By Mike Semel
Twitter: @SemelConsulting
Once you become aware of a HIPAA data breach, it is not a good idea to sweep it under the rug, especially when doing so is breaking the law and anyone who finds out can report you.
Just because they are free and easy doesn’t mean you should use just any Internet file sharing service for storing patient information. Nor should you let former employees store patient data on personally-owned laptops and flash drives. These lessons can all be learned from the most recent HIPAA penalty reported by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR).
St. Elizabeth’s Medical Center, of Brighton, MA, settled multiple HIPAA violations for $218,400, which does not include the costs to notify patients or the costs to implement the Corrective Action Plan to show OCR that the hospital is finally complying with HIPAA as it should have been all along. By not implementing HIPAA safeguards, and not reporting a breach when it was discovered, the hospital was breaking a federal law. It was also a violation of Massachusetts law, which makes me wonder if their aggressive Attorney General, Maura Healey, will pile on with additional penalties.
The $218,400 settlement is just the tip of the iceberg. It does not include the hidden costs of a data breach, like lost business, brand repair, public relations, and additional advertising expenses. The Ponemon Institute, in the IBM 2015 Cost of a Data Breach report, estimates these consequential costs at more than twice the direct costs. So you can assume that this breach will end up costing St. Elizabeth’s over a half-million dollars, a waste of money when everything that was reported was preventable.
How can you prevent this from happening? Just follow the HIPAA rules and comply with the law.
- If St. Elizabeth’s had an independent professional conduct a thorough and accurate Security Risk Analysis, the first requirement in the HIPAA Security Rule, sharing files through a non-compliant Internet service would have been identified. During a recent risk analysis we identified a healthcare organization using DropBox. DropBox is a popular file sharing service, but the company does not comply with HIPAA and will not sign a Business Associate Agreement. (There are file sharing services that comply with HIPAA and are OK to use.)
Beware of companies that say they ‘make DropBox compliant’ by encrypting data prior to sharing on DropBox. We have a legal opinion that the HIPAA Omnibus Final Rule says that a company that maintains (stores) Protected Health Information (PHI) is a HIPAA Business Associate, and must comply with HIPAA and sign Business Associate Agreements. DropBox won’t. Don’t confuse the Data Breach Rule exemption from reporting lost data if it is encrypted with the separate Omnibus Rule requirements to be a Business Associate.
- By implementing appropriate HIPAA policies and procedures you can eliminate the possibility that patient data would be stored on a former employee’s laptop and flash drive. The HIPAA ‘Wall of Shame’ lists the incident as a theft, but does not indicate if the employee’s equipment was stolen, or if the employee stole the data and stored it on their personally owned devices. With good IT security practices in place you can avoid both scenarios.
- If you do have a breach, as much as it may hurt, you must report it. It’s the law, not a suggestion, so unless you are a criminal, you have no choice. Most breaches do not result in fines, and when people we know have said they are worried about patients suing or retaliating, their fears have always been unfounded.
Workforce members should be trained to recognize breaches and quickly follow internal reporting procedures, and then your organization’s Privacy or Security Officer should comply with reporting and notification deadlines. Beware that just following HIPAA’s rules may not be enough: several states, like California (15 days) and Florida (30 days), have shorter notification deadlines.
In most organizations there is someone who is disgruntled and has an axe to grind, or someone who just will not tolerate their employer breaking the law. Whether through official communications channels or the organization’s grapevine, the information won’t be kept secret long, and people will be watching to see what you do. Doing the right thing is a good place to start.
This article was originally published on Semel Consulting and is republished here with permission.