Why Your Medical Practice May Have Exposure to a Cybercrime

August 9, 2013
Sarah Q. Wirskye

You may not equate a HIPAA violation with a cybercrime, but if you have patient records, you need to secure and protect that information electronically.

Most people think of "cybercrime" as actions by someone who wrongfully gains access to electronic information and then uses it for their benefit illegally. However, "cybercrime" cases also include enforcement actions regarding data breaches against reputable entities who allegedly did not take adequate protection measures safeguarding client data. Both the federal and state governments have pursued such actions and published requirements in dealing with sensitive, and particularly HIPAA-related, information.

HHS' Office for Civil Rights (OCR) entered into several major settlements of HIPAA-based enforcement actions in 2012. The entities include a major health insurance provider in Tennessee, a hospital in Massachusetts, and the Alaska Department of Health and Human Services. All of these cases settled for between $1.5 million and $1.7 million. These cases stem from reported data breaches involving lost or stolen electronic storage media allegedly containing protected health information (PHI). These settlements also generally include corrective action plans, some with third-party compliance monitoring, in addition to the monetary payments mentioned earlier.

Recently, WellPoint settled a similar case and agreed to pay $1.7 million for leaving information accessible over the Internet. OCR began its investigation following a breach report submitted by WellPoint as required by the HITECH Act. The HITECH Breach Notification Bill requires HIPAA-covered entities to report a breach of unsecured PHI. The report indicated that a security weakness in an online application database left the electronic PHI of over 612,000 individuals accessible to unauthorized individuals over the Internet. OCR’s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Privacy Rule.

Notably, the government is not only pursuing actions against large insurance carriers or hospital systems. A cardiac surgery practice in Phoenix settled a case for $100,000 with OCR resulting from allegedly posting PHI on a publicly accessible, Internet-based appointment calendar. State attorneys general have also pursued "smaller" cases, which have resulted in six-figure settlements. Therefore, it is clear that physician practices must take adequate measures as well.

Whether system upgrades are conducted by covered entities or their business associates, OCR expects organizations to have in place reasonable and appropriate technical, administrative, and physical safeguards to protect the confidentiality, integrity, and availability of electronic PHI, especially information accessible over the Internet. Moreover, beginning September 23, 2013, liability for many of HIPAA’s requirements will extend directly to business associates that receive or store PHI, such as contractors and subcontractors.

On November 26, 2012, OCR released guidance regarding methods for de-identification of PHI in accordance with the HIPAA Privacy Rule. The Privacy Rule essentially establishes two methods to de-identify PHI. The first is removing 18 specific identifiers, including names, addresses, and Social Security numbers. The second is obtaining a professional statistical analysis and opinion that the risk of identifying an individual is very small.
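To make the first method concrete, here is an added example (not code from the article or from HHS) that applies the "remove 18 identifiers" approach, known as Safe Harbor under 45 CFR 164.514(b)(2), to a single structured patient record. The 18 identifier categories are taken from that regulation; the field names, the sample record, and the set of populous three-digit zip prefixes are assumptions constructed for the example (a real implementation would use the Census data the rule refers to). Dates are reduced to the year, ages over 89 are aggregated to "90 or older", and a regex sweep flags identifiers that survive in free-text notes. The second method, expert statistical determination, is not something code can stand in for and is not shown.

```python
"""Safe Harbor de-identification of one patient record (added example)."""
import re
from datetime import date

# Safe Harbor (45 CFR 164.514(b)(2)) lists 18 identifier categories to remove.
# The field names below are assumptions about how a practice's export might label
# them; adapt them to the real schema. Numbers refer to the rule's categories.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name",                                 # 1. names
    "street_address", "city", "county",     # 2. geography below state (zip below)
    "phone",                                # 4. telephone numbers
    "fax",                                  # 5. fax numbers
    "email",                                # 6. email addresses
    "ssn",                                  # 7. Social Security numbers
    "mrn",                                  # 8. medical record numbers
    "health_plan_id",                       # 9. health plan beneficiary numbers
    "account_number",                       # 10. account numbers
    "license_number",                       # 11. certificate/license numbers
    "vehicle_id",                           # 12. vehicle identifiers
    "device_id",                            # 13. device identifiers/serials
    "url",                                  # 14. web URLs
    "ip_address",                           # 15. IP addresses
    "biometric_id",                         # 16. biometric identifiers
    "photo",                                # 17. full-face photographs
    "other_unique_id",                      # 18. any other unique code/number
})
# 3. Dates (except year) directly related to the individual; ages over 89 aggregate.
DATE_FIELDS = frozenset({"dob", "admission_date", "discharge_date", "death_date"})

# Constructed stand-in for the Census lookup: zip prefixes whose combined
# population exceeds 20,000 may keep their first three digits; others become 000.
POPULOUS_ZIP3 = frozenset({"021", "372", "850"})

# Common identifier formats to flag in free text. This is a check on what the
# structured pass cannot see, not a guarantee that notes are clean.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalize_zip(zip_code):
    """Keep the 3-digit prefix only when its population is large enough."""
    zip3 = zip_code[:3]
    return zip3 if zip3 in POPULOUS_ZIP3 else "000"


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def deidentify(record, as_of):
    """Return a Safe Harbor de-identified copy of a field -> value record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                      # drop direct identifiers outright
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"        # birth year would reveal age > 89
            else:
                out["birth_year"] = value.year
        elif field in DATE_FIELDS:
            out[field + "_year"] = value.year
        else:
            out[field] = value            # clinical data passes through
    return out


def find_residual_identifiers(text):
    """Names of free-text patterns found in text, sorted for stable output."""
    return sorted(name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text))


SAMPLE_RECORD = {  # constructed sample; not a real patient
    "name": "Jane Q. Sample", "street_address": "1 Example Way",
    "city": "Phoenix", "state": "AZ", "zip": "85001",
    "phone": "602-555-0100", "email": "jane@example.invalid",
    "ssn": "000-00-0000", "mrn": "MRN-TEST-0001",
    "dob": date(1950, 6, 15), "admission_date": date(2013, 3, 2),
    "diagnosis": "I25.10",
    "notes": "Patient called from 602-555-0100 to reschedule; recheck on 3/9/2013.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, as_of=date(2013, 8, 9))
    print(cleaned)
    leftovers = find_residual_identifiers(cleaned.get("notes", ""))
    if leftovers:
        print("free-text notes still contain:", leftovers)
```

The structured pass is mechanical; the free-text sweep is where most real de-identification failures hide, which is why the example treats it as a flag for human review rather than silently redacting matches.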

With the government focus on "cybercrime" becoming an increasing area of scrutiny, physicians who have access to and record PHI should ensure they are familiar with and implement the appropriate procedures in securing and protecting PHI.

Additional rules can be found at www.hhs.gov. However, the rules are not always clear, and ideally you should contact a healthcare attorney to confirm that you are HIPAA-compliant and to learn what to do if there is a potential breach.