For health care organizations and professionals, HIPAA is as ubiquitous as the white coat or the stethoscope. And, while most such professionals understand the importance of protecting patients’ information, they may unwittingly find themselves in violation of the HIPAA Security Rule by failing to apply frequent system patches and other upgrades to their computer systems and networks.
The HIPAA Security Rule sets forth the national standards for protection of individuals’ electronic personal health information (ePHI) created, received, used or maintained by a covered entity. And those who qualify as “business associates” of a covered entity are subject to the same rules and potential fines as the covered entities themselves.
Just last December, a covered entity entered into the first major settlement with the Department of Health and Human Services (HHS) for violations amounting to neglect under the HIPAA Security Rule. Anchorage Community Mental Health Services (ACMHS) had adopted the sample Security Rule policies and procedures years earlier, but the organization never followed those procedures. Specifically, ACMHS failed to patch its IT systems and continued to run outdated, unsupported software. Those failures eventually led to a malware-driven data breach that compromised the ePHI of more than 2,700 individuals. ACMHS was required to pay $150,000 to HHS, implement a corrective action plan and report to HHS’ Office of Civil Rights (OCR) on the status of ACMHS’s Security Rule compliance for a period of two years.
“Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis,” said OCR Director Jocelyn Samuels, in a December 2014 bulletin. She said such an approach includes “reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
Because some malware can operate undetected on a system for long periods, and because the types of viruses and malware in circulation are constantly changing, it is critically important that health care providers and their business associates, as well as companies in general, apply security patches and update software regularly. In particular, health care providers who still use Windows® XP should take note that failure to migrate to a supported operating system could be a violation of the Security Rule. Microsoft no longer supports Windows® XP, so it no longer receives security patches, and computers using it are “five times more vulnerable to security risks and viruses” as a result.
In situations like that of ACMHS, the damage done to the patient-provider relationship may come at an even greater cost than the fines and monitoring imposed by HHS. According to a recent survey conducted by TransUnion Healthcare, 65 percent of respondents would avoid health care providers or organizations that experience a data breach. Of those participants who said they would stay away, 73 percent were between the ages of 18 and 34.
The survey results also provide insight into what kind of response patients expect when there has been a breach. Almost half (46 percent) of patients expect a notification within one day of the breach. Thirty-one percent of patients expect a response or notification within one to three days of a breach.
But a prompt response is not all consumers expect. Seventy-two percent of the survey participants said they expect providers to offer at least one year of free credit monitoring after a breach, and more than half said they wanted a dedicated hotline and dedicated website offering details after a breach. So, a breach can be costly to an organization in many ways.
Companies of all sizes, regardless of their industry, should take heed of the lessons to be learned from the ACMHS breach and should implement the following practices:
- Establish IT security policies and follow those policies;
- Hire competent IT professionals to manage and monitor systems;
- Routinely check for and apply IT security patches;
- Regularly update all IT systems and review virus software;
- Upgrade equipment and software before they become outdated and before the vendor stops supporting them with security updates.
Organizations that suffer a breach should do the following:
- Notify clients/patients as soon as possible after the breach is discovered;
- Be forthcoming about what caused the breach and what is being done to fix it;
- Establish a website and hotline to provide information concerning the breach;
- Provide credit monitoring to those affected by the breach;
- Consider providing additional services, such as identity theft insurance/repair, to those whose information was compromised.
With careful planning and vigilance, companies can maintain the trust of their customers. And with proper handling, candor and communication, even those companies that have fallen victim to a breach can retain or recover the trust of those they serve.
U.S. Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html; 45 CFR 160; 45 CFR 164 (A) and (C).
Kristen M. Chatterton