HIPAA violations can have serious legal consequences.
Case in point: A federal grand jury has indicted a former employee at the University of Pittsburgh Medical Center for allegedly stealing patient data. The defendant disclosed to other people the names, birth dates and Social Security numbers of patients – information later used to file false tax returns. The law carries a maximum sentence of 80 years in prison, a fine of more than $4.7 million, or both.
In another case, a former researcher at the UCLA School of Medicine has been sentenced to four months in federal prison for HIPAA violations. Upon learning that he was being dismissed from his job, the UCLA employee accessed the medical records of his superior and coworkers, as well as more than 320 patient records (many of them celebrities) during the following four weeks. Charges were filed in 2009 and the defendant pleaded guilty in early 2010 to four misdemeanor counts of illegally reading private and confidential medical records.
These cases demonstrate not only the long reach of HIPAA enforcement, but also the importance of strengthening security and other safeguards to prevent these types of medical data breaches.
What is a breach?
A breach occurs when 1) there has been “unauthorized” access, use or disclosure of “unsecured” PHI that violates the HIPAA Privacy Rule, and 2) the disclosure “compromises the security or privacy” of the PHI, which means that it “poses a significant risk of financial, reputational or other harm to the individual.”
What is “unsecured” PHI?
The rules define “unsecured” PHI as any information that has not been rendered unusable, unreadable or indecipherable to unauthorized individuals through the application of a technology such as encryption or destruction.
Encryption - Proper encryption should use an algorithmic process to transform data into a form that is meaningless without a confidential process or key (which also must be protected).
Destruction - Hard copy PHI, such as paper or film, needs to be thoroughly shredded or destroyed so that it cannot be read or reconstructed.
How do I protect my business?
To steer clear of HIPAA violations and breaches, you should:
Establish breach notification procedures and update policies - Develop guidelines for determining when a breach has occurred, who will prepare individual notifications, and when a breach will trigger a requirement for notice to the media or immediate notice to HHS. Amend your HIPAA privacy and security policies, too, to cover the security breach notification rules.
Maintain a breach incident log - Set up a system to log security breaches affecting fewer than 500 individuals, which you must file with HHS within 60 days after the end of the year.
Revise business associate agreements - Discuss with your business associates (and put in writing) when they should notify you of a breach by their organization, what information should be reported, and which party will issue the required notifications.
Train employees on proper procedures - Employees should understand when they have encountered a breach and how to report it. A successful training program will provide formal instruction on HIPAA-related policies and procedures, as well as build awareness through workplace postings and other employee materials.