Breaches, Breaches, Everywhere

By Matt Fisher, Esq
Twitter: @matt_r_fisher

It often seems as though a day does not go by without the report of a new breach of healthcare data. Examples of breaches include loss of unencrypted devices (whether laptops, flash drives or other devices), use of non-secure services, inattention to paper records, employee snooping, and more. Each new report raises questions as to why lessons were not learned from prior breaches, how much information was exposed, what the cost will be, and a host of other issues.

Each breach helps to highlight a different aspect of non-compliance with HIPAA. For example, not encrypting data shows non-compliance with an addressable element of the HIPAA Security Rule. Encryption is an addressable implementation specification, which on a basic level means an organization must assess whether the measure is reasonable and appropriate in its environment and, if it decides it is not, document why and put an equivalent alternative measure in place where reasonable. Given the prevalence of electronic information and the ease with which it can be accessed, however, encryption can almost be viewed as mandatory. It also carries a practical benefit: under HHS guidance, protected health information that is encrypted in accordance with that guidance is not "unsecured," so the loss of a properly encrypted device generally does not trigger breach notification, while the loss of an unencrypted one does. Employee snooping is a failure of both HIPAA Privacy and Security Rule compliance, since individuals should only have access to, and use or disclose, protected health information within the scope of their job responsibilities. For a last example, not properly disposing of or securing paper records raises an issue of HIPAA Privacy Rule compliance, because the Privacy Rule's safeguards requirement applies to protected health information in all forms, whereas the Security Rule is limited to electronic protected health information.

Regardless of the manner in which a breach occurs, the consequences and fallout are both wide-reaching and long-lasting. Depending upon the nature and cause of the breach, an organization may face fines and penalties from the government, mitigation costs such as credit monitoring or other services for affected individuals, and legal costs in defending against claims from those impacted by the breach. The impact is not just financial, though. Organizations that suffer a breach may also need to implement new compliance measures and may lose the trust of their patients or customers. The loss of trust is a real danger, because without patients or customers an organization faces a diminished base from which to earn revenue in the future.

What is at the root of all of the breaches in healthcare? Some suggest an inattention to security requirements over the years, which has left healthcare organizations across the board vulnerable. Another viewpoint is that the rush to adopt electronic and digital tools without considering the ramifications has created a great deal of data without careful attention to where it is going. Yet another stance is that organizations do not take compliance seriously enough and have not bothered to take the time to learn and understand what HIPAA or other laws require. It is likely that the reality lies somewhere in the middle of these and other reasons.

However, now is not the time to worry about the past and what could or should have been done. Instead, organizations should take all of the recent breach examples as opportunities to really learn from the experiences of others. While it is likely a matter of when, not if, a breach will occur, measures can be taken to delay that outcome as long as possible. One good starting point is to go through all relevant HIPAA requirements and fully appreciate what HIPAA does and requires. Many misconceptions about HIPAA persist despite the law having been around for close to 20 years at this point. Once an organization or individual dives into HIPAA and sees what it really does, there is an appreciation for how it can fit into the normal flow of an organization and foster actions that will protect and secure sensitive information. Additionally, organizations should place an emphasis on overall security, especially electronic security. While it is probably impossible to stay ahead of those interested in breaking into a system, if ongoing actions are taken to monitor and update systems, then improper access can be made more difficult.

Adopting and implementing an atmosphere of compliance and vigilance may seem time-consuming and without a clear return on investment. This is a somewhat shortsighted view, though, because preventing something bad from happening is at least as valuable as, if not more valuable than, putting the money somewhere else.

This all comes back to the fact that breaches are everywhere and will happen to everyone. Even though everyone will be on the wrong side of a breach at some point, it is possible to take steps to reduce that likelihood and to minimize costs when the day eventually comes.

To hear more about breaches, tune in to HIPAA Chat, where I joined Steve Spearman to discuss recent breaches and fines. HIPAA Chat airs weekdays at 12 noon ET.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.