White Paper #6. Privacy and Security

Transcription

1 The Complexity of America s Health Care Industry White Paper #6 Privacy and Security Next Wave Health Advisors and Lynn Harold Vogel, Ph.D. The Complexity of America s Health Care Industry Next Wave Health Advisors 1

2 White Paper #6 Privacy and Security Challenges in Health Care There is likely no other industry in the American economy for which federal legislation mandates requirements regarding privacy and security so specifically as has happened in health care. When health care began to adopt computerized record keeping for clinical records in the early 1990s, concerns about how to protect patient data became paramount. An early report from the National Institute of Medicine emphasized, among other aspects of a computerized patient record, the importance of maintaining the security and privacy of patients medical records. 1 When thinking about personal data, there are two types of data individuals typically wish to keep to themselves: data about their finances, and data about their health. While data about an individual s finances can certainly have an impact on status and others perception of well-being, health care data can have more far-reaching implications, providing knowledge about an individual s fitness for work, insurability, life style choices, personal history, immunities and sensitivities, etc. While one s financial data captures a particular moment in time, one s health data can reflect an entire life time. If an unauthorized person gains access to an individual s financial accounts and illegally transfers funds out of those accounts, in many cases the banks or financial institutions who were hosting the account will take responsibility for the loss and restore the amounts taken. So while the money may be gone for a time, and take time and (probably a lot) of effort to have it restored, over the long run, there are unlikely to be continuing consequences. One other area of risk for financial data loss is with credit cards, although the value here lies not in the card itself but in the financial data it contains and in particular the credit card number itself. The risk here is not in the theft of the card itself but the fact the data 1 Dick R, Steen EB (eds). Institute of Medicine. The Computer-based Patient Record. Washington DC: National Academy Press,

3 contained on the card (or in the financial records which have recorded the usage of the card) can be replicated and then used without authorization. As with the financial account cited above, the actual loss of the card data may be short term since most card issuers take responsibility for the loss of the data and any subsequent unauthorized charges made to the card. Health data, on the other hand, once exposed cannot be restored. Once an individual s HIV status has been revealed, for example, there is simply no way to undo the loss and the consequences of the exposure of health data can extend for years and impact every aspect of an individual s life. In addition, an individual s health data on file with a provider organization whether hospital, ancillary provider or physician office typically contains more than just the individual s health status. A medical record, whether on paper or electronic, can contain not only an individual s name, age and address, but identifying data such as social security number, any credit card numbers if a card has been used to pay for services, insurance policy and plan numbers, diagnostic codes, names and addresses of spouses and children and any other data collected during the course of receiving services from a health care provider. The value here is one can in effect recreate a person s identity from what is stored as part of their medical record, and subsequently submit false billing claims to both public and private payers or going further, re-create the person s identity and then use it (perhaps in conjunction with credit card data) to collect public benefits, purchase virtually anything available with a credit card, apply for a loan for a car, etc. Unlike credit card fraud, which can be revealed shortly after the data is exposed through purchases made with the card, it can take months or years before the loss of one s health data becomes apparent. One measure of the value of health data is to look at how such data is viewed by the after market, i.e., those who are interested in purchasing such data after it has been exposed. One expert has noted: Stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number, according to Don Jackson, director of threat intelligence at PhishLabs, a cyber crime protection 3

4 company. He obtained the data by monitoring underground exchanges where hackers sell the information. 2 It should not be surprising then, the number of data breaches cyber-attacks on health care institutions has increased dramatically over the past several years: According to a recent study conducted by the Ponemon Institute and sponsored by ID Experts, 91 percent of health care organizations have suffered at least one data breach in the past two years, 39 percent have experienced two to five data breaches, and 40 percent have suffered more than five. The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data also found criminal attacks in the health care sector are up 125 percent since No person working in the health care industry today whether hospital administrative employee, physician or other clinician, payer, or IT company should be unaware of both the risks and the protections surrounding health care information. We have outlined some of the risk issues above; at this point we turn to the efforts to establish protections for health care data. The foundation of health care data protections lies in the Health Insurance Portability and Accountability Act (HIPAA) 4. This legislation, enacted in 1996, was intended as a broad-based effort to reform health care particularly in regard to the collection and management of patient data. 2 Caroline Humer and Jim Finkle, Your medical record is worth more to hackers than your credit card, September 24, Cited in CFR

