Healthcare's all about the patients, right? Earning their trust so they return for annual checkups, delivering high-quality care while respecting their medical privacy at the highest level. But far too often, there's a disconnect – the idea that the care ends when the patient exits the building or a diagnosis is made, the idea that clinical deals with clinical and information technology deals with IT. But, that's not often the case in this digital age. Lines are blurred, and what happens in one area can have serious implications for another – especially when it comes to patient privacy.
Healthcare organizations are charged with safekeeping some of the most personal and sensitive information on individuals who come to receive care. That bout of depression you had in your early 20s, the sexually transmitted infection you were treated for last year, blood tests of every ilk, cancer diagnoses, medical procedures, HIV statuses, psychiatric disorders, every medication you've ever been prescribed, administered vaccinations, Social Security numbers, dates of birth, demographics, where you live, insurance details, even payment information. Healthcare organizations are gold mines of data. Valuable data. And, traditionally, protecting said data hasn't been the industry's strong suit.
Since 2009 when the HIPAA breach notification requirements took effect, nearly 1,000 large data breaches – those involving 500 individuals or more – have been reported to the Department of Health and Human Services, affecting almost 32 million people.
In addition to the breaches reported by covered entities and business associates themselves, the Office for Civil Rights, the HHS
division responsible for enforcing HIPAA, has received nearly 95,000 privacy and security complaints over the handling of health data since 2003. That's a number meriting a reevaluation of how healthcare does privacy and security.
Of course, the reasons behind why many organizations have reported egregious privacy and security failings are not always one dimensional. Oftentimes, data breaches are the result of mistakes by well-intentioned people governed by poor policies and paltry staff training, and sometimes it's the other way around.
Frequently, it's a matter of unencrypted devices being stolen or lost, but there's low probability the data has actually been compromised.
"We are encrypting 99.9 percent of our 'fill in the blank' devices,
but this one slipped between the cracks..."
And sometimes, as Lynn Sessions, partner at BakerHostetler, who focuses on healthcare privacy, hears from her clients, it's a matter of a single unencrypted device slipping through the cracks of an entity with otherwise strong encryption policies: "We are encrypting 99.9 percent of our 'fill in the blank' devices, but this one slipped between the cracks because it fell outside of the normal procurement process, or it was a biomedical device or it was used by the marketing department because they use Apple computers versus PCs," said Sessions. "Organizations have loopholes," and therein lies the breach potential.
And lastly, IT departments are just plain swamped, dealing with myriad projects and limited staff, time and budget to handle them. They can't be superheroes all the time. Providers are getting to the breaking point. Sometimes, projects have to be put on the back burner, and in many cases it turns out to be privacy and security. But listen up, IT folks: this just may end up costing you more in the end.
Paying a pretty penny
Be certain of one thing: Data breaches come at a premium.
To date, OCR has levied more than $25.1 million in monetary fines against healthcare organizations found to have violated HIPAA privacy and security rules.
Sure, not all groups are slapped with federal penalties, but don't let that ease any worries; the associated costs can often end up trumping government fines.
You have to consider the legal fees, internal investigations, credit monitoring provisions, outsourcing hotline support in addition to the external investigations. And these dollar signs can sure pile up.
A March report by the privacy research firm Ponemon Institute, for instance, pegged the cost of healthcare data breaches at a towering $5.6 billion annually, industry-wide.
Drilling into the numbers further, healthcare organizations can anticipate handing over $2 million on average over a two-year period. (The lowest two-year costs were pegged at $10,000.) That's even a 17 percent decrease from costs seen since last year, Ponemon officials noted, which can be partly attributed to the slight downtick in the number of HIPAA breaches reported by organizations compared to 2012.
So, your organization had a HIPAA breach, didn't get hit with a federal fine and came out relatively unscathed with associated costs. Not too bad, right? Not necessarily.
In addition to HIPAA, there's also the state and regional fines that can get you rethinking how privacy and security is done.
Managed care giant Health Net will tell you a little something about those. The Woodland Hills, Calif.-based health insurance company learned its business associate IBM
had lost nine unencrypted server drives on January 2011. The servers contained the Social Security numbers, names, addresses and health information of Health Net employees, members and providers.
They may have dodged federal fines, but that didn't deter two state attorneys general offices from filing suit against the company. Ultimately, Health Net was required to hand over $625,000 in fines and damages to the Connecticut attorney general and the state insurance commissioner. What's more, a year later, the company also announced a settlement with Vermont's attorney general, to the tune of $55,000.
In the realm of patient privacy and security, it's judicious to consider the medical identity theft and fraud landscape. The more laissez-faire healthcare organizations are in protecting patient data, the higher the chance of fraud.
"Having that much information, storing it all in one place,
leaving it unencrypted, hiding it behind weak or default passwords,
that would be wholly unacceptable in the financial industry."
"To give you an example, in 2010 if you received a data breach notification, there was a better than one in 10 chance that you would also be a victim of fraud. In 2012, the correlation jumped to one in four," said Al Pascual, senior fraud and security analyst for Javelin Research, in an interview with Healthcare IT News last year, discussing a fraud case study report.