Is your data safe? Healthcare hacks and data breaches increasing, even as HIPAA compliance grows. HIPAA training, HIPAA compliance, HIPAA manuals, HIPAA policies & procedures, HIPAA forms matter – if you’re in the healthcare space, eat, drink, think, and dream HIPAA.
The Washington Post designated this year the year of the healthcare hack. And, the Post noted, it’s only going to get worse:
Data about more than 120 million people has been compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009, according to Department of Health and Human Services data reviewed by The Washington Post. “That’s a third of the U.S. population — this really should be a wake-up call,” said Deborah Peel, the executive director of Patient Privacy Rights.
The Post points out that the Premera Blue Cross hack could involve 11 million people. This breach could include exposure of members’:
- names
- dates of birth
- social security numbers
- mail and email addresses, phone numbers
- member ID numbers
- bank account information
- claims information (including information about diagnosis and clinical care)
Cybersecurity is more important than ever. These data breaches reflect concerted attacks on data security – not a lone incident such as a stolen laptop or thumb drive. The U.S. Department of Health & Human Services (HHS) has a breach portal, detailing breaches affecting 500 or more individuals. The “location of breached information” includes:
- paper/films
- network server
- portable electronic device
- laptop
- desktop computer
- electronic medical record
There are 1169 entries, ranging from a single health provider, to a business associate under HIPAA, to a large health plan.

What can companies do? In our healthcare legal practice, we see compliance as asymptotic – meaning that one can approach but never reach 100% compliance. In insurance language, it’s all about “risk mitigation.” To paraphrase Batman, companies put on Kevlar but then so do the cyber-criminals. Crikey.

In fact, HIPAA demands a risk assessment, followed by risk mitigation measures. Not every HIPAA standard is mandatory. Some HIPAA specifications are “addressable” rather than “required.” Your company, during its risk assessment, must be able to identify the ways in which it complies with the required standards and specifications, which addressable ones the company chooses to tackle (or not), and why. The key to surviving a HIPAA audit is a defensible rationale for implementing HIPAA in a way that is appropriately scaled to the institution. Thus, a HIPAA Security policy might say, for instance:
In deciding which security measures to use, the Security Official will reasonably and appropriately implement the standards and specifications in the HIPAA Security Rule, taking into account:
- the size, complexity, and capabilities of Company
- Company’s technical infrastructure, hardware, and software security capabilities
- cost of security measures
- the probability and criticality of potential risks to electronic protected health information (ePHI).
The Security Official will provide rationales for recommendations based on these criteria, with respect to each addressable standard in all of Company’s Security policies.
Every healthcare provider, and every business associate under HIPAA, should have the following:
- HIPAA policies and procedures (a HIPAA manual)
- HIPAA forms, accompanying the policies and procedures
- A risk assessment (as indicated in the Security Rule, and as laid out in the appropriate HIPAA security policy)
- HIPAA training for all staff (see for example, our online HIPAA compliance training)
- A Security Official (preferably an IT specialist)
Data breaches cannot be prevented. There is no “iron dome” defense here. But, companies can hire HIPAA counsel to assess their current level of HIPAA compliance, and turn it up a notch, so that the company’s HIPAA and cybersecurity compliance program withstands the missiles of a potential auditor. Let us know if you have questions about healthcare privacy and security compliance for your practice or healthcare organization.

Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.