5 Two broad objectives were included in HIPAA: 1. Title I - Ensure individuals would be able to maintain their health insurance between jobs (referred to as health care portability); 2. Title II - Ensure the security and confidentiality of patient information/data, and in addition mandate uniform standards for electronic data transmission of administrative and financial data relating to patient health information (this is the accountability portion of the legislation). 5 Regulations which have been released by the federal government to guide the implementation of the HIPAA legislation generally fall into three areas: Administrative Simplification: Regulations which create uniform standards and requirements for the electronic transmission of health information. Security: Requires providers and others who maintain health information to maintain the security and integrity of individually identifiable health information. Privacy: Sets forth general rules for the uses and disclosures of individually identifiable health information by providers and others. 6 The complexity of the health care industry, which is the theme of this White Paper series, is increased most directly by the security and privacy provisions contained in Title II of HIPAA. The impact on every player in the health care industry has been significant, and any IT company interested in marketing products or services to health care customers needs not only to be aware of HIPAA requirements, but prepared to accommodate HIPAA requirements in what they offer. It is no coincidence that the enactment of HIPAA occurred in about the same timeframe as the initial efforts were underway to computerize patient records. When patient health information was collected, stored and managed on paper, you actually had to physically retrieve the paper record in order to read it. Given the volume of paper generated by patients with long histories of disease and/or care, one might argue there was a

6 reasonable amount of security and confidentiality associated with paper records. With computerization, this type of physical security no longer existed and the accountability aspects of HIPAA became paramount. Here is a bottom line summary of the rights HIPAA has provided to patients and must be accommodated: Health care providers and insurance companies have to explain how they'll use and disclose health information; Patients can ask for copies of all of their health information, and make appropriate changes to it, and can also ask for a history of any unusual disclosures; Patients have to give formal consent for any sharing of their health information; Patients have the right to complain to HHS about violations of HIPAA rules; Health information is to be used only for health purposes; When health information gets shared, only the minimum necessary amount of information should be disclosed; Psychotherapy records get an extra level of protection. 7 Two concepts form the core of HIPAA regulations in regard to providers and IT companies doing business in the health care industry, Protected Health Information (PHI) and Covered Entities and their Business Associates: Protected Health Information (PHI) includes any individually identifiable health information transmitted or maintained in any form or medium by a Covered Entity or its Business Associate; a subset of PHI is labeled as individually identifiable health information which includes any information related to an individual s physical or mental health or the provision of or payment for health care, and is identifies the individual 8 ; Covered Entity includes health care providers, health care plans (including insurance companies and HMOs) and clearing houses which process health data according to electronic standards. In addition, covered entities in the process of managing their business may engage business associates to assist with health care activities and functions, and these entities must have a written contract, or other arrangement, that establishes specifically what the business associate has been engaged to do and requires the business associate to

7 comply with the Rules requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules. 9 As one might imagine, there is a wealth of materials available on HIPAA legislation and the resulting implementation rules. While too extensive to review in more detail here, we would note the consequences for not complying with the rules can be significant. The American Recovery and Reinvestment Act of 2009 (ARRA) established a civil penalty structure for HIPAA violations according to the following tiered levels 10 : HIPAA Violation Minimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) they violated HIPAA HIPAA violation due to reasonable cause and not due to willful neglect HIPAA violation due to willful neglect but violation is corrected within the required time period HIPAA violation is due to willful neglect and is not corrected $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $1,000 per violation, with an annual maximum of $100,000 for repeat violations $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million Table 1. Penalties for HIPAA Violations

