The Importance of Data Encryption and Security Rules: Breaches of Electronic Protected Health Information Under HIPAA and HITECH
By Cindy Gallee
Recently there have been many breaches of private information in the retail, banking and government sectors. In fact, 62% more private information breaches were reported in 2013 than in 2012 across all sectors.1 The healthcare industry is not immune to privacy breaches, and the stakes are just as high or higher for healthcare institutions. Patients entrust their most private information to their healthcare providers with the expectation that it will be kept secure. Yet over thirty million people have been affected by major breaches of their healthcare information since the Breach Notification Rule took effect in 2009,2 and that number is expected to rise further under the changes to the Rule that took effect in 2013.
The largest and most significant breaches of protected health information share one cause: the lack of technical or administrative safeguards on the information. More specifically, these losses most often occur through the loss or theft of unsecured, unencrypted electronic devices or computers.
Privacy and Security Laws in Healthcare. The three main federal sources of law addressing the privacy and security of healthcare information are the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule,3 the HIPAA Security Rule,4 and the Health Information Technology for Economic and Clinical Health Act (HITECH),5 the last of which is part of the American Recovery and Reinvestment Act of 2009 (ARRA).6 Parts of all of these rules were amended by the 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the HITECH Act and the Genetic Information Nondiscrimination Act (the Omnibus Rule).7 There has been increased activity in the last year concerning breaches of private and protected health information because of the HITECH provisions as amended by the Omnibus Rule; since these laws are interconnected, a brief overview of the other laws follows.8
HIPAA Privacy Rule. HIPAA itself was enacted in 1996; the Privacy Rule promulgated under it (issued in 2000 and modified in 2002) is a comprehensive set of federal standards to protect the privacy of patients’ medical records and other health information maintained by covered entities, which are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically. The Rule covers patient access to their medical records and governs how patients’ health information is used and disclosed. Protected health information is individually identifiable health information, that is, health information that identifies, or could reasonably be used to identify, a particular person.
HIPAA Security Rule. The HIPAA Security Rule was promulgated in 2003 and goes a step further than the Privacy Rule by setting specific protections for health information that is in electronic form. The Security Rule requires covered entities to employ administrative, physical and technical safeguards. Administrative safeguards are actions such as policies and procedures to manage and protect electronic protected health information. Physical safeguards are measures that protect electronic information systems, and the buildings and equipment that house them, from natural and environmental hazards and unauthorized intrusion. Technical safeguards are the technology, and the policies and procedures for its use, that protect electronic health information and control access to it. Each safeguard is further broken down into implementation specifications that are either “required” or “addressable”; an addressable specification (encryption is one) must be implemented if reasonable and appropriate, and otherwise the entity must document why not and implement an equivalent alternative measure.
HITECH Act. The HITECH Act is Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA contains incentives for the adoption of electronic health records, but HITECH also strengthens the HIPAA Privacy and Security Rules by requiring notification of breaches of healthcare information and providing increased penalties for violations. In January 2013, HHS issued the final rule implementing HITECH’s changes, collectively called the Omnibus Rule, which significantly modified the HIPAA Rules. These modifications changed the standard for determining whether a breach of protected health information must be reported, and applied Security Rule provisions, including direct liability, to business associates. A business associate is any person or entity that performs functions or activities involving the use or disclosure of protected health information on behalf of a covered entity. The Omnibus Rule amendments significantly changed the landscape of HIPAA Security compliance, exposing more entities to liability, strengthening enforcement and increasing penalties.
Liability under the Omnibus Rule. The Breach Notification Rule, as amended by the Omnibus Rule, states, “A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.”9 A breach is defined as the acquisition, access, use or disclosure of protected health information in a manner not permitted by the Privacy Rule which compromises the security or privacy of the protected health information.10 Note the word “unsecured”: the notification duty attaches only to protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, which is what makes encryption decisive in the examples that follow.
Prior to the Omnibus Rule, under the interim breach notification rule, healthcare entities applied a “harm standard” to determine whether a reportable breach had occurred. Under that analysis a breach did not have to be reported unless it posed a significant risk of financial, reputational or other harm to an individual. The Omnibus Rule instead creates a presumption that any unauthorized access, use or disclosure of protected health information is a reportable breach unless the healthcare entity can demonstrate a low probability that the information was compromised, based on a four-factor risk assessment. The factors are: 1) the nature and extent of the information involved, including the types of identifiers and the likelihood of re-identification; 2) the unauthorized person who used the protected health information or to whom it was disclosed; 3) whether the information was actually acquired or viewed; and 4) the extent to which the risk has been mitigated.11 Replacing the harm standard with this presumption has resulted in more incidents being determined to be reportable breaches.
There are three exceptions under which an impermissible acquisition, access, use or disclosure is not a breach: 1) unintentional acquisition, access or use of protected health information by a workforce member or person acting under the authority of the entity, made in good faith and within the scope of that authority, that does not result in further impermissible use or disclosure; 2) inadvertent disclosure by a person authorized to access the information to another person authorized to access it at the same healthcare entity (or business associate); or 3) an improper disclosure where the entity has a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the information.12
Another significant change in the Omnibus Rule is direct liability for business associates. As stated earlier, business associates handle protected health information on behalf of a covered entity. The Omnibus Rule expands the definition to include subcontractors, that is, entities under contract with a business associate that create, receive, maintain or transmit protected health information on its behalf. The definition specifically reaches entities that provide data transmission services for protected health information and require routine access to it (a mere conduit that only transiently carries the data is excluded), and entities that simply maintain the information, such as a storage vendor, even if they never access or view it. Under the Omnibus Rule, business associates are directly liable for many provisions of the Privacy and Security Rules as if they were covered entities. In addition, the Omnibus Rule includes an agency provision under which covered entities can be held liable for certain actions of their business associates.13
Penalties and Enforcement under the Omnibus Rule. The Department of Health and Human Services’ Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules and likewise for enforcing the HITECH Act. OCR responds to complaints filed by the public, and HITECH also requires it to conduct periodic compliance audits. If, after investigation and review of the evidence, OCR determines that a covered entity or business associate is not in compliance, OCR will attempt to obtain voluntary compliance, corrective action, or a resolution agreement.
A resolution agreement is a contract between Health and Human Services (HHS) and the covered entity where the covered entity agrees to perform certain corrective actions and to make reports to HHS for a period of three years. Resolution agreements usually include payment of a resolution amount. The OCR may also decide to impose civil monetary penalties. If a complaint is potentially a violation of the criminal provision of HIPAA, OCR may refer the case to the Department of Justice.14
The Omnibus Rule adopted the tiered penalty structure introduced by HITECH. Civil penalties range from $100 to $50,000 per violation, with a cap of $1.5 million per calendar year for all violations of an identical provision. Criminal penalties range up to a maximum of 10 years’ imprisonment. There are four tiers of violations with increasing levels of culpability, the highest being willful neglect. Struck from the law is the previous bar on imposing penalties where the healthcare entity did not know of the violation and would not have known with the exercise of reasonable diligence. Penalties remain prohibited for violations that are corrected within thirty days, unless the violation was due to willful neglect.15
HHS Wall of Shame. The HITECH Act requires HHS to post a list of breaches of unsecured protected health information affecting five hundred or more individuals, colloquially called the “Wall of Shame.” Earlier this year, HHS had posted a total of over nine hundred breaches affecting over thirty million individuals since the inception of the list in 2009. Several mega breaches are responsible for the largest percentage of individuals on the overall list who were affected by breaches of their private, protected health information. Of these mega breaches, the majority involve incidents attributable to a lack of security of electronic devices leading to the loss or theft of electronic equipment storing protected health information.16
Examples of Breaches. Recent breach incidents and settlements are useful for examining trends in the causes and results of security violations. Highlighted below are breaches that were significant in the number of patients affected and/or the financial liability incurred, each caused by a lack of security on electronic devices. Each could be considered a mega breach, and they share a distinct commonality: each involves the theft or loss of laptop or desktop computers containing unencrypted protected health information from an administrative office.
Horizon Blue Cross Blue Shield. In November 2013, two laptops were reported stolen from Horizon Blue Cross Blue Shield’s Newark, New Jersey headquarters office. The laptops had been cable locked to workstations and were password protected at the time of the theft. Neither measure protects the data itself: a login password does not prevent the drive from being read once it is removed from the machine, and only encryption does. Because the data was unencrypted, protected health information of 840,000 members, including names, addresses, dates of birth, Social Security numbers, and clinical information, was compromised. Members have been offered credit monitoring and identity theft protection services.17
AHMC Healthcare. The administrative office of a six-hospital system in California reported that two laptops containing protected health information of 729,000 patients were stolen in October 2013. The laptops were password protected and were kept in an area that was guarded and under video surveillance. A suspect in the theft has been arrested. The unencrypted, compromised data included patients’ names, Social Security numbers, insurance identification numbers, clinical information and financial information.18
AvMed Health Plan. The example of the AvMed Health Plan breach involves a situation where OCR has not yet taken enforcement action, but a class action lawsuit has been settled for $3 million. This incident involves a 2009 theft of two unencrypted laptops containing protected health information of 1.2 million patients. The settlement occurred in April 2014 and includes payment both to patients who were victims of identity theft and also to patients who arguably overpaid premiums without the benefit of data security.19
Sutherland Healthcare Solutions. Sutherland is a business associate, a billing vendor, of the Los Angeles County Department of Health Services and Department of Health. In February 2014 Sutherland reported that eight desktop computers containing unencrypted protected health information of 338,700 patients had been stolen. The compromised data included patient names, Social Security numbers, billing information, demographic information and clinical information. A class action lawsuit has been filed.20 This is an example of the trend of holding business associates just as accountable as covered entities under the security laws.
Advocate Health Care. The Advocate Health Care incident is a security breach of protected health information that is the second largest data breach in HIPAA history. Four unencrypted desktop computers were reported stolen from administrative offices in Park Ridge, Illinois in July 2013. Protected health information of 4.03 million patients was contained on the computers. Compromised patient information included patient names, addresses, dates of birth, social security numbers and clinical data. All affected patients have been notified and have been offered credit monitoring services. A class action lawsuit has been filed alleging violations of two state privacy laws.21
Financial Liability for Healthcare Breaches. The above examples illustrate the high dollar amounts at stake in breaches of protected health information, whether through settlements with OCR or through lawsuits subsequently brought by patients. That is before counting the other costs of a breach: eroded public trust, the cost of breach notification, and the cost of remediating the security program. According to the 2013 Ponemon Institute research report, a data breach costs an average of $188 per patient record breached.22 A more striking number is the Institute’s finding that the average total organizational cost of a data breach in the U.S. is $5,403,644 per incident.23
Recommendations. Analyzing the largest breaches on HHS’ Wall of Shame reveals several commonalities where compliance actions could have prevented the violations. First, although encryption is an “addressable” rather than a “required” specification under the Security Rule, encrypting every electronic device that stores protected health information is the key defense against a breach. In the analysis of whether a reportable breach occurred, protected health information that was encrypted in accordance with HHS guidance is not “unsecured,” so the loss of the device is not a reportable breach. HHS provides guidance on the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals.24 The guidance names two methods: encryption, first, and destruction. The caveat practitioners should note is that encryption only qualifies if the decryption key has not itself been compromised; a key stored on the same stolen laptop, or a device taken while powered on and unlocked, does not earn the exemption. A login password and a cable lock, as the examples above show, are not encryption.
Director of OCR Leon Rodriguez has commented on the subject, saying “Encryption is an easy method for making lost information unusable, unreadable and indecipherable.”25 OCR has also found, through the HIPAA audit process, that a facility’s failure to analyze the feasibility and the pros and cons of encryption in its risk analysis is a red flag. Another main recommendation concerns business associates. Business associates are now directly liable for security violations, and covered entities must insist in their business associate contracts that vendors produce evidence of compliance with the Privacy and Security Rules. These are protections that any healthcare entity, covered entity or business associate, can use to prevent breaches of protected health information. They should be part of an overall and ongoing risk compliance process that includes a detailed risk analysis, regular review and revision of policies and procedures, employee training, and an effective breach response plan.
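A compliance program that relies on device encryption needs a way to verify that the encryption is actually in place on each machine, rather than a password prompt that the Horizon and AHMC thefts show to be insufficient. The following script is an added example written for this article, not code from the author or from HHS: it parses the JSON that the Linux `lsblk -J -o NAME,TYPE,MOUNTPOINT` command emits and flags every mounted filesystem that is not layered on top of a dm-crypt/LUKS (“crypt”) device. The sample device tree is constructed for the example; the field names (`blockdevices`, `name`, `type`, `mountpoint`, `children`) are those lsblk prints, and the mountpoints to watch are assumed.

```python
"""Audit whether each mounted filesystem is backed by an encrypted block device.

Added example (not from the article or from HHS). Parses `lsblk -J -o NAME,TYPE,MOUNTPOINT`
output and reports mountpoints that do NOT sit on a dm-crypt/LUKS ("crypt") device.
"""
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample, shaped like real lsblk JSON output (assumption: a live host
# emits the same keys). sda1 is a plain partition mounted at /data; sda2 holds a
# LUKS container whose mapped device is mounted at /home; sdb1 is the unencrypted root.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/data"},
      {"name": "sda2", "type": "part", "mountpoint": null, "children": [
        {"name": "luks-home", "type": "crypt", "mountpoint": "/home"}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/"}
    ]}
  ]
}
"""


def _mountpoints(dev: dict) -> List[str]:
    # Newer lsblk prints a "mountpoints" list; older releases print a single "mountpoint".
    mps = dev.get("mountpoints")
    if mps is None:
        mps = [dev.get("mountpoint")]
    return [m for m in mps if m]


def encryption_status(lsblk_json: str) -> Dict[str, bool]:
    """Map each mountpoint to True when the device or any ancestor is of type 'crypt'."""
    tree = json.loads(lsblk_json)
    status: Dict[str, bool] = {}

    def walk(dev: dict, encrypted_above: bool) -> None:
        encrypted = encrypted_above or dev.get("type") == "crypt"
        for mp in _mountpoints(dev):
            status[mp] = encrypted
        for child in dev.get("children", []):
            walk(child, encrypted)

    for dev in tree.get("blockdevices", []):
        walk(dev, False)
    return status


def unencrypted_mounts(lsblk_json: str, watch: Optional[List[str]] = None) -> List[str]:
    """Return the mountpoints (optionally only those in `watch`) with no dm-crypt layer beneath."""
    status = encryption_status(lsblk_json)
    return sorted(mp for mp, enc in status.items()
                  if not enc and (watch is None or mp in watch))


def audit_live_host(watch: Optional[List[str]] = None) -> List[str]:
    """Run lsblk on the current Linux host and audit it the same way as the sample."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return unencrypted_mounts(out, watch)


if __name__ == "__main__":
    # Assumed: PHI lives under / , /data and /home on this fleet.
    for mp in unencrypted_mounts(SAMPLE_LSBLK_JSON, watch=["/", "/data", "/home"]):
        print(f"FINDING: {mp} is not backed by an encrypted block device")
```

The check only proves that a dm-crypt layer exists beneath the filesystem; it says nothing about where the key lives, whether the volume is unlocked at boot without a passphrase, or about file-level schemes such as fscrypt or self-encrypting drives, which would need their own checks. Those key-handling questions are exactly the ones the HHS guidance ties the “secured” exemption to, so the output is evidence for the risk analysis, not a substitute for it.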
Summary. Compliance with privacy and security laws in healthcare is serious business, and violations can be financially devastating to an organization. The HIPAA and HITECH rules were strengthened in the last year by the Omnibus Rule, which increased enforcement and changed the penalty structure. OCR Director Leon Rodriguez has said that healthcare groups and their business associates need to get their privacy and security houses in order, as they will face new audits and more monetary enforcement surrounding data breaches.26 Reported breaches of protected health information have increased dramatically in the last year. The best protection against the most common breach, the loss or theft of unsecured, unencrypted electronic devices, is data encryption, which is readily deployable and far less costly than a breach finding.
1 Symantec Corporation. “Internet Security Threat Report.” Volume 19, Published April 2014
2 McGee, Marianne Kolbasuk. “Health Breach Tally: 30 Million Victims.” HealthcareInfoSecurity.com, Mar. 31, 2014. http://www.omnibus.healthcareinforsecurity.com/health-breachtally-30-million-victims
3 65 Fed. Reg. 250, 82462 (Dec. 28, 2000) (incorporated at 45 C.F.R. Parts 160 and 164); modifications to the Rule, 67 Fed. Reg. 157, 53181 (Aug. 14, 2002) (incorporated at 45 C.F.R. Parts 160 and 164) (HIPAA Privacy Rule).
4 45 CFR Part 160 and Subparts A and C of Part 164 (2003) (HIPAA Security Rule).
5 Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5, 123 Stat. 226 (Feb. 17, 2009), codified at 42 U.S.C. §§300jj et seq.; §§17901 et seq. (HITECH Act).
6 Pub. L. No. 111-5, 123 Stat. 115, 516 (Feb. 19, 2009) (ARRA).
7 HHS Office for Civil Rights, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules,” 78 Fed. Reg. 5566 (Jan. 25, 2013), available at: http://www.gpo.gov/fdsys/pkg/FR-2013-01-24/pdf/2013-01-73.pdf (Omnibus Rule).
8 In addition, states may also have separate laws that in some cases are more specific than the federal regulations.
9 45 CFR Section 164.404 (a)
10 45 CFR Section 164.402
11 Omnibus Rule
12 Omnibus Rule
13 Omnibus Rule
14 U.S. Department of Health and Human Services website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/howocrenforces.html
15 U.S. Department of Health and Human Services website at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
16 U.S. Department of Health and Human Services website at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
17 Beeson, Ed. “Horizon BCBS notifying 840,000 members after laptops stolen with personal data.” NJ.com, Dec. 6, 2013. http://www.nj.com/business/index.ssf/2013/12/horizon_bcbs_notifying_840000.html
18 Ouellette, Patrick. “AHMC Healthcare reports 729,000-patient data breach.” HealthITSecurity.com, March 13, 2014. http://healthitsecurity.com/2014/03/13/ahmc-healthcare-reports-729000-patient-data-breach
19 Melodia, Mark S.; Boranian, Steven; Lah, Federick; and Geist, Melissa A.; “AvMed Data Breach Class Action Gets Final Approval – Payment To Be Made To Class Members Who Did Not Experience ID Theft.” PHIprivacy.net, Mar. 6, 2014. http://www.phiprivacy.net/avmed-data-breach-class-actionsettlement-payment-to-be-made-to-class-members-whodid-not-experience-id-theft
20 McGee, Marianne Kolbasuk. “Class Action Suit Filed in L.A. Breach Seeking Damages in Wake of Computer Theft Incident.” HealthcareInfoSecurity.com, Mar. 19, 2014. http://www.healthcareinfosecurity.com/class-action-suit-filed-in-labreach
21 Conn, Joseph. “Advocate Health Care Sued Following Massive Data Breach.” ModernHealthcare.com, Sept. 6, 2013.http://www.modernhealthcare.com/article/20130906/NEWS/309069953
22 Ponemon Institute LLC. “2013 Cost of Data Breach Study: Global Analysis.” Sponsored by Symantec, May 2013, https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
24 U.S. Department of Health & Human Services website, http://www.hhs.gov/ocr/priacy/hipaa/administrative/breachnotificationrule/brguidance.html
25 Press Release. U.S. Department of Health & Human Services, HHS Announces First HIPAA Breach Settlement Involving Less Than 500 Patients (Jan. 2, 2013), http://www.hhs.gov/news/press/2013pres/01/20130102a.html
26 McGann, Erin. “Q&A: OCR Director Leon Rodriguez talks audits and enforcements to come.” HealthcareITNews.com, Dec. 18, 2012, http://www.healthcareitnews.com/news/qa-ocrdirector-leon-rodriguez-audits-and-enforcement-come
Cindy Gallee received her law degree from DePaul University College of Law and her baccalaureate degree from Indiana University. She is the Manager of Medical Content and is the Compliance Officer at Context4 Healthcare located in Naperville, Illinois and which is a leading provider of software solutions for billing compliance and for the detection of fraud, waste and abuse in the healthcare industry. She holds a Registered Health Information Administrator credential and a Certification in Healthcare Compliance.