Walking a HIPAA tightrope
Increasingly, mobile technology challenges hospitals to adhere to privacy law.
ID Experts, an Oregon company that bills itself as the leading provider of comprehensive data breach solutions for health care organizations and corporations, recently commissioned a survey of 80 health care organizations that allegedly revealed 94 percent of them had had a data breach in the prior two years.
Ask Larry Whiteside at Spectrum Health if he thinks that might be an accurate finding, and he replies, “Sort of.”
“It’s based on your definition of the word ‘breach,’” said Whiteside, who is Spectrum’s director of technology information services, security, risk and compliance. “If you define ‘breach’ as inappropriate access to patients’ records — yes,” he added.
Whiteside said he believes “probably 100 percent” of all hospitals have had a breach of that type in the past two years. That can happen when a doctor or someone else on staff looks up the record of an individual who is not directly under their care.
“Yes, we have had a few instances of people inappropriately accessing records that they shouldn’t have,” he said, adding that Spectrum has policies and procedures to deal with those issues.
“Even if you have access to medical records, if you do not have a reason to be looking at a person’s record for delivery of their care, then you’re violating policy,” said Whiteside.
A HIPAA violation, under the Health Insurance Portability and Accountability Act of 1996, could be unintentional, such as “USB drives that walk out of an organization,” said Whiteside.
At a November conference of health care information security officers in Chicago, Whiteside spoke about the spread of mobile devices in the workplace, which is adding another layer of challenges to effective security. The information security people even have a new acronym for the latest employee relations issue: BYOD — Bring Your Own Device.
Information security gets more complicated when everybody on staff is bringing their own mobile device to work, but some new hires with highly sought skills and credentials insist on bringing their devices into the workplace and using them there. In many cases, either the new employee or the organization has to give in a little on how and where those devices can be used.
Mark Iverson, director of organizational integrity and security for Saint Mary’s Health Care, said mobile device management is now the issue for hospitals across the country, along with hospital employees’ use of social media.
Putting something on a social media account about a patient “is an issue, I can assure you, that privacy officers and information security officers around the country toss and turn about at night,” said Iverson.
What about real hackers? Whiteside does not think those are the big problem now, although hospital records do contain personal information professional identity thieves would want: name, address, age and Social Security number. One thing identity thieves typically do is open phony credit card accounts, posing as someone who has a good credit record. Many older people in hospital beds fit that profile, and patients often are in no condition to be aware of what might be happening with their personal data.
But the non-malicious and even inadvertent types of data breaches can have huge ramifications for a health care organization.
In September, for example, the Massachusetts Eye and Ear Infirmary and its affiliated Massachusetts Eye and Ear Associates agreed to pay a $1.5 million fine to the U.S. Department of Health and Human Services for a HIPAA violation. An unencrypted personal laptop containing the electronic, protected health information spelled out in the law — ePHI — had been stolen. The laptop held information that included patient prescriptions and clinical information. The HHS Office for Civil Rights, which is charged with enforcing HIPAA and its security rules, investigated and concluded the clinic had failed to take necessary steps to comply with the security rule, which includes a thorough analysis of risk.
In addition to the fine, MEEI must adhere to a corrective action plan, and an independent monitor appointed by HHS will be watching MEEI closely for the next three years.
Every health care organization is required by law to notify OCR of certain “reportable” breaches of data security. A fax sent to the wrong doctor’s office is a breach but not necessarily reportable, while the loss of a laptop holding unsecured data and patient information is virtually a four-alarm fire.
Has Saint Mary’s had a breach?
“Do you mean have we had one of those breaches that hits the headlines? No, fortunately, we have not,” said Iverson. “Otherwise, you would know about it.”
One thing health care organizations have to do is “kind of be watching all the time,” said Iverson. That includes constant monitoring of the hospital’s IT networks to see who is logging on and what they are looking at. Whiteside said the addition of employees to study the monitoring logs is a necessary expense these days.
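The monitoring Iverson and Whiteside describe comes down to reviewing EHR access logs for the pattern named earlier in the article: a staff member opening the record of a patient who is not under their care. The following is an added illustration, not code from either hospital or from any EHR vendor; the CSV audit log, the care-team roster, the role-based exception for registration staff, and all user and patient identifiers are constructed for the example, and a real system would feed its own audit-log format into the same check.

```python
import csv
import io
from collections import Counter

# Constructed sample audit log (not real data): who accessed which patient record, and how.
AUDIT_LOG = """timestamp,user_id,role,patient_id,action
2012-11-05T08:02:11,dr_ahmed,physician,P1001,view_chart
2012-11-05T08:15:40,rn_lopez,nurse,P1001,view_meds
2012-11-05T09:30:05,dr_ahmed,physician,P2002,view_chart
2012-11-05T12:44:19,clerk_kim,registration,P3003,view_demographics
2012-11-05T13:01:52,rn_lopez,nurse,P3003,view_chart
2012-11-05T13:05:00,rn_lopez,nurse,P3004,view_chart
"""

# Constructed care-team roster: staff with a documented treatment relationship to each patient.
CARE_TEAM = {
    "P1001": {"dr_ahmed", "rn_lopez"},
    "P2002": {"dr_patel"},
    "P3003": {"dr_patel", "rn_chen"},
}

# Constructed policy exception: some roles legitimately touch records outside a care
# relationship, but only for specific, limited actions.
ROLE_ALLOWED_ACTIONS = {"registration": {"view_demographics"}}


def parse_audit_log(log_text):
    """Parse CSV-formatted record-access events into a list of dicts."""
    return list(csv.DictReader(io.StringIO(log_text)))


def flag_inappropriate_access(log_text, care_team, role_allowed_actions):
    """Return every access event that is not justified by a care relationship
    or by a role-specific exception, each annotated with the reason it was flagged."""
    flags = []
    for event in parse_audit_log(log_text):
        user, role = event["user_id"], event["role"]
        patient, action = event["patient_id"], event["action"]

        # Role-based exception: e.g. registration staff viewing demographics only.
        if action in role_allowed_actions.get(role, set()):
            continue

        if patient not in care_team:
            # No roster entry means no documented relationship for anyone.
            reason = "patient has no documented care team"
        elif user not in care_team[patient]:
            reason = "user not on patient's care team"
        else:
            continue  # access consistent with the user's care role

        flags.append({**event, "reason": reason})
    return flags


def users_to_review(flags):
    """Count flagged events per user so reviewers can prioritise follow-up."""
    return dict(Counter(f["user_id"] for f in flags))


if __name__ == "__main__":
    for f in flag_inappropriate_access(AUDIT_LOG, CARE_TEAM, ROLE_ALLOWED_ACTIONS):
        print(f"{f['timestamp']} {f['user_id']:<10} {f['patient_id']} {f['action']:<18} {f['reason']}")
    print(users_to_review(flag_inappropriate_access(AUDIT_LOG, CARE_TEAM, ROLE_ALLOWED_ACTIONS)))
```

Run against the constructed log, the check flags three events (one by dr_ahmed, two by rn_lopez) and lets the registration clerk's demographics lookup through. The point of the roster-plus-exception design is that a flag is a prompt for human review under the hospital's policy, not an automatic finding of wrongdoing: "no documented care team" often means an incomplete roster rather than a snooping employee, so the reason field is what the reviewer starts from.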
Organizations are required to proactively meet HIPAA terms up front and explain when they don’t, but there is yet another avenue open to the HHS Office for Civil Rights. According to the HHS website, any individual who believes a covered entity has violated their or someone else’s health information privacy rights or has committed some other violation of the HIPAA Privacy or Security Rules may file a complaint with OCR.
First and foremost, health care data security people work with staff at their organization to educate them before they even start working there. Doctors and nurses, however, are supposed to be well versed in the law even before they pass through the doors. “Because they are licensed, they are required to know and understand” the HIPAA law, said Whiteside.
Every health care entity is required to provide annual HIPAA training to its entire staff, said Whiteside, and there is “an even higher level of HIPAA training required for doctors and nurses.”
Iverson said Saint Mary’s and Spectrum Health do a joint educational program each year involving their residents and med school students on the premises, as well as physician assistant students, nursing students, etc.
“Not only do they get their (HIPAA) education” as part of their school class work, “but they get it when they hit our hospitals for their clinical rotations.”