Posted on February 7, 2011 | | Categories: HIPAA
Last November, six hospitals and one nursing home were fined in California for data security breaches related to patient healthcare records. The total fines were $792,500 by the California Attorney General. The cause? The facilities failed to prevent unauthorized access to confidential patient medical information.
While these breaches made headline news in California, they were but the tip of the iceberg of the total healthcare record breaches in 2010. According to the Privacy Rights Clearinghouse, there were 592 reported healthcare data security breaches last year, which potentially exposed more than 11.5 million records. This was double the breaches of healthcare facilities in 2009, opening severe liabilities to the organizations that housed those patient records.
So what now? If your organization can be fined for failing to prevent unauthorized access, how can you safeguard your company's healthcare records?
Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, extended the complete Privacy and Security Provisions of HIPAA to business associates of covered entities. This includes the extension of newly updated civil and criminal penalties to business associates. On November 30, 2009, the regulations associated with the new enhancements to HIPAA enforcement took effect.
What's it mean? If your company merely does business with an organization that is involved with healthcare records, HITECH says that you are liable for any security breaches on your watch that reveal patient vital healthcare information. This could include things like names, addresses, social security and Medicare/Medicaid numbers, or any info that could lead to misuse of healthcare information.
So how can your company protect itself from this liability?
The Department of Health and Human Services (DHHS) interim Security Rule says that "a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information." The DHHS rule does permit something called "comparable methods" in lieu of encryption, but it does not specify what those methods might be.
To determine if your company can provide security through some so-called "comparable method" it's important to look at the types of breaches that occurred in the past. The Privacy Rights Clearinghouse provides a good free search service to investigate at http://www.privacyrights.org.
By looking through the types of breaches that occurred in 2010, (stolen laptops, doctors emailing records to their home computers, lost or missing flash drives, unauthorized browsing by employees), the first question that you should be asking is "Can our organization really secure all those potential mechanisms for data theft without relying upon encryption?" It's a difficult task, and the resources that your organization will expend (hardware solutions, policy solutions, etc.) can be significant.
Still, the monetary fines for failing to provide adequate protection are severe, and your management may decide that a thorough review of your security will be required.
By comparison, implementing encryption technology like Crypto Complete - is undoubtedly a faster and more cost-effective means. Crypto Complete encrypts sensitive data at the source using integrated key management, complete with auditing, field encryption and backup encryption, without interrupting the normal IT workflow. Data encryption permits the source of information itself to be put under a lock and key, and once encrypted, that data is protected from both unlawful use and the HITECH liability rule.
Finally, consider the downside of ignoring the HITECH rules? Take a look at one attorney's perspective "Responding to an Electronic Medical Records Security Breach: What Every Health Care Provider Needs to Know" to get a handle on the steps for determining the scope of the law. You'll be surprised at how comprehensive the requirements have become, and why your management should be concerned.
Encrypting your data is the most recognized, safest and least expensive means of protecting your organization from liability from unauthorized access. If you've been to putting off addressing the potential pitfall of unauthorized access to your data, now is the time to investigate.