Protected health information is arguably the most regulated type of sensitive data around. It’s the only kind of data that has a broad reaching federal law protecting it specifically. The Health Insurance Portability and Protection Act (HIPAA) contains extensive regulations regarding the collection and use of PHI (you can check out our primer on HIPAA here).
Despite what seems like an established system in place, there continue to be breaches and violations regarding the protection of healthcare data. There are multiple reasons for this including misunderstandings of the law or a lack of resources to manage compliance.
We decided to take a look at the U.S. Department of Health and Human Services’ (HHS) published list of recent data breaches and HIPAA violations to see what they had in common. We saw that non-compliant organizations ranged from single provider offices to large hospital groups. Some paid penalties of a few thousand dollars, while others had fines in the millions.
Looking past these differences, however, we saw that the breaches had a simple factor in common. They could have all been prevented with better data governance and procedures in place.
Let’s break down a few cautionary tales to see what we can learn about maintaining HIPAA-compliant data integration and protecting patient privacy.
1. Mobile device theft leads to exposed PHI
Organization: The University of Rochester Medical Center (URMC) - New York
What happened: In 2017 URMC lost a flash drive and was also a victim of theft of a laptop. Both devices stored sensitive information about patients, and neither were encrypted.
This wasn’t the first time that URMC had been in this situation. The organization had already dealt with a lost device in 2010, and noted in a follow-up assessment that unencrypted devices posed a large risk to PHI exposure. Despite this, URMC continued to allow workers to use unencrypted devices.
Settlement/corrective action: URMC was ordered to pay a fine of $3 million. In addition, the hospital was given a corrective action plan that includes tasks like revising their policies and procedures around mobile device controls and encryption/decryption.
How it could have been prevented: Theft and loss of devices is a fact of life and could happen to any kind of organization—in fact, it had already happened at URMC. When conducting regular risk analysis, the hospital system should have gone beyond simply acknowledging the possibility of device theft, and developed a plan in the event that it happened again. This could include encryption and procedures like remote wiping of sensitive information.
2. Former employees continue to access patient data
Organization: Pagosa Springs Medical Center (PSMC) - Colorado
What happened: PSMC failed to block a terminated employee from accessing the hospital’s web-based patient scheduling system. This resulted in the exposure of records of more than 550 patients. In addition, when investigating this violation, HHS discovered that PSMC did not have a business associate agreement (BAA) in place with the scheduling vendor.
Settlement/corrective action: The hospital was required to pay $111,400 and to adopt a corrective plan that includes updates to BAAs and additional HIPAA training for employees.
How it could have been prevented: Removing a terminated employee’s access from all internal systems should be a part of any company’s security protocols. Remote access to internal systems is a risk that should have been addressed in PSMC’s ongoing assessments. The hospital also needed a written agreement with its calendar vendor ensuring that PHI would not be exposed to unauthorized third parties.
3. Working with an unvetted vendor exposes data
Organization: Advanced Care Hospitalists (ACH) - Florida
What happened: ACH contracted with an individual who claimed to be a representative of a Florida-based medical billing company to conduct billing services. What ACH didn’t know, however, was that this person did not have permission to represent this billing company and the owner was unaware of the person’s actions.
ACH became aware of a problem when a local hospital contacted the group to inform them that patient information (including names and social security numbers) was viewable on a medical billing company’s website. ACH reported to HHS that more than 8,000 patients could have been affected by the breach.
During the investigation, HHS also discovered that ACH had never done a risk assessment or put data privacy measures in place in its entire 10 years of existence.
Settlement/corrective action: ACH was ordered to pay a $500,000 fine and enter into an extensive corrective action plan that includes signing BAAs with all of its vendors and conducting a risk assessment.
How it could have been prevented: ACH is different from many other non-HIPAA-compliant organizations in that it never had a security plan in place, and may never have if it were not for the data leak. If the organization had been conducting regular risk assessments and had procedures in place for contracting with business associates, it’s possible that they would have never formed a relationship with the unauthorized individual.
4. No policy on social media sharing
Organization: Elite Dental Associates - Texas
What happened: Elite was accused of disclosing a former patient’s PHI including the person’s name, treatment plan, and insurance information in a response to a Yelp review. HHS’s further investigation into Elite’s Yelp page showed that the dental practice had a history of disclosing PHI in response to reviews.
Settlement/corrective action: Elite agreed to pay a $10,000 settlement. In addition it was required to undergo a corrective action plan that includes training for its workforce on the disclosure of PHI.
How it could have been prevented: It’s easy to say that Elite should have just stayed off of social media and review sites, but that does not address the realities of being a healthcare provider today. Interacting with current, former, and potential patients online is a part of how many providers market themselves. Most do it ethically and successfully. Elite needed to include social media in its HIPAA risk assessments and develop clear guidelines to employees about what is and is not acceptable communication online.
Though unnerving, these four examples really show that all it takes to prevent PHI leaks is following the law and having data governance in place. This can also go a long way in ensuring patient trust and providing better care.
Working with PHI and want to make sure data governance is foundational at your organization? Reach out anytime and we'll help you assess. You can get in touch at firstname.lastname@example.org.