If you are in the healthcare industry, there’s a very good chance you have been or will be involved in one of the many data breaches happening right now. Since 2009, about 29 million patient health records have been compromised; Redspin Inc. reports an astounding 138-percent increase occurred in 2012 alone.
These numbers are not only concerning as a patient, but also come at a hefty price to those responsible. Last year, the U.S. Department of Health and Human Services (HHS) announced stronger privacy and security protections under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The HIPAA Omnibus rule came into effect September 2013, and promised to “bring hefty fines, more audits and added enforcement pertaining to the issue of patients’ protected health information,” reports claimed.
In fact, fines levied at the HHS level can be as much as $1.5 million per incident per year.
But it wasn’t the HHS that imposed the nearly $7 million in HIPAA fines this year to Puerto Rican insurance holding company, Triple-S Management Corp. It was Puerto Rico’s Health Insurance Administration. And this time, the fine was unprecedented.
What’s even more interesting about this case is that the data breach wasn’t a theft, like the approximately 83 percent of data breaches that happened in 2013; nor did it fall into the 35 percent of cases where loss or theft of a portable electronic device was the cause.
This time, the data breach was a mistake, and it involved direct mail.
According to reports, Triple-S Management Corp.’s subsidiary, Triple-S Salud Inc. (TSS) sent mail that inadvertently displayed and compromised more than 13,000 Medicare Health Insurance Claim Numbers (assigned by the Social Security Administration).
The Puerto Rico Health Insurance Administration said TSS did not take the required steps in response to the breach.
Some say the costly mistake could garner an additional fine from HHS; but so far, only 17 out of the more than 90,000 data breach cases brought to HHS’s Office for Civil Rights (OCR) have resulted in fines.
Suffice it to say, data breaches in healthcare aren’t going away any time soon. What’s more, a seemingly simple mistake can cost millions. Here’s how you can prepare …
HIPAA Data Breach Prevention Plan
There’s an important lesson and equally important consideration emerging from this latest HIPAA data breach case. I’ll outline both as key components in your data breach prevention plan.
1. A data breach could be a simple mistake, avoidable through risk analysis.
Back in September, OCR’s director, Leon Rodriguez, told HealthcareITNews.com his department would be “holding people accountable” for patient data breaches, but pointed out breaches were preventable through preparation.
The failure to perform a “comprehensive, thorough risk analysis and then to apply the results of that analysis” was one of the biggest problems HIPAA-covered entities faced, said Rodriguez.
In a previous post, I outlined some ways organizations can prepare for a data breach in general. In the healthcare industry, this includes assessing risk by walking through key questions like:
- What is the most likely source of a data breach?
- Who is responsible for patient privacy at the organization?
- What kind of data do we collect? How long do we store it?
- Where is our data physically located?
- How do we dispose of sensitive data?
- What training do we currently provide our employees on patient privacy and handling sensitive information?
Then, do as Rodriguez recommends, and put what you’ve learned into action before a data breach ever occurs. That way, if and when a situation arises, your organization can carry out the proper procedures to avoid any additional penalties.
2. A data breach can be covered by insurance, including fines levied.
Many cyber insurance policies in the healthcare industry cover broad forms of data exposure, from technology being compromised to other ways patient health information could be revealed – including mistakes similar to those made by TSS in Puerto Rico.
Some scenarios might include:
- Improper destruction of patient health records.
- Unknowingly exposing patient information through the various ways data is stored, as was the case with Affinity Health Plan and a leased photocopier.
What you may not know is that under the network security and privacy breach components of an insurance policy, fines related to a data breach can be covered. This is fairly unique because most types of insurance policies exclude fines and penalties.
However, most cyber policies sublimit the coverage for fines and penalties, so it is important to read the fine print to understand how much coverage you would have for fines in a data breach.
Other data breach costs that can be covered include forensic IT work, PR/communication strategy, notifying customers and providing identity theft monitoring coverage and more. Your insurance broker should be able to help you navigate and negotiate the terms you need.
Preventative Care is the Best Care for Healthcare Organizations
Healthcare is one of the most challenging industries when it comes to protecting sensitive data, because managing health, not technology, is the primary focus of health organizations.
But a thoughtful plan of action including risk assessment and securing the proper insurance will allow you to focus on the human side of healthcare, knowing that you are prepared to handle a data breach.