According to the Protenus Breach Barometer report, over 5.5 million records were stolen or exposed as a result of 477 reported healthcare data breaches in 2017.
The overwhelming majority of these breaches, 379, affected healthcare providers, and they occurred in 47 U.S. states. Clearly, unauthorized access to protected health information (PHI), that is, patient medical records, is occurring at an alarming rate and is putting healthcare providers and patients nationwide at risk.
Top sources of unauthorized access
A big challenge for providers is identifying precisely how this unauthorized access occurs. Here is a look at the seven most common sources of unauthorized PHI access:
1. Cyberattacks – There are increasing threats from malware and ransomware that can exfiltrate data to remote servers days before the actual encryption stage of the attack, so the incident is a data breach and not only a loss of availability. The number of reported major hacking events attributed to ransomware at healthcare institutions increased by 89% from 2016 to 2017, according to Cryptonite’s 2017 Healthcare Cyber Research Report.
2. Insider snooping – Insiders were responsible for 37% of the total breaches in Protenus’ 2017 report, and insider snooping is one of the leading causes in this category. One reported incident involved a hospital employee snooping for 14 years before the breach was discovered.
3. Mishandling of Protected Health Information (PHI) – Given the complexity of the release of information (ROI) process, there are many opportunities for mishandling of PHI. These include misplacing paper copies of records, leaving copies of PHI in public spaces, misfiling them in the wrong patient’s chart, or delivering them to the incorrect recipient. Mishandling also occurs when multiple staff members handle a single request, or when the master patient index contains duplicate entries for the same patient with different addresses that have not been updated.
4. Theft of a device – Today, PHI including treatment and diagnosis information, medications and social security numbers can be found on laptops, tablets, thumb drives and smartphones throughout provider organizations. Thefts of these pervasive devices occur on a regular basis and securing all of them at all times can be an enormous challenge for provider organizations.
5. Lost equipment – The same devices that are targets for theft can also be lost by staff. Laptops, tablets, thumb drives and smartphones with ePHI have been left on airplanes, in restaurants and elsewhere without proper encryption or password protection.
6. Improper destruction procedures – This occurs when paper records are not shredded (or not shredded properly) as well as when PHI is left on computers, printer drums and scanners with hard drives. Ensuring that your shredding vendors have signed Business Associate Agreements and perform the appropriate procedures is essential.
7. Lack of legal signing authority – Individuals signing for a patient without having the legal authority to do so can take many forms. For example, relatives in custody battles or couples in divorce proceedings have forged names on medical record release forms to gain access. This can also occur when family members obtain the medical records for a deceased patient when there is a legal personal representative such as an executor of the estate.
Understanding the penalties
The stakes are high for provider organizations, as HIPAA violations, even those unknown to the covered entity, have serious consequences. Civil fines can be as much as $50,000 per violation, up to an annual maximum of $1,500,000. Incidents committed with the intent to sell, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm carry criminal penalties of up to $250,000 and imprisonment of up to 10 years.
These penalties are not just for massive breaches. In May of 2017, the OCR issued its first civil monetary penalty for a breach involving a single patient, followed quickly by a second single-patient penalty against another organization. With this precedent, providers may now be subject to penalties for any single breach incident, regardless of the number of patients impacted.
In addition, covered entities with unauthorized access incidents are required to complete a breach risk assessment and adopt a corrective action plan to bring policies and procedures up to HIPAA standards. Completing the assessment and the corrective action plan can be very labor intensive, including retraining of the involved staff, review of policies and procedures, notifying affected patients, notifying the media where applicable, and filing a breach report with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) where required.
Providers also need to consider other costs associated with unauthorized access, including legal damages pursued by the patient, reputational damage from breaching patient privacy, the internal cost of the breach investigation and remediation, legal fees and other compliance expenses.
Lastly, monetary penalties exist to motivate providers to safeguard the information appropriately, but at the end of the day, one should ask how one would feel if one’s own information were inappropriately accessed. An individual’s medical records contain their identity. A stolen credit card has a useful life on the black market of only a few transactions before it is cancelled; a person’s medical records, by contrast, can be used to impersonate them for the rest of their life.
Best practices for protecting against unauthorized access
Given the prevalence and significant consequences of unauthorized access incidents, here are some best practices that provider organizations should consider to protect their institutions.
● Ensure there is strong disclosure management documentation pertaining to the organization’s policies and procedures, especially on how to handle exceptions. Rigorous ongoing training and knowledge assessments should be performed by the organization.
● Safeguards need to be built into both processes and computer systems. For example, have an individual other than the person who printed the records be responsible for quality assurance and mailing them (separation of duties), and ensure systems flag highly sensitive patient information, such as HIV status or psychotherapy notes, which requires a specific additional authorization before release.
● Staff should be diligent about validating authorizations, requestor calls and where the information is going to ensure that the requestor has the legal authority to access the record and that PHI is being sent to the correct individual.
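To make the three safeguards above concrete, here is an added example of a pre-release check for an ROI request; it is illustrative code written for this page, not software from the article or from any vendor it mentions. It assumes a hypothetical request and authorization record with the fields shown, hypothetical role names for who may sign on a patient’s behalf, and a constructed set of sample cases; the sensitive categories mirror those the article names (HIV status, psychotherapy notes), with substance-use treatment records added as an assumed further example.

```python
"""Release-of-information (ROI) pre-release gate: added illustration, not the article's code."""
from dataclasses import dataclass
from datetime import date

# Categories that need a specific authorization beyond a general release.
# HIV status and psychotherapy notes come from the article; substance-use
# treatment records are an assumed additional example.
SPECIAL_CATEGORIES = {"psychotherapy_notes", "hiv_status", "substance_use_treatment"}

# Hypothetical role names for people with legal signing authority.
AUTHORIZED_SIGNER_ROLES = {"patient", "legal_guardian", "healthcare_poa", "estate_executor"}


@dataclass
class Authorization:
    signer_name: str
    signer_role: str          # relationship of the signer to the patient
    patient_id: str
    recipient: str            # where the signer authorized the records to go
    expiration: date
    categories: set[str]      # categories the signer explicitly authorized
    proof_of_authority: bool  # e.g. guardianship order or letters testamentary on file


@dataclass
class ReleaseRequest:
    patient_id: str
    requested_categories: set[str]
    destination: str
    prepared_by: str          # staff member who compiled/printed the records
    qa_by: str                # staff member doing quality assurance and mailing


def validate_release(req: ReleaseRequest, auth: Authorization, today: date) -> list[str]:
    """Return blocking findings; an empty list means the release may proceed."""
    findings = []
    if auth.patient_id != req.patient_id:
        findings.append("authorization is for a different patient")
    if auth.expiration < today:
        findings.append("authorization has expired")
    # Legal signing authority: the role must be recognised, and anyone other
    # than the patient must have documentary proof of that role on file.
    if auth.signer_role not in AUTHORIZED_SIGNER_ROLES:
        findings.append(f"signer role '{auth.signer_role}' has no legal signing authority")
    elif auth.signer_role != "patient" and not auth.proof_of_authority:
        findings.append(f"no proof of authority on file for {auth.signer_role}")
    # Destination check: PHI must go exactly where the authorization says.
    if req.destination.strip().lower() != auth.recipient.strip().lower():
        findings.append("destination does not match authorized recipient")
    # Sensitive categories require a specific authorization, not a general one.
    missing = (req.requested_categories & SPECIAL_CATEGORIES) - auth.categories
    for cat in sorted(missing):
        findings.append(f"'{cat}' requires a specific authorization")
    # Separation of duties: the preparer may not also be the QA/mailer.
    if req.prepared_by == req.qa_by:
        findings.append("same person prepared and QA'd the release (separation of duties)")
    return findings


def demo_cases() -> dict[str, list[str]]:
    """Run the gate over constructed sample requests (not real data)."""
    as_of = date(2025, 6, 1)
    recipient = "Dr. Lee, 10 Main St"
    patient_auth = Authorization("Pat Example", "patient", "MRN-1001", recipient,
                                 date(2025, 12, 31), {"general"}, True)
    relative_auth = Authorization("A. Relative", "relative", "MRN-1001", recipient,
                                  date(2025, 12, 31), {"general"}, False)
    executor_auth = Authorization("E. Executor", "estate_executor", "MRN-1001", recipient,
                                  date(2025, 12, 31), {"general"}, False)
    return {
        "valid": validate_release(
            ReleaseRequest("MRN-1001", {"general"}, recipient, "clerk_a", "clerk_b"),
            patient_auth, as_of),
        "sensitive_no_sod": validate_release(
            ReleaseRequest("MRN-1001", {"general", "psychotherapy_notes"},
                           "dr. lee, 10 main st", "clerk_a", "clerk_a"),
            patient_auth, as_of),
        "forged_relative": validate_release(
            ReleaseRequest("MRN-1001", {"general"}, recipient, "clerk_a", "clerk_b"),
            relative_auth, as_of),
        "executor_no_proof": validate_release(
            ReleaseRequest("MRN-1001", {"general"}, recipient, "clerk_a", "clerk_b"),
            executor_auth, as_of),
    }


if __name__ == "__main__":
    for name, findings in demo_cases().items():
        print(name, "->", findings or "OK")
```

The point of returning every finding rather than stopping at the first is that the staff member reviewing the request sees all of the reasons it must be held, which is what makes the check useful for retraining as well as for blocking the release.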
Don’t do it alone
Given the complexity of the ROI process, including compliance with ever-changing regulations, provider organizations should consider working with disclosure management outsourcing companies, who can serve as a valuable resource in preventing unauthorized access. These organizations embed the best practices above into their service offering and bring regulatory expertise and specialty technology that streamline the ROI process, mitigate compliance risk and strengthen the protection of patient privacy. With the current epidemic of unauthorized access, provider organizations should think twice before going it alone.