Two attorneys recently analyzed the cost of a data breach in an article in The Metropolitan Corporate Counsel. Analyzing calculable costs such as breach notification, civil monetary penalties, litigation, and credit monitoring services is necessary to determine the full financial impact a data breach can have on an organization, the article said.
A breach can also result in what the article describes as “non-calculable costs,” such as reputational damage. In cases involving more than 500 affected individuals, this can include information about your breach posted on the HHS website. Other nonmonetary costs include undesirable media attention and the loss of patient and public trust, according to The Metropolitan Corporate Counsel.
The article concluded that the potential monetary and nonmonetary costs associated with a breach are reason enough for HIPAA-covered entities to implement effective privacy and security procedures.
The PHI of approximately 90,000 UW Medicine patients was compromised when a health system employee opened an email attachment containing malicious software (malware) in October, according to a statement on the UW Medicine website.
The malware accessed data from the health system’s Harborview Medical Center and University of Washington Medical Center patients. The files may have contained patient names, dates of birth, medical record numbers, addresses, telephone numbers, dates of service, amounts charged for services, Social Security numbers, and Medicare numbers where applicable, according to UW Medicine. The health system does not believe the breach was a targeted effort to obtain patient data, according to the statement.
Q. I work for a physician practice with five locations. One location is home to our walk-in clinic, which provides care for patients throughout our organization and the general public. We want to create a smartphone application that will allow patients to reserve appointment windows at our walk-in clinic. We would require patients to enter only their full name and email address to reserve a time. How can we ensure the application is HIPAA-compliant?
A. Smartphone applications can include encryption requirements. You should encrypt transmissions of even limited PHI if it is reasonable to do so. If the cost is prohibitive or it makes the application unusable, you likely do not want to encrypt transmissions. If you elect not to encrypt transmissions, it is highly recommended you inform patients of the risks associated with sending unsecured PHI over the Internet. Also, be sure to document that you’ve assessed the risk and, if you elect not to include data encryption, you are accepting the risk.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLP, in Portland, Ore., answered this question. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Email your HIPAA questions to Associate Editor Jaclyn Fitzgerald at email@example.com.
Minnesota-based Allina Health System recently fired a medical assistant at its Inver Grove Heights Clinic for inappropriately accessing medical records of 3,807 patients from February 2010 to September 2013, Pioneer Press reported.
Allina Health System includes 11 hospitals and more than 50 clinics. The privacy breach was not limited to patients seen at the Inver Grove Heights Clinic, according to Pioneer Press. The unidentified medical assistant accessed patients’ demographic, clinical, and insurance information, along with the last four digits of their Social Security numbers. There was no evidence that the medical assistant used the information for financial gain, according to the article.
Allina Health System offered complimentary identity monitoring services to affected patients, who received letters notifying them of the breach. In response to this incident, the health system is reevaluating its patient information policies and is examining computer security, Pioneer Press reported.
This is not the first time Allina Health System fired employees for snooping through medical records. In 2011, the health system terminated 32 employees for inappropriate medical record access following a mass overdose in Blaine, Minn., according to Pioneer Press.
Representative Chris Collins, R-New York, asked four security experts a series of yes-or-no questions about the Obamacare website during the House of Representatives Science, Space and Technology Committee hearing, according to Reuters. When asked if they thought the site was secure, the experts unanimously answered “no.” When asked if the site should be shut down pending the resolution of security issues, three experts said “yes” and one said he did not have enough information to respond, according to the article.
The website collects PHI including names, dates of birth, Social Security numbers, email addresses, and more.
What are your thoughts about the ongoing HealthCare.gov security issues?