If you have noticed an increasing number of high-profile privacy and security problems for healthcare organizations these last few weeks, you’re not alone. The issues have ranged from employee misuse of protected health information to web-based breaches, photocopier breaches, and the theft of computers that compromised millions of records containing unsecured protected health information (PHI). These issues remind us that healthcare companies face significant risks in collecting, using, storing, and disposing of protected health information.
Pharmacy Hit With $1.4 Million Jury Verdict For Unlawful Disclosure of PHI
An Indiana jury recently awarded more than $1.4 million to an individual whose protected health information was allegedly disclosed unlawfully by a pharmacy. The pharmacist, who was married to the plaintiff’s ex-boyfriend, allegedly looked up the plaintiff’s prescription history and shared it with the pharmacist’s husband and plaintiff’s ex-boyfriend. The lawsuit alleged theories of negligent training and negligent supervision. The pharmacy intends to appeal the judgment.
Health Insurer Fined $1.7 Million For Web-Based Database Breach
Meanwhile, the Department of Health and Human Services (HHS) recently fined a health insurer $1.7 million for engaging in conduct inconsistent with HIPAA’s privacy and security rules following a breach of protected health information belonging to more than 612,000 of its customers. The breach arose from an unsecured web-based database that allowed improper access to protected health information of its customers.
HHS’s investigation determined that the insurer:
(1) did not implement policies and procedures for authorizing access to electronic protected health information (ePHI) maintained in its web-based application database;
(2) did not perform an adequate technical evaluation in response to a software upgrade (an operational change affecting the security of ePHI maintained in its web-based application database) that would have established whether the configuration of the software providing authentication safeguards for its web-based application met the requirements of the Security Rule;
(3) did not adequately implement technology to verify that a person or entity seeking access to ePHI maintained in its web-based application database is the one claimed; and,
(4) impermissibly disclosed the ePHI, including the names, dates of birth, addresses, Social Security Numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database.
Health Plan Fined $1.2 Million For Photocopier Breach
In another example of privacy and security issues causing legal problems for a healthcare organization, HHS settled with a health plan for $1.2 million in a photocopier breach case. The health plan was informed by CBS Evening News that CBS had purchased a photocopier previously leased by the health plan. (Of all the companies to get the photocopier after the health plan, it had to be CBS News). The copier’s hard drive contained protected health information belonging to approximately 345,000 individuals. HHS fined the health plan for impermissibly disclosing the PHI of those individuals when it returned the photocopiers to the leasing agents without erasing the data contained on the copier hard drives. HHS was also concerned that the health plan failed to include the existence of PHI on the photocopier hard drives as part of its analysis of risks and vulnerabilities required by HIPAA’s Security Rule, and it failed to implement policies and procedures when returning the photocopiers to its leasing agents.
I blogged about photocopier data security issues last year, after the Federal Trade Commission issued a guide for businesses on the topic of photocopier data security. Another resource I recommend to my clients on the topic of media sanitization is a document prepared by the National Institute of Standards and Technology, issued last fall.
Medical Group Breach May Affect Up To Four Million Patients
Lastly, a medical group recently suffered what is believed to be the second-largest loss of unsecured protected health information reported to HHS since mandatory reporting began in September 2009. The cause? Four unencrypted desktop computers were stolen from the company’s administrative office. The computers contained protected health information of more than 4 million patients. As a result, the medical group is mapping all of its computer and software systems to identify where patient information is stored and ensuring it is secured. The call center set up to handle inquiries following the notification of the patients is receiving approximately 2,000 calls each day.
So what are five lessons companies should take away from these developments?
- Having policies that govern the proper use and disclosure of PHI is a first step, but it is important that companies also audit whether their employees are complying with these policies and discipline employees who don’t, so that everyone in the company gets the message that non-compliance will not be tolerated.
- As technology is upgraded or changed, it is important that companies continue to evaluate any potential new security risks associated with these changes. An assumption should not be made that simply because the software is an “upgrade” the security risks remain the same.
- There are hidden risks, such as photocopier hard drives. Stay apprised of these potential risks, identify and assess them in your risk assessment (required by HIPAA), then implement administrative and technical safeguards to minimize these risks. With respect to photocopiers, maybe this means ensuring that the hard drives are wiped clean or written over before they are returned to the leasing agent.
- Encrypt sensitive information at rest and in motion where feasible, and to the extent it isn’t feasible, build in other technical safeguards to protect the information.
- Train, train, train – having a fully informed legal department and management doesn’t do much good if employees don’t understand these risks and aren’t trained to avoid them. Do your employees know how seemingly simple and uneventful conduct, like photocopying a medical record, leaving a laptop unattended, clicking on a link in an email, or doing a favor for a friend who needs PHI about a loved one, can lead to very significant unintended consequences for your company (and, as a result, for them)? Train them in a way that brings these risks to life, update the training and require it annually, and audit that your employees are actually completing the training.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.