HIPAA CASE STUDY- BREACHES OF PHI IN HEALTHCARE Amanda Foster Erin Frankenberger.

Presentation transcript:


Healthcare Security Breach Facts
- 61% of organizations are not confident of where PHI is physically located
- 69% of hospitals don't have the proper controls or policies to detect and respond to breaches
- 29% of hospitals feel that protection of PHI is a priority
- Between over 18 million patient records were breached
- Between there was an increase of 32% in the number of records breached
- Laptops and other portable devices (tablets, smartphones, etc.) are the number one cause of PHI breaches (Redspin, 2011)

Case Study: HHS Settlement
- In 2010 a physician's laptop was stolen while abroad
- The computer contained PHI
- The information was not encrypted
- The Massachusetts hospital reported the incident to HHS
- HHS found six areas of noncompliance with the HIPAA Privacy and Security Rules
- The hospital did not have to admit guilt
- HHS was paid $1.5 million in a settlement

What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996:
- Provides continuity of care
- Controls fraud
- Assists in controlling abuse in healthcare
- Reduces healthcare costs
- Guarantees security and privacy of health information

What is PHI?
- Names
- Geographical identifiers
- Dates directly related to the individual
- Phone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record (MR) numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers (license plate, serial numbers, etc.)
- Device identifiers
- URLs
- IP address numbers
- Biometric identifiers (fingerprints, retinal and voice prints)
- Full face photographic images
- Any other unique identifying code or characteristic

What is considered a Breach?
- Unauthorized use or disclosure of PHI
- Anything that may compromise the security or privacy of PHI
- A disclosure that poses a significant risk to the individual
- Some exceptions: a) unintentional access by an employee; b) inadvertent disclosure of PHI

What is the Main Cause of PHI Breaches in the Healthcare Industry?
- The main cause is lost or stolen laptops
- A growing concern is 'BYOD' (bring your own device), which includes the use of: a) smartphones; b) tablets; c) any other high-tech data-collecting device

What is encryption of data?
- Encryption technology uses cryptography to encode digital data and information (LaTour, 2010)
- Information can be transmitted over communications media, and the sender knows that only the intended recipient can make sense of it
- Symmetric or single-key encryption: the software assigns a secret key or code, and for the encryption to work both the sending computer and the receiving computer must have the same key
- Asymmetric encryption, also known as public key encryption and the basis of public key infrastructure (PKI): the two computers are not required to have the same key to decode messages
- Each computer has a private key that it keeps to itself, and a public key that it gives to the computer it wants to exchange encrypted data with

What other protective measures can be implemented to prevent PHI breaches from occurring?
- Firewalls are hardware and software security devices situated between the routers of a private and a public network (LaTour, 2010)
- They protect computer networks from unauthorized outside users, and they can also protect entities within a single network
- Audit trails are another preventive measure, which can provide evidence of computer system utilization
- These chronological sets of records can assist in determining whether there were any security violations, and can often identify areas for improvement
- Some suggested data elements tracked in healthcare information system audit trails are: date and time of event, patient ID, user ID, access device used, type of action (read, print, update, or add), source of access, software application used, and reason for access (patient care, research, billing, etc.)
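An added example, not from the original slides, of how the audit trail elements listed above can be turned into detection: it parses constructed audit lines carrying those fields and applies two checks, one for a user reaching many distinct patient records in a short window, and one for PHI printed off-site or accessed from a personal device. The log format, user IDs and thresholds are assumptions for the demonstration.

```javascript
// Constructed audit trail lines carrying the data elements listed above:
// timestamp|patient ID|user ID|access device|action|source|application|reason
const auditLog = `
2013-02-18T08:02:11Z|P1001|nurse42|ws-icu-03|read|onsite|EHR|patient care
2013-02-18T08:05:40Z|P1001|nurse42|ws-icu-03|update|onsite|EHR|patient care
2013-02-18T08:07:02Z|P2200|clerk07|laptop-17|read|remote|Billing|billing
2013-02-18T08:07:30Z|P2201|clerk07|laptop-17|print|remote|Billing|billing
2013-02-18T08:08:05Z|P2202|clerk07|laptop-17|read|remote|Billing|billing
2013-02-18T08:08:40Z|P2203|clerk07|laptop-17|read|remote|Billing|billing
2013-02-18T09:15:00Z|P3300|dr_lee|byod-phone|read|remote|EHR|research
`.trim().split('\n');

function parseAudit(lines) {
  return lines.map(line => {
    const [ts, patientId, userId, device, action, source, application, reason] = line.split('|');
    return { ts: new Date(ts), patientId, userId, device, action, source, application, reason };
  });
}

// Rule 1: one user reaching more than maxPatients distinct records inside a
// sliding window of windowMs; a common sign of browsing or bulk export.
function findBulkAccess(events, maxPatients, windowMs) {
  const byUser = {};
  for (const e of events) (byUser[e.userId] = byUser[e.userId] || []).push(e);
  const flagged = [];
  for (const [userId, evs] of Object.entries(byUser)) {
    evs.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i < evs.length; i++) {
      const patients = new Set();
      for (let j = i; j < evs.length && evs[j].ts - evs[i].ts <= windowMs; j++) {
        patients.add(evs[j].patientId);
      }
      if (patients.size > maxPatients) { flagged.push(userId); break; }
    }
  }
  return flagged;
}

// Rule 2: PHI printed off-site, or any access from a personal (BYOD) device,
// both of which the slides single out as the main source of breaches.
function findRiskyDeviceAccess(events) {
  return events.filter(e =>
    (e.source === 'remote' && e.action === 'print') || e.device.startsWith('byod'));
}

console.log('bulk access by:', findBulkAccess(parseAudit(auditLog), 3, 5 * 60 * 1000));
console.log('risky device events:', findRiskyDeviceAccess(parseAudit(auditLog)).length);
```

In a real deployment the same rules would run over the EHR's exported audit records rather than an inline string, and the thresholds would be tuned per role.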

Are there any regulations or legislation in place for the use of mobile devices?
- Mobile health applications (mHealth apps) are coming under the microscope in legislation
- There is no formal regulation regarding how PHI is collected through mobile devices
- Hank Johnson, a representative from Georgia, proposed the Application Privacy, Protection and Security Act of 2013 (APPS)
- It is only in the draft phase, but if it were approved, developers would have to disclose how they collect personal data and what other parties would have access to this data

What are the repercussions of breaching PHI?
- Civil: $50,000 per incident, up to $1.5 million per calendar year for violations that are not corrected
- Criminal: $50,000 to $250,000 in fines and up to 10 years in prison
- In addition, institutions that fail to correct a HIPAA violation may be fined up to $50,000 per violation

When must a breach be reported and to whom?
- The HHS website states that once a breach has been identified, the covered entity must inform the affected individuals
- Notice is given in writing by first class mail, or electronically if the individual elected to receive notices that way
- The notifications have to be provided no later than 60 days following discovery of the breach
- The written notice must include a description of the breach and the steps the individuals should take to protect themselves from harm
- It should also include information on what the covered entity is doing to investigate the breach and how it will prevent future breaches
- After notifying the media, the covered entity must contact the Secretary through the HHS website and fill out a breach report form
- If more than 500 individuals are involved, the covered entity is required to provide notice to media outlets serving the State or jurisdiction (usually done in a press release)
- It must then notify the Secretary within 60 days
- If fewer than 500 patients were affected, the breach is reported on an annual basis
- If the breach happens at a business associate, the business associate must notify the covered entity following discovery of the breach

To improve the situation...
- There should be tighter standards for the use of electronic devices
- The use of personal devices should be prohibited
- Office devices (laptops) should not be allowed outside of the facility
- Organizations should strictly adhere to policies and procedures involving electronics

References
- Breaches Affecting 500 or More Individuals. (2013, February 7). United States Department of Health and Human Services. Retrieved from
- Dolan, P. L. (2012, September 28). Large settlement for data breach sends message to lock up laptops and smartphones. American Medical News. Retrieved from assn.org/amednews/2012/09/24/bisg0928.htm
- LaTour, K. M., & Eichenwald, S. (2010). Health information management: Concepts, principles, and practice (3rd ed.). Chicago, IL: AHIMA.
- Low-Tech Security Risks Still Leading Cause of Breaches. (2011, July 19). Journal of AHIMA. Retrieved February 18, 2013, from tech-security-risks-still-leading-cause-of-breaches/?mobile_switch=mobile
- Nordqvist, C. (2012, December 7). Data Breaches - A Growing Problem In Healthcare Organizations. Medical News Today. Retrieved from
- Redspin. (n.d.). Breach Report 2011: Protected Health Information. Retrieved from