8 8

9 Complaints about HIPAA violations are typically made to the Office of Civil Rights (OCR) in the U.S. Department of Health and Human Services (HHS), and can come from individuals or groups of patients or from public media exposure. The subsequent investigation can focus on any or all of the following areas: Administrative security Physical security Technical security Structural requirements Policies, procedures and documentation requirements 11 Keep in mind, privacy issues and security issues, while regulated under the same set of legislations, represent two different challenges: 1. Privacy the HIPAA Privacy rule covers protected health information regardless of where it is stored; The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." 12 An excellent discussion of the Privacy rule can be found in HHS 18 page Summary of the HIPAA Privacy Rule Security the HIPAA Security rule covers electronic protected health information so information transmitted orally or on paper is not covered. The Security rule is more involved than the Privacy rule since it requires covered entities (see definition on pg. 6) to establish policies and procedures to ensure protected health information is only available to authorized users and steps are taken by the organization not only to track who is viewing this electronic information but to prevent unauthorized persons from having access. This is a summary of what covered entities are expected to do in order to comply with the Security rule: Ensure the confidentiality, integrity, and availability of all e- PHI they create, receive, maintain or transmit; 11 Articles/H/HIPAA-Violation-Equals-Trouble-for-Healthcare-Organizations.aspx#sthash.UpAlVLxw.dpuf C.F.R

10 Identify and protect against reasonably anticipated threats to the security or integrity of the information; Protect against reasonably anticipated, impermissible uses or disclosures; and Ensure compliance by their workforce. 14 HIPAA breach notification requirements did not take effect until 2009, and since then 31.4 million people have had their health information compromised because of privacy and security breaches. Interestingly, of some 80,000 HIPAA breach cases filed between 2003 and 2014, only 22 organizations were actually fined. Most of the investigations resulted in a corrective action plan, since the HIPAA regulations do permit corrections to be made without the actual levy of fines. However the visibility and amount of fines levied is increasing. Since 2009, fines totaling more than $25.1 million have been levied. In 2014 alone, nine violations resulted in fines of more than $10 million. 15 These included a fine of $4.8 million for allowing patient data to be exposed to the Internet when lacking technical safeguards and an inadequate risk management plan, a fine of $2 million for 2 organizations for having unencrypted laptops. 16 A recent Indiana Business Journal report on data security in health care was sparked in part by several significant data breaches for Indiana companies. 17 Using estimates developed by the American Action Forum, the report estimated the overall cost of health care data breaches since 2009 likely ranged from $17B to over $37B, which at the high end is more than the $30B spent by the federal government in incentives to health care providers to adopt electronic medical records. This estimate likely does not include the additional costs health care providers are incurring every day from the purchase of new security products and services and the staffing needed to oversee security measures which are now routine at health care providers all over the country. Over 300 data C.F.R (a) Major data breaches in the state of Indiana over the past year included unauthorized access to 80,000,000 records in Anthem Blue Cross, a three-time breach affecting 68,000 records from St. Vincent s Health, 43,000 records lost from a laptop belonging to Aspire Indiana, 38,000 records from stolen hard drives from the Indiana State Medical Society, and 3.9 million records from Medical Informatics Engineering. 10

11 breaches (as distinct from the HIPAA complaints mentioned earlier) have been documented for 2014, well above the 16 reported just a decade earlier. As we noted at the outset, privacy and security mandates are likely much more stringent in the health care industry than in any other industry. There is nothing more personal than an individual s health information. With HIPAA legislation and subsequent HHS rules, it is clear IT companies operating in the health care market particularly those with products and services that collect, manage or store patient information have to meet the very high standards the federal government has established, or risk serious consequences. Next Wave Health Advisors (NWHA) NWHA Advisors have substantial experience with managing IT environments within the restrictions and mandates of HIPAA legislation and rules. In many situations, they have participated in drafting and implementation organizational policies and procedures to ensure their health care organization is in compliance with all HIPAA requirements. In addition, many of the Advisors have participated in, and responded to, HIPAA audits which are periodically carried out by HHS auditors. IT companies working in the health care industry can take advantage of this expertise to improve not only their product offerings and the success of the implementation of their products, but can do so with experienced senior IT executives with truly inside knowledge of the intents, purposes, and risks associated with HIPAA compliance. 11

12 12