A single “Gesundheit” ... that’s all it takes to destroy the HIPAA success of your healthcare company.
Much like the butterfly effect, it begins with a sneeze, which sends a patient to your clinic, which results in a patient record. But what happens when this record—i.e., the patient’s protected health information (PHI)—is stolen and auctioned on the deep web? There, a criminal might sell the patient’s health information, as part of a larger database, for around $96,000 to $411,000.
So from a single sneeze, your healthcare company now faces a HIPAA violation.
But the sneeze isn’t to blame for your company’s HIPAA woes.
Instead, the blame—more often than not—falls on your employees.
Two recent healthcare reports underscore the major threat that employees pose to data security. One report showed that internal actors—because of error, negligence, or malice—caused more than half (58%) of protected health information security incidents. The other report, which surveyed healthcare employees, found that nearly 1 in 5 employees would consider selling patient data to a third party.
This means that when a patient enters your clinic or uses your medical device, there’s already an inside threat to his or her health information. Part of this threat is malicious because certain employees are willing to sell patient information for profit. While this threat is shocking, there’s an even greater threat from your employees.
That threat is the looming danger of digital slip-ups.
Healthcare employees are tethered to a digital world, and because of digital mobility, healthcare information is often on the move. Noting the dangers of mobile and digital devices, Roger Severino, Director of the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services (HHS), had this to say:
Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss. Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk.
LexisNexis’ white paper, Meeting the Risks Relating to Protected Health Data and Medical Devices, highlights a mobile-device case in which electronic protected health information, or ePHI, was disclosed by CardioNet, a wireless health services provider. CardioNet, which offers mobile monitoring for cardiac arrhythmias, paid a $2.5 million settlement after losing the data of 1,391 patients. This loss occurred when an employee’s laptop was stolen from a parked car outside the employee’s home.
But employee laptops aren’t the only digital sources of patient information. Employee email and social media are also soft targets for data thieves. Recently, Iowa-based Primary Health Care notified patients that four of its employees’ email and Google Drive accounts had been improperly accessed. According to a recent report on this breach:
One of the potentially compromised email accounts or Google Drives contained a combination of patients' names, phone numbers, Social Security numbers, driver's license numbers, financial account numbers, credit or debit card numbers, date of services, diagnosis and treatment information, medical history, facility and provider visited, health insurance information and, if applicable, Medicaid identification numbers.
As for the dangers of employee social media, the LexisNexis white paper points to a HIPAA violation that resulted from a med tech’s Facebook post. In the post, the med tech commented on a patient killed in a car crash, using the words, “Should have worn her seatbelt…” Because of this PHI disclosure, the med tech was fired by her hospital employer. The white paper goes on to underscore the risks of social media by warning employees to:
If (and when) a HIPAA violation occurs, employee error—or in some cases, malicious intent—will likely be the culprit. To protect your company from legal action, HIPAA penalties or criminal punishment, your employees need to create an airtight information seal within the walls of your business.
But before you can have airtight employees, you first need an airtight understanding of regulatory compliance—i.e., the laws governing the handling and security of patient health information and the increased wireless interconnectivity of medical devices. The former defines and limits the circumstances in which PHI may be used or disclosed; the latter highlights the growing, external cyber threat to drug and device companies.
For an in-depth focus on these two aspects of regulatory compliance, download the LexisNexis white paper, Meeting the Risks Relating to Protected Health Data and Medical Devices.