With so much changing in the data privacy landscape, it is easy to forget the importance of established regulations like the Health Insurance Portability and Accountability Act (HIPAA), yet lately they have dominated the headlines. Recent enforcement has raised awareness of safe data-handling practices, with particular attention to online transfers of medical information and the risks that come with them. This post looks at how the Health Information Technology for Economic and Clinical Health (HITECH) Act expands the HIPAA requirements, the role of state attorneys general in enforcing the HIPAA Privacy and Security Rules, and the record-breaking settlements recently reached for HIPAA violations.
The HITECH Act was enacted in 2009 to stimulate the adoption of Electronic Health Records (EHR). To get there, HITECH required stronger IT infrastructure for handling data transfers, in anticipation of far more frequent and rapid exchanges of data between doctors, hospitals, and other entities.
Title II of HIPAA addresses the security and privacy of protected health information. The link to HITECH arose because third-party business associates were not held to the same HIPAA compliance standards as covered entities. HITECH closed that gap by making business associates directly liable for compliance with the HIPAA Security Rule and the applicable Privacy Rule provisions, subjecting them to audits and to the same, now higher, tiered civil monetary penalties for non-compliance.
The HITECH Act also expanded the authority of state attorneys general to pursue HIPAA violations. Specifically, Section 13410(e) gives them the power to bring civil actions on behalf of state residents, so state attorneys general now have both the standing and the resources to act against misuse of health data. Separately from any civil action, the HIPAA Security Rule already requires covered entities and business associates to conduct a thorough risk analysis of the risks and vulnerabilities to electronic protected health information, and regulators routinely check whether that analysis was actually performed.
Recently, New York Attorney General Barbara Underwood levied a $200,000 penalty against Arc of Erie County, a Buffalo-based nonprofit that provides services to people with developmental disabilities. Personal information had been made accessible on a website intended for internal use only, because the site required no login or password. The gender, race, primary diagnosis codes, phone numbers, dates of birth, and ages of 3,751 individuals turned out to be reachable through a search engine. A full-scope forensic investigation determined that the exposure had permitted unauthorized access to electronic personal information for more than two years.
As part of remediation, Arc of Erie County's crisis management team offered a free one-year subscription to an identity theft protection service to all 3,751 affected persons. The organization will, however, need to keep reassessing several areas of its privacy and security program to mitigate risks and strengthen its security controls so that they better align with the HIPAA and HITECH requirements. The lesson for practitioners is plain: an "internal" web application with no authentication is a public one, and search engine indexing makes that discovery trivial.
Anthem, Inc. is an American health insurance company headquartered in Indianapolis, Ind., providing medical coverage to one in eight Americans through its affiliated health plans. Anthem was the victim of a sustained cyber-attack that penetrated its data storage platform and gained access to the personal information of more than 79 million people. The compromised data included names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information. The initial foothold came from spear phishing emails sent to an Anthem subsidiary.
On October 15, 2018, Anthem made headlines when it agreed to pay $16 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Although Anthem made the required breach notifications, OCR found that it had failed to detect and respond to the intrusion while it was under way. Alongside the fine, OCR required corrective actions to reinforce procedures for detecting intrusions and to strengthen user logins with multi-factor authentication. The Anthem breach has become the standard example for other entities of why continuous monitoring of data storage platforms and effective security controls matter.
These penalties and fines have pushed medical companies to put business associate agreements in place with their third-party data handlers and to enforce their terms, and to raise awareness of those obligations throughout the workforce. When medical companies build new processing systems, staff training should receive equal emphasis so that employees understand the risks of handling patient information and the best practices for protecting it. Such training should be mandatory; a single negligent act can cause financial and reputational harm to every party involved.
The involvement of state attorneys general and OCR makes clear that regulators are treating data privacy more seriously than ever, and organizations have to do the same. The crackdown on data breaches will keep pushing organizations to review and test their privacy and security measures periodically.
In the wake of the largest HIPAA settlement to date, entities should evaluate their current HIPAA policies, procedures, and practices to proactively secure medical information and reinforce public trust. HITECH changed HIPAA by introducing new requirements for both covered entities and business associates. These organizations should conduct a risk analysis at least annually to understand their exposure and mitigate critical risks. As regulators continue their crackdown on violations, and as patients bear the consequences of lax security, now is the time to ensure that the personal information entrusted to your organization is secure.
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.