Usually I love patterns. Quilt patterns, weaving patterns, and patterns in math and science fascinate me. “The Code” is a BBC television show that explores patterns in nature. It has captivated me for hours. (I know there were only three shows, but I found the reruns on YouTube.) If you study a pattern, you can often predict what will happen when you next see that pattern. For example, if you notice a State Trooper parked on the side of I-40 and you see that you are going over 80 mph, it’s likely that you will next see flashing lights, hear a siren, and be relieved of a substantial amount of cash.
Recently, I found an even more upsetting pattern while studying HIPAA prosecutions. In 2005, North Carolina passed a law that requires all businesses to notify customers when the business suffers a security breach of customer information. In 2009, the federal government passed a similar law requiring health care providers to notify patients of security breaches affecting patient information. Providers must also report certain breaches to the federal government. The law gave state Attorneys General authority to prosecute HIPAA violations.
In 2010, a Massachusetts hospital hired a company to erase computer tapes with medical information on 800,000 patients. It shipped several boxes of the unencrypted back-up tapes to the company. Only one of the boxes arrived at its intended destination. No one ever found the other boxes. In compliance with breach notification laws, the hospital reported the breach to the government. The state Attorney General’s office responded by initiating a HIPAA prosecution against the hospital. Eventually, the case settled for $750,000 in penalties.
In another case, thieves stole a laptop containing unencrypted patient records maintained by a Massachusetts Eye and Ear Clinic. After the clinic filed a breach report, the HIPAA police fined the clinic $1.5 million and required it to retain an “independent monitor” of its security practices. The clinic had never conducted the security risk analyses required by HIPAA. Its policies governing portable devices were “inadequate.”
BlueCross BlueShield of Tennessee also felt the sting of a breach report. On 57 unencrypted hard drives, the company had recorded customer service calls that included patient names, Social Security numbers and medical information. BCBS stored the hard drives at a leased facility. Thieves stole the drives. As required by law, BCBS filed a breach notification report. The HIPAA police rode onto the scene and hit the company with a $1.5 million penalty. BCBS must also meet numerous administrative requirements in the future.
Apparently, the federal government is even willing to go after state agencies for HIPAA violations. The Alaska Department of Health and Social Services filed a breach report stating that thieves had broken into a DHSS employee’s car and stolen a USB drive containing unencrypted patient information. Based on the breach report, the HIPAA police began an investigation. Alaska had to pay $1.7 million in penalties and has to comply with numerous provisions to improve its security standards. Where was Sarah Palin when they needed her?
The feds have stated that the breach reporting laws are an “important enforcement tool.” What an understatement! The reports serve as detailed confessions of HIPAA violations. With those reports and hundreds of regulations, standards, and guidelines that only lawyers who are computer experts can understand, prosecution should be a piece of cake.
Yet, we can learn from the above cases. First, encrypt all patient/customer data. Be sure to encrypt emails that transmit patient information, including x-rays. Second, make sure that any person or agency that has access to your patient information has signed a business associate agreement as required by HIPAA. Third, if you sustain a breach, immediately notify your attorney. DO NOT try to file a breach report without legal advice – unless you have a few million dollars to throw away. Fourth, be extremely careful in how you destroy patient records that are no longer needed. If you ship them to a facility for destruction, be sure that you have checked out the facility and have a business associate agreement with it.
If you study the federal government’s HIPAA website, you will see that there have been more breach notification reports than there are stars in the sky. Accordingly, the HIPAA police have hired a private corporation to help with prosecutions. It paid the company millions of dollars in 2012. It seems to me that leveling multi-million dollar fines against an overburdened health care industry and against states that are already drowning in debt may not be the best solution to the problem of privacy rights violations. Perhaps someone in Washington needs to take a look at this. Wait – never mind – that’s how we got into this mess in the first place.
(See, I do love patterns. Even my dishcloths have patterns.)