It is a familiar story: a government agency initiates a HIPAA law enforcement action based on alleged violations of the HIPAA Security Rule:
- The provider did not develop or implement a comprehensive information security program.
- The provider did not use readily available measures to identify foreseeable security risks on its networks.
- The provider did not train employees on safeguarding patient personal information.
- The provider did not require periodic changes to passwords and other user authentication measures.
- The provider did not update the operating systems of its computers, making them vulnerable to known security risks.
- The provider did not take steps to prevent or detect unauthorized access to personal information on its computer networks, or to prevent employees from installing software not authorized by the organization.
Sounds like an investigation by the Office for Civil Rights into a HIPAA security breach, right? Wrong! These findings come from a HIPAA law enforcement action by the FTC against a clinical laboratory that not only failed to take preventive measures, but whose employees used applications that virtually guaranteed exposure of PHI outside the organization.
HIPAA Law enforcement actions can have their roots in common errors
The problem started when the billing manager installed a peer-to-peer (P2P) file sharing application on his computer and began designating certain files, including files containing PHI, for sharing. This permitted other users of the same file sharing application to access those files. Four years later (!), police found information that came from the shared files in the possession of suspects arrested for identity theft.
So how did this become an FTC case? The FTC took this action under Section 5(a) of the Federal Trade Commission Act, which prohibits unfair acts or practices affecting commerce. It was unfair of the laboratory to manage its information systems so poorly that the personal information of thousands of its “consumers” went unprotected, with no countervailing benefit to those consumers.
Whew!
This is not the first time the FTC has brought a HIPAA law enforcement action involving the privacy or security of PHI. In a 2009 settlement with CVS Caremark, a large retail pharmacy chain, the FTC determined that CVS was engaging in deceptive trade practices by not disposing of PHI properly. The FTC emphasized the CVS language on its privacy notice that “CVS/pharmacy wants you to know that nothing is more central to our operations than the protection of your health information”. Disposing of patient information, including pill bottles with patient labels, in the dumpsters outside the stores, after making sweeping assurances about protecting privacy, was a real trigger for the FTC. Who knew anyone would take such claims, often made for marketing or PR purposes, seriously!
Learning from a growing list of HIPAA Law enforcement actions
So what lesson can we take from these and other examples of HIPAA law enforcement actions (e.g., fines and long monitoring periods)? There is no substitute for a HIPAA Security Rule assessment, for written policies and procedures on security and privacy, and for monitoring your systems for compliance with your policies. Besides, the HIPAA Security Rule regulations have required such an assessment for 10 years now!
There is already a high level of distrust of electronic health records among the public. HIPAA law enforcement actions inevitably reveal other weaknesses in the HIPAA Privacy Rule and HIPAA Security Rule compliance by the organization. And they are expensive to defend and can be very damaging to your reputation. Don’t let your healthcare organization become a victim of negative publicity by victimizing your patients through poor security of their health information!