First fine from HIPAA breach-notification rule not seen as much of a deterrent

Modern Healthcare - NEWS - Joe Carlson

First-ever fine for breach-notification rule doesn't impress critics

The first-ever penalties stemming from enforcement of the breach-notification rule in the 2009 stimulus law are drawing mixed reviews from data-privacy advocates, who say federal regulators' $1.5 million settlement with Blue Cross and Blue Shield of Tennessee seems unlikely to halt healthcare companies' lax treatment of patient data.

HHS' Office for Civil Rights, which enforces the data-privacy rules under the Health Insurance Portability and Accountability Act of 1996, reported last week that Blue Cross and Blue Shield of Tennessee agreed to pay $1.5 million and enter into a 450-day corrective action plan after 57 hard drives containing private health data for more than 1 million people were stolen in 2009 from a leased facility that did not have appropriate access controls.

"This is not about breach notification, it's about security," said Twila Brase, a registered nurse and president of the Citizens' Council for Health Freedom in St. Paul, Minn. "The settlement brings this up into the news so people understand that we have a problem with security of private health data. But I just don't think that the fines are necessarily going to solve the problem."

Blue Cross and Blue Shield of Tennessee said in a news release that the unencrypted hard drives had been located in a "data storage closet" inside a former Blue Cross customer call center that the company had leased in Chattanooga, Tenn. The computer drives contained audio and video recordings of customer service calls that included some patients' names, Social Security numbers, dates of birth, diagnosis codes and health plan ID numbers.

Blue Cross said there was no indication that any of the data has been misused. The company has spent $17 million on its investigation, notification and protection efforts following the thefts, including voluntarily encrypting all of its "at rest" data.

"Since the theft, we have worked diligently to restore the trust of our members by demonstrating our full commitment to limiting their risks from this misdeed and making significant investments to ensure their information is safe at all times," Tena Roberson, deputy general counsel and chief privacy officer for the Tennessee Blues, said in the release.

The Health Information Technology for Economic and Clinical Health Act, enacted in 2009 as part of the American Recovery and Reinvestment Act, includes a requirement that certain organizations must report instances of impermissible use of private health information or breaches that affect more than 500 people to regulators and news media.

After its investigation, the Office for Civil Rights concluded that Blue Cross had violated health-privacy laws in two ways: by failing to perform a required security evaluation in response to an operational change, and by failing to implement physical safeguards such as adequate facility access controls, according to a news release from the Office for Civil Rights.

Dr. Deborah Peel, founder and chairwoman of the Patient Privacy Rights Foundation in Austin, Texas, said the Office for Civil Rights' financial settlement and corrective action plan disregard the harm to victims. The agreement could have required the company to provide identity-theft monitoring services, for example, because many cases of medical identity theft take years to materialize, she said.

"It's good to see OCR is trying to force the industry to protect the data," Peel said. "It's just disheartening to see that they did nothing to help the patients." She also characterized the $1.5 million fine as "practically nothing" to a large, statewide health insurance company.

But the business risks presented by massive breaches made possible by the widespread adoption of health information technology go far beyond penalties imposed by HHS, including the costs of media relations, reputation damage and exposure to class-action lawsuits, according to a report issued this month by a coalition called the PHI Project led by the American National Standards Institute. Sacramento, Calif.-based Sutter Health; UCLA Health System, Los Angeles; Stanford Hospital & Clinics, Palo Alto, Calif.; and Tricare contractor SAIC have all been sued over breaches in the past six months.

The $1.5 million settlement payment in the Tennessee Blues case and the technical nature of the actual violations alleged speak to the failure of the law to protect consumers while giving healthcare organizations understandable rules, said James Pyles, a principal at the law firm Powers Pyles Sutter & Verville and a lead researcher and author of the report.

"These tapes were under biometric locks," Pyles said. "They were double-locked. They had security in the building. It wasn't as if these things were left in the back of a car somewhere. And yet they ended up paying the maximum that could have been paid. That has implications for everyone."

—with Gregg Blesch

The widespread adoption of IT makes massive breaches possible and the risks go beyond HHS penalties, according to one recent report.
