The Increased Cost and Damage of a HIPAA Breach
Written by: Matt Morris

While costs in healthcare trend strongly up and to the right, the same is now true for the cost of having patient data lost or stolen. Within the last year, new legislation requires notification of a patient information breach, as small as one lost or stolen chart, to both the California Department of Public Health and Health and Human Services. Worse yet is the requirement that includes notification to the affected individuals, and in some cases the local media, in an effort to “get the word out” to those who could be impacted. Getting the word out that a specific healthcare organization has not protected the privacy of its patients is the greatest penalty of all. This is especially true in light of studies that have shown the healthcare industry has one of the highest percentages of customer loss after reported breaches when compared against other industries.

California AB 1298 - SB 541 - AB 211
In January 2008 AB 1298 took effect and updated the original data breach notification requirement for individuals (SB 1386) to include health information. In January 2009 SB 541 and its companion legislation AB 211 came into existence. On the heels of some high profile breaches, the State of California did not see sufficient penalties in HIPAA, as it was passed a decade ago, and decided it would step into that void. SB 541 gave the CDPH the power to investigate and fine organizations for data breaches, while AB 211 created the California Office of Health Information Integrity (CalOHII) and gave that office the power to fine individuals and refer them to professional licensing boards. Under these laws, fines can be levied for negligent disclosure, can be given to both the organization and the individual, and can range from $2,500 to $250,000 per violation. Within 5 days of a detected breach, notification must be provided to both the individuals and CalOHII. Every day late in reporting carries a fine of $100 per day. CalOHII recently reported it was overwhelmed in the first six months of this year with over 800 reported breaches. While most of these breaches are still being investigated and are under review, Kaiser Permanente recently received the first fine under this law. A fine of $250,000 was imposed for not sufficiently locking down “Octomom” Nadya Suleman’s medical records, allowing 23 different Kaiser employees access. When her PHI found its way to the media, it created a high profile example of a breach and of the CDPH’s ability to levy fines.

HITECH ACT
The Health Information Technology for Economic and Clinical Health Act passed as part of the stimulus bill in early 2009 and became effective September 23rd, 2009. Annual reporting to HHS of all breaches is now required, and reporting to individuals is required within 60 days of a detected breach. For breaches affecting more than 500 individuals, HHS must be notified within 60 days, and notification to the local media is required. While the California laws make no distinction based on the potential harm to the individuals, the HITECH Act allows for a determination that, if there is no significant risk of financial, reputational, or other harm to an individual, notification may not be required. This determination must be clearly substantiated from an understanding of the type of information that was breached, as well as of all forms of identity theft fraud that can be perpetrated with it, not just the financial aspects.

No One is Immune
While increased regulation is nearly always greeted with new frustrations, these consumer oriented requirements are nearly unanimously appreciated when our own personal information is involved. This was evident again in August, when an employee of Anthem Blue Shield downloaded over 850,000 doctors’ information onto an unencrypted laptop for the purpose of working from home. That laptop was stolen from a car overnight, putting hundreds of thousands of doctors at risk of identity theft and other types of fraud. This scenario, like most data breaches, was completely preventable! In fact, over 80% of breaches are caused by employee error, while less than 5% are caused by hacking attempts, according to Computerworld. The workplace continues to be the #1 source of information for identity thieves, and far too often employees make it easy for them. There exists far too little awareness among employees of the cost of breaches to individuals as well as to the organization. With these new requirements as part of the landscape, that needs to change.

Action Points
Risk assessments need to be done on a consistent basis, along with reviewing and updating information security policies and procedures. There is also a tremendous need to increase employees’ understanding of these issues in the medical community. Forbes magazine recently reported that “it is the human element that is often overlooked in data protection schemes.” Studies show that even with solid existing procedures, employees are the weakest link in data protection because they do not have a strong understanding of the why behind the procedures.

Because only limited time is allowed for notification, and because far greater damage is too often done by mishandling the response, HHS has said practices need to have training and a breach incident response plan in place before ever experiencing a breach. This is especially important considering that the state and federal laws require different actions on different timelines. Make sure a plan has been put into place with the help of your counsel before you ever need it.

About the Author:
Matt J. Morris is a Certified ID Theft Risk Management Specialist and a managing partner with TBG-Fraud Solutions. He is a member of CSRHA and has worked for over a decade helping organizations prevent data breaches and identity theft, and has provided training for hundreds of organizations. He is currently providing training and data breach response plans to his clients, most often at no cost to the clinic.
If you would like more information, please contact TBG Fraud Solutions at 888.985.1890 or visit www.preventabreach.com.

Comments or feedback? Email us at advocate@csrha.org.


3720 Folsom Boulevard Suite B | Sacramento CA 95816
Phone: 916-453-0780 Fax: 916-453-0783 Email: advocate@csrha.org Web: www.csrha.org