Monday, September 01, 2008

Medical Alert: HIPAA gets six figure teeth

Ten years ago I started to alert my clients to the emergence of privacy as the new "driver" of data security. Eight years ago I started to warn them about the specific implications of the Health Insurance Portability and Accountability Act ( HIPAA). In the slide deck that I created for my first HIPAA seminar I made sure my audiences were aware of the penalties built into HIPAA, such as fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

I can't tell you how many doctors and hospital administrators greeted that slide with disbelief. And, given the lingering arrogance so endemic to America's crumbling health care community, some doctors went so far as to suggest I was simply scare-mongering to scrounge up security consulting work. The attitude among many was something like this: "Nobody would dare to levy fines on us because of some esoteric aspect of patient data storage."

Well, here we are in the Summer of 2008 and the penny has finally dropped. In fact, ten million pennes have dropped. because the HHS, the U.S. Department of Health & Human Services, has collected $100,000 from a hospital that allowed unencrypted personal health data to leave the premises, as detailed in this this comprehensive posting by Sara Kraus over on the privacy law blog.

Providence Health & Services, a Seattle-based not-for-profit health system, was forced to paid $100,000 to HHS and enter into a Corrective Action Plan with the government to avoid a “civil monetary penalty.” That three-year plan is like probation and is no cake walk. Failure to comply could result in more penalties and Providence could still face criminal liability.

The immediate trigger fort this HHS action was "five incidents in 2005 and 2006 in which unencrypted electronic protected health information (“ePHI”) of Providence patients was stored on backup tapes, optical disks and laptops that were taken off-site from Providence by members of its workforce, and then misplaced or stolen, potentially compromising the health information of over 386,000 patients."

So if you are in any way responsbile for health care data, I urge you to read the details in the blog post linked above. You do not want to be next on the HHS hit list. Also note that, as I predicted, there is a cumulative effect to the various and diverse privacy legislation passed during the last ten years. The incidents at Providence might have been hushed up but state notification laws required patients be advised of the loss of their information. Further note that there was no evidence that any personal information was wrongfully used as a result of these incidents. When HHS investigated it focused on Providence's failure to implement policies and procedures to safeguard the ePHI. And that failure cost $100,000.

(FYI, the picture is a hippo skull on which the massive teeth of the beast can be clearly seen -- thanks to Wikimedia for the image.)