How HIPAA Fines Jeopardize Your Business Continuity

Health and Human Services (HHS) Office for Civil Rights has been targeting medical facilities that are not abiding by HIPAA security standards. In the past year, HHS has hit small practices all the way up to major medical centers with hefty fines amounting to tens of thousands to millions of dollars.

Today, I want to walk through three very specific cases that represent some of the ways in which your office may be risking getting hit with fines to major violations. HHS has confirmed having penalties on some facilities amounting to well over four million dollars in civil penalties from HIPAA violations related to data management and security policies (or practices in violation of best practices and good HIPAA security hygiene).

I want to outline a few examples of those violations which might put your office in deep water with penalties and fines (let alone risk of a major data breach, loss of patient trust and complete shutdown of your organization).

Over the past 6 years offices all over the United States—including many in and around Philadelphia—have been hit hard with HIPAA violations for simple practices that led protected health information (PHI) to be either exposed or stolen.

One device was residing out of office on a laptop inside an employee’s residence. Another was related to a bank erroneously releasing patient transaction data to the wrong person. And finally, the last I’ll talk about was from an unencrypted flash drives leaking PHI of hundreds of patients. Each of these incidents was worthy of its own hefty fine (among other repercussions).

Stolen computer leads to ten thousand dollar fine

In the case of the computer, the office manager of a doctor’s office had excel files on her desktop containing patient names and dates of visits. The office manager’s laptop was reportedly stolen from her car in a parking lot. The laptop was not encrypted and the information—especially information containing patient information, such as patient names and dates, was viewed as a data breach. As defined by HHS, the excel file was protected health information (PHI).

Because several hundred patients’ information was compromised, the office had to report the breach, which amounted to a fine costing nearly ten thousand dollars in violations, let alone legal fees, forensic investigations related to the breach (and validation of a breach), along with growing patient mistrust of the office’s handling of patient information.

The office manager had no idea that she had in her possession protected health information. To be clear, any information that can identify a person—names, addresses, visit dates and location of visit—are considered protected health information under HHS. To be sure you understand what specifically is considered PHI, take a look at this list. Anything on this list is regarded as protected health information:

• Names
• All geographical data smaller than a state
• Dates (other than year) directly related to an individual
• Telephone numbers
• Fax numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health insurance plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers including license plates
• Device identifiers and serial numbers
• Web URLs
• Internet protocol (IP) addresses
• Biometric identifiers (i.e. retinal scan, fingerprints, Etc.)
• Full face photos and comparable images
• Any unique identifying number, characteristic or code

Anything listed above should be treated as sensitive information in your office and should be kept secure (encrypted and not accessible to those without authorization to view it).

Second breach hits the same doctor’s office

About a year later, unfortunately, a second incident struck the office. While The doctor made sure to enable policies that required all laptops to be encrypted and limited the mobility of computers moving outside of the office (to avoid a situation where a laptop or device containing PHI fall into the wrong hands), the office’s bank mistakenly released charge information to the wrong person.

This bank—like many banks around the country—uses lockboxes to store transaction information and simplify the payment process. The problem with this lockbox? It was NOT secure—while there are many lockbox solutions that ensure HIPAA security standards, the one this bank used did not. The bank released the lockbox to the wrong client, exposing 640 patient identities.

Shouldn’t the bank be held accountable?

I’m sure we’re all thinking, “But it really was the bank’s fault!” The doctor’s office can’t be held accountable for this!

Those patient identities were the responsibility of the doctor and his office. They didn’t do their due diligence to make sure that their vendors—including banks—were abiding by standards outlined by HIPAA. This office didn’t even have a business associate’s agreement in place—an agreement between a vendor and a medical office or organization that ensures the vendor understands, commits to and agree to take responsibility for any HIPAA infractions related to their negligence. The office received another fine mainly because they were not vetting the bank before entrusting it with their PHI.

Who specifically are business associates?

HHS defines a business associate as any service organization that provides assistance to your business that is likely to touch or process some of your PHI data in some way, shape, or form.

To start thinking about who is and who is not a business associate (of the vendors you work with), I encourage you to evaluate the following questions:

• Do they get records of patient visits?
• Names?
• Treatments?
• Do they get records of specific equipment or consumables needed for a patient’s treatment?

All of this is considered PHI! And any vendor working with you that either has physical access to data or that manipulates or processes ANY form of data relating to a patient (even simply patient names) should be considered a Business Associate and have a Business Associate’s Agreement (commonly termed a BAA) with your office.

USB drive falls in the wrong hands

The last violation a local office accrued happened last year. A technician (this office had an IT technician on staff before seeking other solutions after this third breach) had been asked to back up data from one of the lab computers. Not thinking about security measures, the tech went ahead transferring everything from the computer onto a USB drive.

For some reason, the USB drive, containing a couple more thousand records, could not be accounted for. The tech thought he had put it in a drawer in his office, but it wasn’t where he thought it was. Apparently the drive had been in a box and was recycled with some equipment. The office received a phone call from someone that had found the USB device. Since nothing on it had been encrypted, they were alarmed that patient data was wide open for anyone to see—like they just had. As the other two incidents, this last incident resulted in fines and bad press.

The problem with HIPAA?

It’s too easy to fall short of compliance. It’s far too easy to succumb to a data breach, or even worse, a ransom attack.  It takes dedication and strategy to understand how to keep information security apart of normal operations, especially in local offices, where people simply assume they are doing everything right and could never imagine fines or breaches happening to them.

Are you sure you are doing everything you can to keep your office secure?

Contact us today for a free network security assessment.