The Health Insurance Portability and Accountability Act of 1996 (HIPAA) controls the privacy and access of all protected health information (PHI) in the United States. One of the goals of the legislation is to help move the healthcare industry toward electronic health records (EHR). The value to patients and providers is faster and more accurate care, since clinicians, insurance companies and all related business organizations will have access to the same information.
In 2009, the US Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH Act) to further clarify and address the privacy and security concerns associated with the electronic transmission of health information. Language in the law extends HIPAA provisions to business associates of covered entities. This means that any organization that works with a healthcare provider is also subject to the same laws and penalties.
As more health information has become electronic, more of it is susceptible to data breaches. A recent study by Redspin, Inc., a California provider of IT security assessments, shows that 385 breaches of PHI affecting about 19 million records have been reported since August 2009 in the US. Part of the HITECH Act stipulates that an organization must report any breach affecting over 500 people to the US Department of Health & Human Services (HHS) within 60 days, so these numbers don't take into account smaller breaches.
Several statistics in the Redspin report stand out:
- 97% increase in total records breached since 2010
- 59% of all breaches involved a business associate
- 76% increase in records breached involving a business associate since 2010
- 39% occurred on a laptop or other portable device
If you look at the cost to a business of these breaches, it can be staggering. The average number of patients per breach was 49,394, which is almost double the numbers from 2010. The Ponemon Institute calculates that the cost per compromised data record is $214. That makes the average cost just over $10 million per breach!
A healthcare provider's exposure depends not just on how it handles PHI, but also on how its third-party vendors, suppliers, consultants and contractors manage it. If a hospital sends patient information to a lab so the lab can do some blood work, the hospital has to make sure the lab has proper security measures to safeguard the patient information. Currently the laws only penalize the covered entity, in this case the hospital. If there is a breach at the lab, the hospital will ultimately have to pay for the lack of security. Fortunately the breach notification laws provide for liability to extend directly to business associates by the end of 2012.
Waiting on the legislative and enforcement process to deter breaches by forcing business associates to improve security will not solve the problem now. Since a large percentage of breaches occur through the loss of a laptop or other portable device, safeguarding this information now is critical. The only effective way to do this is by encrypting it.
A lot of this information is most likely in spreadsheets, documents, image and audio files. Protecting them with a persistent security policy that lets the creator of the information decide who can access it will help deter breaches. If a hospital needs to share these documents with a business associate, it can encrypt the document with a policy that defines who can view the information and for how long. If the document is accidentally shared with the wrong people or organization, the hospital can throw a kill switch and make the document unreadable by anyone. If a hacker or other unauthorized person opens the document, it will look like random characters.
Many business associates of healthcare organizations may not have the appropriate security in place to properly manage PHI. With data breaches increasing at an alarming rate, healthcare organizations should take the initiative for that security by encrypting any files they share. That ensures that only those people who need the information can access it.
As the saying goes, physician, heal thyself.