The Anesthesia Insider Blog


Protect Your Anesthesia Practice against a Data Breach

Hardly a week goes by without news of the loss of a computer containing thousands of patient records.  It is all too easy for medical practices and health systems to suffer data breaches, and the financial consequences can be severe.  When a breach of patient data is found and reported, healthcare providers and legal business associates can be liable for penalties of up to $1.5 million for violations of a single HIPAA provision.

The Department of Health and Human Services’ Office of Civil Rights (OCR) recently made it clear that an actual breach and disclosure of electronic Protected Health Information (ePHI) is not necessary—there may be liability for not having policies and procedures in place to address the breach notification provisions published in the HIPAA Omnibus Rule in January 2013.  The Breach Notification Rule requires covered entities (healthcare providers, health plans, healthcare clearinghouses) to notify individuals and OCR (and in some cases the media) of breaches of PHI and requires business associates (such as billing companies) to notify covered entities of such breaches. 

The HIPAA Omnibus Rule, which took effect on September 23, 2013, changed the definition of what constitutes a breach of PHI.  Now, any disclosure of PHI that violates the HIPAA privacy rule is presumed to be a breach unless a covered entity or business associate demonstrates that there is a low probability that the PHI was compromised by undertaking a risk assessment that meets certain requirements.  Specifically, the risk assessment must:

  • Determine the nature and extent of PHI involved;
  • Establish the identity of the unauthorized person who used the PHI or to whom the disclosure was made;
  • Determine whether the PHI was actually acquired or viewed; and
  • Establish the extent to which the risk to the PHI has been mitigated.

A dermatology practice with six locations in Massachusetts and New Hampshire last month entered into a $150,000 settlement agreement with OCR to resolve alleged violations of the Breach Notification Rule.  The settlement included a corrective action plan requiring the practice to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

A report that an unencrypted thumb drive containing some 2,200 patients’ ePHI had been stolen from a staff member’s car triggered OCR’s investigation.  The thumb drive never turned up.  The group issued the required notifications.  OCR found that the practice had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process, as required by HIPAA.  Further, the practice did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

To avoid the problem experienced by the dermatology group, anesthesia and pain medicine practices should consider taking the following action steps, recommended by the law firm McDonald Hopkins LLC in Cleveland:

  • Review and update written HIPAA privacy, security and breach notification policies and procedures;
  • Identify and review all business associate relationships and ensure that appropriate business associate agreements are in place …;
  • Perform risk analysis to assess potential risks and vulnerabilities to the confidentiality, integrity and availability of all ePHI;
  • Take action on security gaps (risk management) and promptly correct identified HIPAA violations;
  • Document HIPAA-related determinations and actions;
  • Train members of the workforce to comply with the HIPAA Rules and to promptly identify, investigate and respond to possible data breaches;
  • Encrypt ePHI to the extent feasible;
  • Avoid unnecessary disclosures of PHI; and
  • Obtain (or at least determine the feasibility of) cyber insurance.

These preventive measures are time-consuming and expensive for a practice.  Encryption merits a special comment here because it offers the highest level of protection against data breaches:  if stolen data is encrypted consistent with guidelines certified by the National Institute of Standards and Technology, a breach is not considered to have taken place at all and the provider does not have to report a potential or presumed breach.  While many if not most providers are already requiring encryption on laptops, adding encryption to desktop computers or central servers may not survive a cost-benefit analysis when the effect on workflow and network speeds is considered.

Nevertheless, the costs of a breach, presumptive or actual, can be far worse than the expense of prevention.  In addition to the potential penalties that the Government may levy or settle, there are the costs of investigating and responding to a breach, which include the notification of patients, the government and, in cases involving more than 500 patients, local media.  There may also be substantial damage to the reputation of the practice.

As the ASA noted in its Payment and Practice Management Memo No. 3 (October 2013), “a potential breach in complying with HIPAA is not as unlikely as you may think” and “HIPAA compliance may be more difficult than it has been in the past. Given recent policies and provisions, all covered entities (which include anesthesia practices) must be more cautious in taking measures to protect both the privacy and the security of the PHI of their patients.”  The volume and variety of nine data breaches that occurred late in 2013, reported by Helen Grigg in Becker’s Hospital Review on December 19, 2013, illustrate both the difficulty and the importance of protecting ePHI against loss or theft, and also suggest some possible strategies for doing so:

  1. A third-party vendor removed electronic security safeguards from a Santa Barbara, Calif.-based Cottage Health System server without informing hospital officials, exposing the information of 32,500 patients.
  2. A laptop containing 1,900 Southern Illinois University HealthCare patients' data was stolen from a physician's office.
  3. Approximately 49,000 patients were notified of a data breach at Kaiser Permanente's Anaheim (Calif.) Medical Center.
  4. Horizon Blue Cross Blue Shield of New Jersey notified approximately 839,711 members that two unencrypted laptops containing members' personal and health information were stolen from the insurer's Newark, N.J., headquarters.
  5. A laptop and paper files were stolen from Houston Methodist Hospital, compromising the personal and health information of 1,300 patients.
  6. Pittsburgh-based UPMC notified 1,300 patients treated at various UPMC locations that their records were inappropriately viewed by a UPMC McKeesport employee.
  7. A data breach at the University of Washington Medicine in Seattle compromised the personal and health information of 90,000 patients.
  8. The theft of a laptop from a University of California San Francisco physician compromised the health information of 8,294 people.
  9. In Fortuna, Calif., Redwood Memorial Hospital announced the loss of a thumb drive containing personal and medical information of 1,039 patients.

Other HIPAA covered entities in the past year have lost control of PHI when they failed to destroy hard drives of computers (or photocopiers) prior to recycling, or failed to perform an appropriate technical evaluation following a software upgrade, or even when they simply misplaced paper binders containing patient data.  Since reporting began in 2009, over 700 breaches involving 500 or more individuals have been reported to OCR. In addition, OCR has received over 64,000 reports of breaches involving fewer than 500 individuals. OCR has obtained corrective action from covered entities in more than 13,000 cases and has entered into HIPAA resolution agreements with covered entities in 16 cases for HIPAA noncompliance.  The title of the ASA memo quoted above is “You Can’t Be Too Careful When it Comes to HIPAA Privacy and Security.”  We concur, and we hope that the protective measures taken by our readers will do their job.
