HIPAA CASE STUDY- BREACHES OF PHI IN HEALTHCARE Amanda Foster Erin Frankenberger


Post on 03-Jan-2016


Page 1:

HIPAA CASE STUDY- BREACHES OF PHI IN HEALTHCARE

Amanda Foster, Erin Frankenberger

Page 2:

Healthcare Security Breach Facts

• 61% of organizations are not confident of where PHI is physically located

• 69% of hospitals don’t have the proper controls or policies to detect and respond to breaches

• 29% of hospitals feel that protection of PHI is a priority

• Between 2009-2011 over 18 million patient records were breached

• Between 2010-2011 there was an increase of 32% in the number of records breached.

• Laptops and other portable devices (tablets, smartphones etc.) are the number one cause for PHI breaches. (Redspin, 2011)

Page 3:

Case study: HHS Settlement

• In 2010 a physician's laptop was stolen while abroad
• Computer contained PHI
• Information was not encrypted
• Massachusetts hospital reported the incident to HHS
• HHS found six areas of noncompliance with HIPAA privacy and security rules
• Hospital did not have to admit guilt
• HHS was paid $1.5 million in a settlement

Page 4:

What is HIPAA?

• The Health Insurance Portability and Accountability Act of 1996
• Provides continuity of care
• Controls fraud
• Assists in controlling abuse in healthcare
• Reduces healthcare costs
• Guarantees security and privacy of health information

Page 5:

What is PHI?

• Names
• Geographical identifiers
• Dates directly related to the individual
• Phone numbers
• Fax numbers
• E-mail addresses
• Social security numbers
• MR numbers
• Health insurance beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers (license plate, serial numbers...)
• Device identifiers
• URLs
• IP address numbers
• Biometric identifiers (fingerprints, retinal and voice prints)
• Full face photographic images
• Any other unique identifying code or characteristic

Page 6:

What is considered a Breach?

• Unauthorized use or disclosure of PHI
• Anything that may compromise the security or privacy of PHI
• If the disclosure poses a significant risk to the individual
• Some exceptions:
  a) unintentional access by an employee
  b) case of inadvertent disclosure of PHI

Page 7:

What is the Main Cause of PHI Breaches in the Healthcare Industry?

• Main cause is lost or stolen laptops.
• A growing concern is 'BYOD' or bring your own device, which includes the use of:
  a) Smart phones
  b) Tablets
  c) Any other high tech data collecting device

Page 8:

What is encryption of data?

• Encryption technology uses cryptography to code digital data and information (LaTour, 2010)
• Information can be transmitted over communications media, and the sender will know that only the recipient can make sense of the information
• There is symmetric or single-key encryption, where the computer software assigns a secret key or code
• For the encryption to work, both the sending computer and the receiving computer must have the same key
• The second type of encryption is asymmetric, also known as public key infrastructure (PKI), in which both computers are not required to have the same key to decode messages
• There is a private key that belongs to one computer, and a public key is given to the desired computer with which it wants to exchange the encrypted data
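The two kinds of encryption the slide describes, as an added example that is not part of the original presentation: AES-GCM stands in for the single-key case (sender and receiver must hold the same key) and RSA-OAEP for the public/private-key case (the public key is handed out, the private key never leaves the recipient), using only Go's standard library. The record text, the key sizes and the function names are assumptions chosen for the demo.

```go
// Added example, not from the original slides: the two kinds of encryption
// the slide describes, using only Go's standard library. Sample record
// content is constructed; key sizes are the usual current choices.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptSymmetric seals plaintext with AES-256-GCM under a 32-byte key and
// prepends the random nonce. GCM also authenticates, so a modified
// ciphertext is rejected instead of decrypting to garbage.
func EncryptSymmetric(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptSymmetric reverses EncryptSymmetric; it needs the same key the
// sender used, which is the single-key property the slide describes.
func DecryptSymmetric(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// NewRecipientKey generates the recipient's RSA key pair. The private half
// stays on the recipient's computer; only the public half is handed out.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EncryptForRecipient encrypts to a public key (RSA-OAEP with SHA-256).
func EncryptForRecipient(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// DecryptWithPrivate opens RSA-OAEP ciphertext; only the private key can.
func DecryptWithPrivate(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	record := []byte("MRN 000123 (constructed): appointment 2010-02-14")

	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ct, err := EncryptSymmetric(key, record)
	if err != nil {
		panic(err)
	}
	pt, _ := DecryptSymmetric(key, ct)
	fmt.Println("same key recovers the record:", string(pt) == string(record))

	// Whoever holds the device but not the key gets an error, not the PHI.
	_, err = DecryptSymmetric(make([]byte, 32), ct)
	fmt.Println("different key is rejected:", err != nil)

	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	sealed, _ := EncryptForRecipient(&priv.PublicKey, record)
	opened, _ := DecryptWithPrivate(priv, sealed)
	fmt.Println("public key encrypts, private key decrypts:", string(opened) == string(record))
}
```

This is the property the Page 3 settlement turned on: had the laptop held only AES-GCM ciphertext, its loss would have exposed unreadable bytes rather than PHI, and a wrong or missing key produces an error rather than a partial plaintext. In practice the symmetric key is what full-disk encryption protects with the user's passphrase, and the asymmetric pair is what lets a sender encrypt to a recipient without ever sharing that key.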

Page 9:

What other protective measures can be implemented to prevent PHI breaches from occurring?

• Firewalls are hardware and software security devices situated between the routers of a private and public network (LaTour, 2010)
• They protect computer networks from any unauthorized outside users, and they can also protect entities within a single network
• Audit trails are another preventative measure which can provide evidence of computer system utilization
• These chronological sets of records can assist in determining if there were any security violations, and can often identify areas for improvement
• Some suggested data elements that are tracked in healthcare information systems audit trails are: date and time of event, patient ID, user ID, access device used, type of action (read, print, update, or add), source of access, software application used, reason for access (patient care, research, billing, etc.)
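What a trail built from those data elements lets a reviewer do, as an added example that is not part of the original presentation: parse the records and run three checks over them (access from a device that is not in the managed inventory, access with no accepted reason, and one user opening an unusual number of distinct patient records in a short window). The pipe-delimited layout, the sample records, the device inventory and the thresholds are all constructed for the demo.

```go
// Added example, not from the original slides. The record layout, the
// sample trail and the policy values below are all constructed.
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent holds the data elements the slide lists for an audit trail.
type AuditEvent struct {
	Time                                                    time.Time
	PatientID, UserID, Device, Action, Source, App, Reason string
}

type Policy struct {
	ManagedDevices map[string]bool // organization-owned, inventoried devices
	AllowedReasons map[string]bool // accepted values of the reason field
	Window         time.Duration   // span for the distinct-patient check
	MaxPatients    int             // more distinct patients than this is flagged
}

type Finding struct{ Rule, UserID, Detail string } // one violation or anomaly

// ParseAuditLine reads one pipe-delimited record (constructed layout):
// time|patient|user|device|action|source|application|reason
func ParseAuditLine(line string) (AuditEvent, error) {
	f := strings.Split(line, "|")
	if len(f) != 8 {
		return AuditEvent{}, fmt.Errorf("expected 8 fields, got %d: %q", len(f), line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return AuditEvent{}, err
	}
	return AuditEvent{ts, f[1], f[2], f[3], f[4], f[5], f[6], strings.TrimSpace(f[7])}, nil
}

// ReviewAuditTrail applies three checks: access from an unmanaged (BYOD)
// device, access without an accepted reason, and one user touching more
// distinct patient records inside one window than the policy allows.
func ReviewAuditTrail(events []AuditEvent, p Policy) []Finding {
	out, byUser := []Finding{}, map[string][]AuditEvent{}
	for _, e := range events {
		if !p.ManagedDevices[e.Device] {
			out = append(out, Finding{"unmanaged-device", e.UserID, e.Device})
		}
		if !p.AllowedReasons[e.Reason] {
			out = append(out, Finding{"missing-or-invalid-reason", e.UserID, fmt.Sprintf("patient %s, reason %q", e.PatientID, e.Reason)})
		}
		byUser[e.UserID] = append(byUser[e.UserID], e)
	}
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for i := range evs {
			distinct := map[string]bool{}
			for j := i; j < len(evs) && !evs[j].Time.After(evs[i].Time.Add(p.Window)); j++ {
				distinct[evs[j].PatientID] = true
			}
			if len(distinct) > p.MaxPatients {
				out = append(out, Finding{"bulk-patient-access", u, fmt.Sprintf("%d distinct patients within %s from %s", len(distinct), p.Window, evs[i].Time.Format(time.RFC3339))})
				break // one finding per user is enough for a reviewer
			}
		}
	}
	return out
}

// SampleTrail is constructed: one ordinary user, then an evening session from a personal tablet with no reason recorded.
var SampleTrail = []string{
	"2013-02-18T09:12:00Z|P1001|dr.smith|WS-ICU-01|read|internal|EHR|patient care",
	"2013-02-18T09:14:00Z|P1002|dr.smith|WS-ICU-01|update|internal|EHR|patient care",
	"2013-02-18T22:05:00Z|P2001|clerk.jones|BYOD-TABLET-7|read|remote|EHR|",
	"2013-02-18T22:06:00Z|P2002|clerk.jones|BYOD-TABLET-7|print|remote|EHR|",
	"2013-02-18T22:07:00Z|P2003|clerk.jones|BYOD-TABLET-7|read|remote|EHR|",
	"2013-02-18T22:08:00Z|P2004|clerk.jones|BYOD-TABLET-7|read|remote|EHR|",
}

var DefaultPolicy = Policy{ // constructed policy used by main and the test
	ManagedDevices: map[string]bool{"WS-ICU-01": true, "WS-LAB-02": true},
	AllowedReasons: map[string]bool{"patient care": true, "research": true, "billing": true},
	Window:         15 * time.Minute,
	MaxPatients:    3,
}

func main() {
	var events []AuditEvent
	for _, l := range SampleTrail {
		e, err := ParseAuditLine(l)
		if err != nil {
			panic(err)
		}
		events = append(events, e)
	}
	for _, f := range ReviewAuditTrail(events, DefaultPolicy) {
		fmt.Printf("%-26s user=%-15s %s\n", f.Rule, f.UserID, f.Detail)
	}
}
```

Run on the sample trail, the reviewer sees nothing for dr.smith and three kinds of finding for clerk.jones: every record came from a device outside the inventory (the BYOD concern from Page 7), none carried a reason for access, and four different patients were opened within four minutes. The point of recording the elements the slide lists is exactly that each check needs a different one of them: device used, reason for access, and patient ID joined with date and time.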

Page 10:

Are there any regulations or legislation in place for the use of mobile devices?

• Mobile Health Applications (mHealth apps) are coming under the microscope in legislation
• There is no formal regulation regarding how PHI is collected through mobile devices
• Hank Johnson, a representative from Georgia, proposed the Application Privacy, Protection and Security Act of 2013 (APPS)
• It is only in the draft phase, but if it were to be approved, developers would have to disclose how they collect personal data and what other parties would have access to this data

Page 11:

What are the repercussions of breaching PHI?

• Civil: $50,000 per incident, up to $1.5 million per calendar year for violations that are not corrected
• Criminal: $50,000 to $250,000 in fines and up to 10 years in prison
• In addition, institutions that fail to correct a HIPAA violation may be fined up to $50,000 per violation.

Page 12:

When must a breach be reported and to whom?

• The HHS website states that once a breach has been identified, the covered entities must inform the affected individuals
• A written notice by first class mail, or by e-mail if the individual elected to receive notices electronically
• The notifications have to be provided no later than 60 days following the breach discovery
• The written notice must include a description of the breach and the steps the individuals must take to protect themselves from harm
• It should also include information regarding what the covered entity is doing to investigate the breach, and how they will prevent future breaches
• After notifying the media, they must contact the Secretary through the HHS website, and they must fill out a breach report form.
• If more than 500 individuals are involved, then the covered entities are required to provide notice to media outlets serving the State or jurisdiction (usually done in a press release)
• Then they must notify the Secretary within 60 days
• If fewer than 500 patients were affected, they would then report the breach on an annual basis
• If the breach happens due to a business associate, they must notify the covered entity following the discovery of the breach.

Page 13:

To improve the situation...

• There should be tighter standards for the use of electronic devices
• The use of personal devices should be prohibited
• Office devices (laptops) should not be allowed outside of the facility
• Organizations should strictly adhere to policies and procedures involving electronics

Page 14:

References

Breaches Affecting 500 or More Individuals. (2013, February 7). United States Department of Health and Human Services. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative

Dolan, P. L. (2012, September 28). Large settlement for data breach sends message to lock up laptops and smartphones - amednews.com. American Medical News. Retrieved from http://www.ama-assn.org/amednews/2012/09/24/bisg0928.htm

Latour, K.M., & Eichenwald, S. (2010). Health information management: concepts, principles, and practice (3rd ed). Chicago, Ill.: AHIMA.

Page 15:

References (continued)

Low-Tech Security Risks Still Leading Cause of Breaches. (2011, July 19). Journal of AHIMA. Retrieved February 18, 2013, from http://journal.ahima.org/2011/07/19/low-tech-security-risks-still-leading-cause-of-breaches/?mobile_switch=mobile

Nordqvist, C. (2012, December 7). Data Breaches - A Growing Problem In Healthcare Organizations. Medical News Today: Health News. Retrieved from http://www.medicalnewstoday.com/articles/

Redspin. (n.d.). Breach Report 2011 Protected Health Information. Retrieved from www.redspin.com/docs/Redspin_PHI_2011_Breach