Millions of dollars in fines associated with alleged violations of the Health Insurance Portability and Accountability Act have been doled out over the last six months, a sign, according to experts, that HIPAA enforcement is shedding light on the fact that the industry lags behind others when it comes to information security.
Healthcare organizations in Massachusetts and Idaho are the latest to agree to the fines for failing to protect sensitive patient data under the Health Insurance Portability and Accountability Act.
The former owners of a medical billing practice in Massachusetts and four pathology groups agreed to pay $140,000 for improperly disposing of medical records. The names, Social Security numbers and medical diagnoses of 67,000 patients were discovered in documents at a town waste transfer station.
Meanwhile, Hospice of North Idaho agreed to pay the U.S. Department of Health and Human Services $50,000 to settle potential HIPAA violations after a laptop containing the data of 441 patients was stolen in 2010. The laptop was not encrypted, and investigators found that the firm had never conducted a risk analysis and had no policies or procedures to address mobile device security.
"Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors," Massachusetts Attorney General Martha Coakley said in a press release about the Massachusetts HIPAA settlement. The funds will cover civil penalties, attorney fees and a data protection fund to support efforts to improve the security and privacy of sensitive health and financial information in the state, Coakley said.
Experts say HIPAA enforcement has improved since administration of the rules was moved from the Medicare Operations Division to the Office for Civil Rights (OCR) under HHS. Beginning in 2009, OCR undertook auditing activities that have prompted a greater awareness of HIPAA among executives at hospitals and health system providers, said Ed Moyle, a founding partner at the information security consultancy Security Curve. Moyle said many healthcare organizations are failing to adequately address security. One problem is that security competes with patient care for funding at many organizations, he said.
"Selling security is hard because it is not directly apparent to the business why it's valuable as opposed to something like an MRI machine," Moyle said. "It's all about spending priorities, but there needs to be a recognition that part of patient care is respecting the privacy of patient health data."
Medical facilities are also held responsible for protecting patient data even when contracting services with third-party providers. From an enforcement standpoint, business partners must meet the same standards as healthcare organizations, Moyle said. Under the HIPAA rules, organizations must undergo a risk analysis, establish controls to mitigate risk and set security policies. The rules require security awareness training and the implementation of data encryption on laptops, tablets and other mobile devices to protect data.
"There is a big lack of a formalized risk assessment approach that gives you quantitative and qualitative data to base your security program on," Moyle said.
Small provider organizations and even larger research facilities often have a hard time establishing and maintaining security, and they lack adequately trained IT staff and a security officer with the level of authority needed to run an effective program, said Kate Borten, president of The Marblehead Group, a consultancy that specializes in healthcare security. Security hasn't advanced much over the last decade, Borten said.
"This is all the tip of the iceberg because we still have organizations that don't understand what the security rules are all about," she said. "We still don't know if organizations are even recognizing and reporting breaches."
Other healthcare organizations have agreed to pay millions of dollars in fines for alleged HIPAA violations in 2012.
In September, Massachusetts Eye and Ear Associates, Inc. agreed to pay a $1.5 million HIPAA fine for the theft of an unencrypted laptop containing data on about 3,600 of its patients and research subjects, including patient prescriptions and clinical information. The Boston-based firm disclosed the breach, following the HITECH breach notification rules, but investigators found that the firm lacked a security program and had failed to adequately implement policies and procedures for the removal of portable devices containing patient data.
Beth Israel Deaconess Medical Center in Boston suffered a similar breach when a laptop containing information on 3,900 patients was reported stolen in May. The hospital is reportedly encrypting more than 1,000 laptops in response to the breach.
In June, the Alaska Department of Health and Social Services agreed to pay $1.7 million and said it would implement better security policies and procedures, stemming from the 2009 theft, from a computer technician's vehicle, of a USB hard drive possibly containing data on 500 individuals.
PUBLISHED JAN. 8, 2013