The Department of Health and Human Services (HHS) has announced a settlement over a data breach with Skagit County in Washington state. While the settlement ultimately covered a number of issues, including the inadequate protection of PHI for nearly 1,600 people, the breach that triggered the investigation involved a mere seven people. Proper use of encryption software could have prevented the entire situation (assuming encryption was an appropriate safeguard for the data in question), because HIPAA regulations provide a safe harbor when sensitive data is either encrypted or destroyed.
First Settlement with a County Government
The HHS’s deputy director of health information privacy was quoted as saying:
“This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size…. These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.” [phiprivacy.net]
The message appears to be that government entities are not exempt from HIPAA rules (they were never exempt per the letter of the law, but there is the law and there is the actual practice of doing things), and that the number of people affected does not really determine whether the Office for Civil Rights (OCR) will pursue a covered entity after a HIPAA breach.
Indeed, past settlements range from situations that affected fewer than 200 people (Mass General Hospital, settled for $1 million in 2011) to over 1 million people (BCBS Tennessee, settled for $1.5 million in 2012).
The message, then, is loud, clear, and consistent: every covered entity, whatever its size or type and however small or large a breach, needs to take HIPAA and the HITECH amendments seriously. There is no “pass” just because you fit (or don’t fit) a certain superficial profile.
What to Do
So what is a HIPAA covered entity to do? There are many things to consider. HIPAA/HITECH guidelines are complex, long, sometimes incomprehensible, and seemingly contradictory. However, in certain areas the expectations are clear, even if they are found not in the regulations themselves but in the enforcement decisions OCR has taken.
First, ensure that PHI is encrypted when patient information is stored digitally. While the use of medical encryption programs is not strictly a requirement, it is not optional either: the rules essentially state that encryption, or a safeguard as effective as encryption, must be used to protect ePHI. There are loopholes, but a covered entity rarely finds itself in a situation where they apply.
Second, make sure that everything is documented, including the fact that you encrypted PHI. There is a difference between doing something and proving that you did it: in the former case you are taking care of your patients; in the latter, you are taking care of yourself. If something goes wrong, you have to be able to prove that you played by the rules. For example, AlertBoot’s cloud-based full disk encryption and mobile device management for smartphones and tablets always (always!) generates an automatic report for each protected device. That report has been used as documentation when regulatory agencies and other overseers come knocking.
Third, remember that HIPAA/HITECH is not just about ePHI. Much paperwork is still on paper, and those records need to be secured in some fashion as well.
There’s more, of course, but these should get you started in tackling some of the bigger, immediate things that need to be done.