. The future is coming and it will be amazing!
