Recent breaches of several large healthcare companies, such as Anthem, Premera Blue Cross and UCLA Health, compromised the protected health information (PHI) of nearly 100 million people. Those incidents have made it clear: Stakes are rising and HIPAA is finally coming home to roost. However, some simple measures can protect your organization from becoming the victim of a breach. To that end, it’s worth dispelling some persistent myths.
MYTH: The bad guys are coming for your data
REALITY: It’s not them—it’s us
We’re all so focused on a potential hack that we neglect to guard ourselves. In fact, a survey of 80 U.S. healthcare organizations, conducted by the Ponemon Institute, found that 75% don’t secure medical devices containing sensitive patient information, while 94% had leaked data in the previous two years—mostly due to staff negligence.
In 2012, Massachusetts Eye and Ear had to pay the U.S. Department of Health and Human Services a $1.5 million fine to settle HIPAA violations because of a single stolen, unencrypted laptop. The Office for Civil Rights said that Mass. Eye and Ear not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements. UCLA Health, another example, was hacked, but the data was also unencrypted.
We can debate whether the loss of electronic PHI is due to theft or unencrypted data, but that’s not the point. Maintain focus on the things within your power to control and do the best you can for your EMS service.
MYTH: Breaches always require notification
REALITY: That depends how you define a “breach”
The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured PHI. So, do all “breaches” or unauthorized disclosures require notification? Not if it doesn’t qualify as a breach.
You actually have to conduct a risk assessment first. If there’s a low probability of compromise, notification isn’t necessarily required. A risk assessment covers these four factors:
- Extent of PHI: What was the source, how much PHI was involved, and was it de-identified information that could possibly be re-identified?
- Disclosed to whom: Was it disclosed to another business associate, maybe the incorrect one, but one who has similar requirements to maintain confidentiality?
- Was PHI viewed or accessed: Was the acquired PHI even viewed?
- Mitigation: Was the information encrypted and password protected?
There are also exceptions to the definition of a breach, such as:
- Use or access by a person acting under and within scope of authority in good faith
- Inadvertent disclosure from one authorized person to another authorized person
- Good faith belief that unauthorized person can’t retain the information
There’s also a breach notification safe harbor. If a device is stolen, there’s no notification requirement if the PHI on it is encrypted in a manner that meets the National Institute of Standards and Technology (NIST) FIPS 140-2 encryption standard.
When something happens, we jump to the conclusion that it’s a breach—but the truth is, the law is a lot more nuanced.
MYTH: As long as I comply with HIPAA, I’m in the clear
REALITY: There are other issues we need to protect against
Don’t be fooled into thinking HIPAA is all you have to worry about. There are many other federal and state regulatory agencies that want to protect consumers’ information and other data, including the Federal Trade Commission.
Be aware of personally identifiable information (PII), which is any data that uniquely identify an individual, such as names, addresses, birthdates or Social Security numbers—essentially PHI without the medical information. Forty-seven states have data breach laws for PII.
In 2013, for example, the FTC filed a complaint against LabMD, a medical testing laboratory, after one of its employees had downloaded LimeWire, a peer-to-peer sharing program, onto a company workstation to listen to music at work. The sharing platform allowed sensitive client data to leave the network, and in 2012, LabMD documents containing the PII of at least 500 consumers were found in the hands of identity thieves. As recently as July 2016, the FTC decided that (the now defunct) LabMD unreasonably failed to protect the security of consumers’ sensitive personal information. The commission’s decision essentially dictated a new standard that says that it doesn’t matter whether there was actual harm to consumers—the mere exposure of their information was sufficient.
What You Can Do For Your Agency
Acts as simple as setting devices to have shorter time-out periods or encrypting hard drives can do a lot to protect your EMS service and its consumers. If, for example, your agency stores medical information locally on a laptop and a medic accidentally leaves the device at a scene, the device is subject to theft and potential loss of PHI. But if the hard drive is encrypted, the information still can’t be accessed even if someone manages to get in and remove the hard drive. Some measures you can take to protect your data include:
- Restricting access for authorized users: Set a limit on how long a patient can be looked up through a mobile device after last contact, and don’t retain data locally once it has been synced.
- Lockouts and timeouts: Set your device to lock automatically when it’s not in use.
- Password settings: Based on your agency’s preference, you can require passwords to expire at regular intervals, maintain a certain length and complexity, and not be repeated.
The information in this article should not be construed as legal advice or legal opinion on specific facts, and should not be considered representative of the views of ESO Solutions or any of its lawyers, unless expressly stated.
Michael Sias is an expert on the legal issues faced by high-growth companies and has extensive experience in both the public and private sectors, as well as private practice. He holds AB and LLM degrees from Duke University, along with JD and MBA degrees from the University of Denver. Michael is the Vice President and Corporate Counsel at ESO Solutions, a leading provider of healthcare software and interoperability solutions, and leads the company’s legal department, overseeing compliance, contract management, risk management and privacy issues.