Millions of dollars in fines associated with alleged violations of the Health Insurance Portability and Accountability Act have been doled out over the last six months. According to experts, this is a sign that HIPAA enforcement is exposing how far the healthcare industry lags behind others when it comes to information security.
Healthcare organizations in Massachusetts and Idaho are the latest to agree to the fines for failing to protect sensitive patient data under the Health Insurance Portability and Accountability Act.
The former owners of a medical billing practice in Massachusetts and four pathology groups agreed to pay $140,000 for improperly disposing of medical records. The names, Social Security numbers and medical diagnoses of 67,000 patients were discovered in documents at a town waste transfer station.
Meanwhile, Hospice of North Idaho agreed to pay the U.S. Department of Health and Human Services $50,000 to settle potential HIPAA violations after a laptop containing the data of 441 patients was stolen in 2010. The laptop was not encrypted, and investigators found that the firm had never conducted a risk analysis and had no policies or procedures to address mobile device security.
"Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors," Massachusetts Attorney General Martha Coakley said in a press release about the Massachusetts HIPAA settlement. The funds will cover civil penalties and attorney fees, and will establish a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in the state, Coakley said.
Experts say HIPAA enforcement has improved since administration of the rules was moved from the Medicare Operations Division to the Office for Civil Rights (OCR) under HHS. Beginning in 2009, OCR undertook auditing activities that have prompted greater awareness of HIPAA among executives at hospitals and health system providers, said Ed Moyle, a founding partner at the information security consultancy Security Curve. Moyle said many healthcare organizations are failing to adequately address security. One problem is that security competes with patient care for spending at many organizations, he said.
"Selling security is hard because it is not directly apparent to the business why it's valuable as opposed to something like an MRI machine," Moyle said. "It's all about spending priorities, but there needs to be a recognition that part of patient care is respecting the privacy of patient health data."
Medical facilities are also held responsible for protecting patient data even when they contract services to third-party providers. From an enforcement standpoint, business partners must meet the same standards as healthcare organizations, Moyle said. Under the HIPAA rules, organizations must conduct a risk analysis, establish controls to mitigate the identified risks and set security policies. The rules require security awareness training and the implementation of data encryption on laptops, tablets and other mobile devices to protect data.
"There is a big lack of a formalized risk assessment approach that gives you quantitative and qualitative data to base your security program on," Moyle said.