LEGALESE
Patient Health Information Breaches: What Now?
Rusty Comley, JD and Abram Orlansky, JD; Watkins & Eager, PLLC
All medical professionals understand the importance of protecting their patients’ private information. As anyone reading this is well aware, the federal government’s regulatory attempt to enforce this important privacy interest is the Health Insurance Portability and Accountability Act, or HIPAA, together with the regulations promulgated under it by the Department of Health & Human Services.
HIPAA contains various rules regarding the use and disclosure of patients’ “Protected Health Information” (PHI). When it comes to HIPAA compliance, though, one thing all medical professionals must understand is the truth of the old cliché, “it happens to the best of us.” That is to say, even those who follow the rules in every way and have sensible, workable HIPAA policies to which they adhere faithfully may occasionally find themselves dealing with a breach of patient PHI. When and if that happens, there is a well-defined set of steps to take.

What is a “Breach?”

It is important to first ensure you understand when a “breach” has occurred under the HIPAA regulations. According to 45 C.F.R. § 164.402, a breach happens when a patient’s PHI (including medical, personal, and/or financial information) is acquired, accessed, used, or disclosed in a manner that compromises its security and/or privacy and is not specifically permitted by the HIPAA regulations. Certain exceptions apply, such as when an employee of an entity covered by HIPAA accidentally accesses PHI in good faith and does not further disclose the information. Another example that should not necessarily be considered a “breach” is when office personnel mistakenly fax a patient record to the wrong pharmacy or medical clinic. Because both the pharmacy and the medical clinic have a legal obligation to protect the privacy, security, and confidentiality of patient information, there is a low probability that the information disclosed was compromised, and therefore that any breach occurred.

Breaches come in various forms and sizes. On one end of the spectrum, we have assisted clients who mistakenly provided online access to one patient’s information to another patient with a similar name. In a case of similarly small magnitude, we have also assisted where a physician left a briefcase with patient documents in his car, and his car was stolen with the briefcase still inside. The other end of the spectrum includes large-scale cyberattacks, like the one perpetrated against Community Health Systems in 2014, which affected the health records of 4.5 million patients.

Preventing Breaches in the First Place

It should go without saying that the most important step your practice must take with respect to these issues is to ensure you take every reasonable precaution to avoid breaches at the outset. Have a strong, easy-to-follow HIPAA policy in place and incorporate it into your practice’s daily operations. We have assisted several clients in crafting new or updated HIPAA policies that are designed to be workable within each practice’s unique situation. Pay special attention to any communications involving patients’ protected health information, and engage in some self-analysis about the way your records are stored, used, and transported, and the security (or lack thereof) in your systems. Use encrypted communications wherever possible. It is vitally important to stress that your HIPAA policies and procedures must be kept up to date, and that you must make every effort to fully comply with your own policies and procedures.

HIPAA enforcement is the purview of the federal Department of Health and Human Services (“HHS”), and specifically its Office for Civil Rights (“OCR”). The entire purpose of OCR is to protect patients’ nondiscrimination and health privacy rights; one of the ways it accomplishes this goal is by investigating violations of HIPAA and enforcing its rules. In the event of a breach (or any other HIPAA violation), a patient has no legal right to sue in court. Therefore, a complaint to OCR is the sole enforcement mechanism available to affected patients. Note, however, that civil liability can arise if the PHI involved in the breach also contains personal or financial information that assists in fraud against, or identity theft of, the affected patients. In recent years, OCR has become more aggressive in enforcing HIPAA’s strictures.
When its investigation reveals a violation, OCR can resolve it either by: 1) simply obtaining the covered entity’s agreement to a corrective action plan, or 2) obtaining such a plan and imposing a civil monetary penalty. In 2012 (the most recent year for which such data is available on the OCR website), 36% of all complaints resulted in corrective action, up from just 22% in 2004, the first full year of data.

One recent example illustrates how a security breach can open the door to a much larger problem for a covered entity. In November 2015, Lahey Hospital and Medical Center in Burlington, Massachusetts, agreed to pay $850,000 and to follow a strong corrective action plan due to deficiencies in its HIPAA policies. The only reason OCR was investigating in the first place was a breach: a single laptop computer, whose hard drive contained 599 individuals’ PHI, was stolen from an unlocked room in the hospital.

JOURNAL MSMA