Penalties & Fines HIPAA ruling on securing PHI
HIPAA ruling highlights importance of encrypting patient information
Tim Mullaney, Staff Writer | Posted: October 21, 2013
An appeals court in Los Angeles County ruled in favor of the University of California defendants, holding that there was no evidence the confidential patient files had ever been accessed. News sources characterized the Oct. 15 decision as surprising in light of the stringent requirements of the Health Insurance Portability and Accountability Act. Provider groups cheered the decision, noting that it might alleviate some of the burden healthcare organizations bear in safeguarding digital data.
"The decision is good news for hospitals and other healthcare providers who are victims of theft or hacking of medical information where the plaintiff cannot prove that the thief or hacker actually viewed the medical information," the California Hospital Association stated.
Note, however, that the files in question were encrypted. Even though the thief in this case also stole the password needed to unlock the encrypted information, some observers cautioned that the ruling might not extend to cases involving unencrypted files. The practical lesson for security teams is that encryption at rest only reduces exposure when the key or password is not compromised along with the data: a decryption credential stored or carried with the encrypted device gives the thief the same access as plaintext, and HHS guidance on "secured" PHI likewise treats encrypted data as protected only where the key has not also been breached.
As we enter a new year, enforcement actions for HIPAA violations will become more and more frequent. The era of voluntary compliance programs in healthcare is over, as the recent fine against a small hospice group, reported by McKnight's, makes clear.
The key point in that report is that the hospice group had not implemented security measures to address the loss of data, nor had it assessed and managed that risk.
Small practice forced to pay $100,000 HIPAA fine, setting a precedent for text messaging in healthcare that will affect physicians and healthcare providers.
On April 17, 2012, Phoenix Cardiac Surgery, a five-physician practice with offices in Phoenix and Prescott, AZ, reached a settlement agreement with HHS and became the first small practice charged with violating the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Phoenix Cardiac Surgery agreed to take corrective action and to pay a hefty $100,000 fine.
The corrective action plan issued by HHS explicitly identified text messaging of ePHI as a risk that must be addressed. Among its requirements: “Covered Entity must submit evidence to satisfy this obligation that includes text messaging of ePHI.”
“Covered Entity’s risk management plan must implement security measures sufficient to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level for ePHI in text messages that are transmitted to or from or stored on a portable device.”
“Covered Entity must provide documentation that it has completed a Privacy and Security Rule training since 2009 that includes additional training addressing its revised policies and procedures on the use and transmission of ePHI by text messaging.”
HHS makes it clear that text messaging of PHI is a security issue that will not be taken lightly, and that it will enforce the rules against large medical networks and small practices alike. “This case is significant because it highlights a multiyear, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of the HHS Office for Civil Rights. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
The cost of a data breach does not stop with the tiered civil penalties for HIPAA violations (Tiers A through D); the associated reputational, financial, legal and operational costs can also be very high.
Source: Droids & HIPAA violations; legal smartphones policies for healthcare; Marcia Nelson Jackson; June 2012
A recent study by Manhattan Research finds that 80% of physicians now use smartphones at work, and that by 2012 they will be joining secure online groups and platforms for communication. Doctors and healthcare providers want to send and receive information anytime, anywhere: texting, file sharing and discussions.
The healthcare industry overall is behind the times when it comes to protecting patient health information on mobile devices and in cloud-based communication. To answer the skeptics: would the financial industry send sensitive credit card numbers, files and images over plain text messaging, or leave them on unsecured third-party servers? Of course not.
Today, electronic patient health information is more valuable on the black market than financial data. Think about Medicare fraud or business marketing tactics.
HHS now maintains a permanent, public page listing reported breaches of unsecured PHI and the enforcement actions and fines associated with them. Under this policy the list is open to the public, and physicians, institutions, carriers and providers will appear on it if they report a qualifying breach or are penalized for one.