HIPAA Breaches and the Triple-Whammy Effect

According to the Department of Health & Human Services “breach tool”, 85 data breaches affecting 500 or more individuals have been reported to the Office for Civil Rights (OCR) so far this year – not quite so many as at the same stage in 2013, but when the theft of a single unencrypted thumb drive can expose 2,200 patient records to the risk of being compromised, the running total matters less than the individual incidents. The theft of that thumb drive from an employee’s car resulted in a $150,000 fine for Adult & Pediatric Dermatology of Concord, Massachusetts. Many more data breaches will be reported to the OCR as the year progresses, and stiff financial penalties handed out to the healthcare organizations that fail to safeguard the integrity of protected health information (PHI).

The bad news for healthcare organizations that fail to implement measures to safeguard the integrity of PHI – and that suffer a loss or theft of data as a result – is that the cash collected by the Department of Health & Human Services for these data breaches is being plowed back into the system to fund more audits and more auditors.

More Audits (and More Auditors) on the Way

Up until recently, the OCR has been under-funded and under-resourced. The “Office” is not only responsible for investigating breaches of PHI and conducting compliance audits but also protects against discriminatory practices in the healthcare industry.

Consequently, when the OCR conducted its initial round of HIPAA audits in 2011, the job was outsourced to accounting firms with no experience of HIPAA audits or the OCR’s “Audit Protocol”. In February this year, the OCR announced its intention to conduct a second round of HIPAA audits, and this time around the personnel conducting the audits will be the OCR’s very own, purposely recruited and specially trained auditors. With the millions of dollars that have been rolling into the OCR’s bank account, the resources now exist to thoroughly check compliance with HIPAA across a higher number of healthcare organizations, increasing the likelihood of more fines being issued and even more auditors being brought on board.

You Don’t Even Need to Have a Big Breach to Get a Big Fine

Back in 2012, the OCR fined the Shasta Regional Medical Center in Redding, California, $275,000 for the unauthorized disclosure of one patient’s medical record – the record of Darlene Courtois. Hospital CEO Randall Hempling and Chief Medical Officer Dr. Marcia McCampbell disclosed it in response to a newspaper article accusing the medical center of Medicare fraud.

The huge fine was not only for the disclosure of the medical record but for an email distributed amongst the facility’s 900 employees describing Courtois’ medical condition. Shasta Regional Medical Center failed to even impose sanctions on Hempling and McCampbell for the breach of PHI.

Things got worse for the Shasta Regional Medical Center in 2012 when the FBI interviewed Ms. Courtois as part of an investigation into the fraud allegations. As yet, no criminal proceedings have been issued, but with cases of kwashiorkor 70 times the national average at the Shasta Regional Medical Center, it would seem like a good place to avoid!

Who Wants 2,200 Patients’ Records Anyway?

Stolen patient records are becoming more valuable than stolen credit card details according to John Halamka – chairman of the New England Healthcare Exchange Network. Commenting for an article in itworld.com, Halamka noted that with enough information about a patient and some false ID, an uninsured person could walk into a medical facility and get treatment free of charge:

“If I am one of the 50 million Americans who are uninsured … and I need a million-dollar heart transplant, for $250 I can get a complete medical record including insurance company details.”

A stolen thumb drive containing 2,200 patients’ records would be worth more than $500,000 if each could be sold for $250 – incentivizing thieves and hackers to focus on the databases of healthcare organizations and reinforcing the need for healthcare organizations to implement HIPAA-compliant security measures without delay.

A Triple-Whammy for Negligent Healthcare Organizations

In addition to the inevitable fine for non-compliance with HIPAA, and potential criminal charges brought by the FBI, healthcare organizations are also at risk of huge lawsuits landing on their desks when PHI is compromised.

The theft of 10 unencrypted back-up discs from Emory Healthcare in Atlanta – containing a substantial amount of personal information relating to 228,000 patients – resulted in a class-action lawsuit, seeking $1,000 in compensation for each of the affected patients.

The Emory Healthcare class action may have been speculative (as no “harm” had been suffered by any of the patients), but if it can be substantiated that the plaintiffs have suffered a financial injury, the $200 million lawsuit might just find favor in the courts.