Anyone who has been to a healthcare provider in the last five years has become familiar with a HIPAA Release form. As a patient, you are required to sign the form giving the provider permission to release confidential medical records to your insurance company. Along with the form you may have been given a summary of the law describing your rights. I usually get a shrug and an apology from the registration staff for having to repeatedly ask me to sign the same form. However, it has always seemed to me healthcare workers were taking the law seriously and complying with its regulations.
I was surprised to learn recently that hospitals are not living up to their responsibility under federal law to protect against the unwarranted release or loss of my data. Individual physician office practices are scoring even lower in their protection of confidential patient data. Ponemon Institute released a benchmark study this past week on hospital compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. While I was not able to access the full report, their press release was compelling enough.
Federal and civil penalties for HIPAA privacy and security breaches were significantly increased as part of the HITECH section of the American Recovery and Reinvestment Act, which took effect on February 17, 2010. Along with billions of dollars for investment into creating electronic health records (EHR), additional funding was allocated to ensure breaches in confidentiality would be investigated and violators successfully penalized. Key provisions of the HITECH regulations now include:
BEWARE THE UNAWARE
- Fines will be imposed even when a violator unknowingly violates the act. The minimum penalty is $100 with an annual maximum for repeat minimal violations of $25,000. If the violation is severe, regardless of the circumstances, a provider can be fined up to $50,000 per violation with an annual maximum fine of $1.5 million. No penalty will be imposed if the violation is corrected within 30 days.
BEWARE THE AWARE BUT FOOLISH
- This penalty is reserved for the provider, who is aware of the act and willfully, but not neglectfully, accesses medical data without patient consent. Such infractions could occur during the course of patient transfer to another facility when a provider might want to learn the clinical outcome of a prior patient. Fines in this category range from $1,000 to a maximum of $100,000 for repeated violations.
BEWARE THE AWARE WHO FAIL TO SECURE
- Willful neglect will cost a provider anywhere from a minimum of $10,000 to a maximum of $250,000 per violation. Maximum penalties for repeat offenses remain up to $50,000 to $1.5 million. Lesser penalties will be imposed if the provider corrects the violation within 30 days; maximum penalties apply to violations not remedied within 30 days. Examples of violations might be an unsecured server, exposed passwords, and/or data leaving secured provisions for analysis purposes.
BEWARE THE CRIMINAL
- Individuals who knowingly release health information and/or medical record data may be criminally prosecuted and spend 1 year in jail in addition to fines of up to $50,000. A violation using a false pretense basis is more serious. Such offenses can land individuals up to 5 years in jail in addition to fines up to $100,000. Selling or maliciously using health information for personal or financial gain comes with a 10 year prison sentence and fines up to $250,000.
With the above looming penalties, providers have been required to report all breaches involving 500 or more unencrypted medical records since September 2009. Some states have enacted even tougher laws. Earlier in 2010, Connecticut’s Attorney General, Richard Blumenthal, sued Health Net of Connecticut for misplacing security data for nearly 450,000 enrolled patients and for failing to notify them in a timely manner. The lost data included social security numbers, bank account information, and medical health information. The data was lost for 6 months before authorities and patients were notified.
California is one of the states with tough laws supporting patient confidentiality. During 2010 the state imposed stiff penalties totaling $675,000 against 6 hospitals.
- $250,000 for one unauthorized employee who was able to access 204 patient medical records.
- $130,000 for unauthorized access of one patient medical record by 7 employees.
- $100,000 for unauthorized access of 33 patient medical records by 17 employees.
- $95,000 for unauthorized access of one patient record by 4 employees.
- $75,000 for unauthorized access of three patient records by 1 employee.
- $25,000 for unauthorized access of three patient records by 2 employees.
The Ponemon Institute, a research organization sponsored by ID Experts, conducted a two-year study at 65 healthcare organizations and interviewed 211 senior-level managers. Data loss and theft experiences were included in the research. Ponemon reported the following:
- Breaches are costing the healthcare industry nearly $6 billion annually.
- The average organization had 2.4 data breach incidents over the last 2 years.
- Major breaches were unintentional employee action, lost or stolen computing devices, and 3rd party error.
Ponemon went on to report that 58% of the participating organizations have little to no confidence in their ability to protect electronic health records. A staggering 71% have inadequate resources allocated to data security, and 69% would be unable to quickly identify and detect a data theft. Sadly, a majority of the organizations had less than two staff dedicated to data protection management. Reportedly, there were a significant number of undetected data breaches not reported to state and federal authorities. Most interviewed did not feel the HITECH regulations have been an impetus to do a better job.
Ponemon Institute is holding a FREE WEBINAR entitled Benchmark Study on Patient Privacy and Data Security on Tuesday, November 16, 2010 at 1:00pm ET for those interested. ID Experts are reported in Fiercehealthcare.com to be the leader in data breach solutions for government, financial, universities, corporations, and healthcare organizations. While this is clearly a marketing effort, if the research process and what was revealed is solid, which I suspect it is, then the results are staggering and healthcare executives need to tune in.
Another issue looming in the confidential healthcare data world was revealed in the November 14 Baltimore Sun newspaper. Med Chi, a physician medical society representing 22,000 Maryland physicians, is concerned that electronic health records can also be altered by drug companies and insurance companies. They are the first medical society in the nation to pass a resolution calling for state legislation to ensure doctors retain the right to control the treatment plan and keep patient records neutral, without imposed financial parameters. This resolution follows Maryland legislation last year encouraging physicians to adopt electronic medical records. It seems physicians are fearing daily access and interaction by 3rd party payors and drug companies in what was once a confidential treatment process conducted solely by health professionals.
It seems hackers, thieves, harassers, and paparazzi have an open market at this time. Government regulations and penalties are not making much of an impact. More legislation and regulation is coming, but will my and YOUR data be any safer in the end? What will it take to get the attention and priority agenda of healthcare executives to use the experiences and systems of other industries and get data safeguarded?
Comment from Brian Nash: We will soon be posting a White Paper providing instructions on how to report a HIPAA violation as well as important links to federal and state agencies responsible for the protection of a patient’s rights under HIPAA.