I have mostly been concerned with data breaches that impact financial information, like the recent Target and Neiman Marcus events. But health care breaches are also expensive: they also cost about $200 per lost record, and they carry potentially more serious impacts from lost patients, and even lost doctors, due to the damage to the organization’s reputation.
In October 2013 AHMC Healthcare lost the medical records of 729,000 patients: the records literally just walked out of the office. They contained patient names, Medicare data, diagnoses, plus insurance and payment information. State and Federal governments are cracking down on these breaches, with stiffer notification rules and serious penalties: $150,000 from Adult & Pediatric Dermatology in December 2013, $1.2 million from Affinity Health Plan in August, and $1.7 million from Wellpoint in July.
Two Federal laws apply to health care records, HIPAA and HITECH, and the protection of health care information is also covered by the privacy and breach notification laws of 46 US States plus the District of Columbia.
HIPAA is the Health Insurance Portability and Accountability Act of 1996. Its regulations include the Privacy Rule, the Security Rule and the Breach Notification Rule.
HITECH is the Health Information Technology for Economic and Clinical Health Act of 2009. It seeks to improve US health care through the increased use of IT, including Electronic Health Records (EHR or EMR) systems. It also strengthens HIPAA’s privacy and security rules for medical records and extends them directly to business associates.
Since most healthcare companies also handle patient financial information, including payment cards, they may also be required to be PCI-DSS (Payment Card Industry Data Security Standard) compliant. PCI-DSS applies to any organization that stores, processes or transmits cardholder data, whatever its industry. You might think they can just worry about one type of compliance because both are about protecting people’s personal data. You would be wrong. There are significant differences in requirements.
The biggest difference is that PCI-DSS is not a law. It is defined by the PCI Security Standards Council, a commercial group of card companies including American Express, Discover, VISA and MasterCard, and it is enforced through the merchant’s contract with its acquiring bank. While some States have criminal penalties for willful violation of their privacy laws, almost all penalties for PCI violations take the form of fines, the cost of dealing with a breach, and lost reputation. These fines can run into the millions of dollars, paid to the card brands through the acquiring bank, and the company can lose the right to process credit cards, which can be a fatal blow. The company must also notify the customers who may have been compromised. The large breaches end up in the news, but the smaller ones usually don’t.
PCI-DSS requirements are very technical. Its twelve requirements identify specific IT controls, such as network segmentation and firewalls, encryption of stored and transmitted cardholder data, vulnerability management, access control, logging and monitoring, and regular security testing, and they define at least the attributes an acceptable solution must have.
HIPAA is Federal law enforced by the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). In addition to civil fines paid to HHS, HIPAA establishes criminal penalties, including vacations in a federal prison. The Breach Notification Rule requires that, in addition to notifying potentially impacted patients, covered entities report breaches to HHS and, for breaches affecting more than 500 residents of a State or jurisdiction, notify prominent media outlets as well.
HIPAA is focused on policies, training and processes. It requires that every business partner or vendor that creates, receives, maintains or transmits protected health information (PHI) on your behalf, including Cloud Service Providers, be covered by a BAA (Business Associate Agreement) and be HIPAA compliant in its own right. Your company and each of your business associates must complete a risk analysis and a risk management plan that addresses each of the HIPAA administrative, physical and technical safeguards.
HITECH, also under HHS, establishes four tiers of civil penalties based on the culpability of the organization, with financial penalties up to $1.5 million per year for violations of the same provision. However, you can avoid financial penalties under HITECH if the violation was not due to willful neglect and you correct the problem within 30 days of the date you knew, or should have known, about it.
I wonder who pays the fines when the Affordable Care Act website, including its back-end processing that links to Social Security and the health care providers, violates HIPAA, HITECH or PCI-DSS rules?
The last word:
What to do?
- Make sure your company and your partners are HIPAA and HITECH compliant. Work with your partners, such as billing and EMR providers, to make sure they are compliant, including with PCI-DSS where appropriate.
- Get a copy of each partner’s HIPAA risk analysis and risk management plan, and keep them with yours in preparation for a possible HHS audit (OCR’s pilot audits were carried out by KPMG). Also get a copy of each partner’s latest audit report and confirm that the audit was performed against the OCR Audit Protocol.
- If you also hold patient financial information (e.g., credit card numbers), get each partner’s latest PCI-DSS compliance evidence, that is the Report on Compliance or Self-Assessment Questionnaire together with the signed Attestation of Compliance, and confirm it was assessed against the current version of the PCI-DSS.
- Make sure your employees and contractors are well trained on your processes and the law, and monitor for violations.
- Make sure your IT department is following the appropriate best practices. The HIPAA Security Rule says what must be protected but leaves most of the “how” to you, so use the PCI-DSS technical requirements as a framework for the technical safeguards.
A health care security breach can impact your business, even put you out of business. While you are focused on your patients’ health, also focus on protecting their privacy and your reputation.
Keep your sense of humor.