The large data breaches that compromise the protected health information (PHI) of thousands of people are the ones that receive all the attention, but the smaller violations of the Health Insurance Portability and Accountability Act (HIPAA) can be just as harmful, if not more so, to those involved. Healthcare leaders too often devote most of their attention to the large breaches and not enough to the more common, smaller violations, experts say.
A breach involving 500 to 10,000 patients generally is considered small in the healthcare community. The ramifications of a large data breach are well known, notes Deborah Gersh, JD, an attorney with the Chicago law firm of Ropes & Gray, but a breach involving only 500 patients still can be serious for the hospital or health system. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) uses 500 affected individuals as the cutoff in its breach reporting rules: a breach affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after it is discovered, while breaches affecting fewer than 500 individuals may be logged and reported annually, within 60 days of the end of the calendar year in which they were discovered. Once a breach of 500 or more is reported and posted on the OCR web site, the information is available to anyone.
“There are people who troll the site looking for breaches that have the potential for class action on the state level,” Gersh warns. “And the report of 500 or more triggers an automatic inquiry by OCR. That can be a fairly robust response that will be a significant event for the healthcare provider.”
In addition, OCR will want to see the healthcare entity’s HIPAA risk analysis. Even if the analysis was conducted under privilege, OCR takes the position that it can access the document because the analysis is a required document for HIPAA compliance, Gersh says. OCR will retain a copy of the analysis in its records, which are subject to Freedom of Information Act requests and other public access.
“Sometimes that analysis is very honest in describing the things that could be improved, particularly when the company gets a third party to conduct the analysis and make it as objective as possible,” Gersh says. “That can place the company in a very vulnerable position if that information is disclosed and someone wants to use it against the hospital in litigation.”
ACTION PLAN CAN BE COSTLY
A small breach can lead to a corrective action plan, just as with larger breaches, and that plan can create significant costs for the healthcare entity, Gersh says.
The plan may call for updating security and data management systems, improvements that can be a financial challenge for smaller hospitals or systems, she says. They already are squeezed by the cost of system updates that used to come every few years but now are sometimes needed on a monthly basis, and adding improvements from a corrective action plan can make their data management costs rise even more. (A noteworthy civil monetary penalty from OCR involved fewer than 500 records. See the story later in this issue.)
“I see a lot of smaller hospitals and doctors’ offices struggle with that,” Gersh says. “A corrective action plan commonly calls for more training for staff, and that carries a price both in terms of paying someone for the training and also in terms of staff time away from their jobs. These costs add up, and a corrective action plan can force you to make improvements and updates that you had not budgeted for yet.”
The smaller violations, those involving fewer than 500 patients, are less likely to be the result of a deliberate intrusion by hackers, who typically can reach many thousands of records once they are inside a system. They are more likely to result from carelessness by employees, such as leaving a laptop in a public place, Gersh says. Because these incidents are so common, hospital administrators must not lose focus on educating employees about the physical security of data while they concentrate on the complexities of digital security, she says.
Administrators should seek opportunities to reinforce the need for physical security of documents and hardware, Gersh suggests. Some facilities have a HIPAA security huddle with staff at regular intervals, in which employees and administrators can discuss any questions and note possible security risks, she notes. Others send casual “Did you know…” reminders by email to reinforce good security practices. In either format, the administrator might point out that patient charts were left unattended at a nurses’ station, for example, or that a jump drive was left at a computer station.
“The anecdotal reports have a big impact on staff,” Gersh says. “The employees can see how all the talk about HIPAA security manifests itself in their daily routines.”
Instilling the right culture may require educating the top brass, in addition to the front-line employees who handle PHI. The culture of a healthcare institution must emphasize that smaller HIPAA violations are as important as the larger ones, and the culture emanates from the C-suite, says Susan Tellem, RN, BSN, APR, a partner with Tellem Grody Public Relations, in Los Angeles, which assists providers with the response to HIPAA violations.
“It’s death by a thousand cuts. If you don’t have a culture that takes these smaller violations seriously, they add up, and it becomes a bigger problem,” Tellem says. “This is a top down issue, and the board of directors often doesn’t even understand HIPAA. The CEO and the board of directors need to understand that it’s not just the big fish that they should worry about, that the culture has to instill a respect for HIPAA security on an individual level.”
The impact on the individual whose data is compromised can be significant whether that one person constitutes the entire breach or is one of thousands, Tellem notes. When private information is released, someone may use that data in a way that harms the person financially or personally, and the healthcare entity that failed to protect it will be held responsible.
A large breach immediately brings the likelihood of fines from OCR, the associated costs of a corrective action plan, and bad publicity for the institution. But with a smaller breach, there is still the potential for major liability, Tellem notes.
“If someone loses a job or a patient is revealed to have HIV or mental health problems, something not always looked kindly upon by the general population, that becomes a liability for the institution, which can face huge lawsuits,” Tellem says. “Those lawsuits will generate publicity, which also harms the hospital’s reputation. All of that can come from failing to protect just one patient’s protected health information.”
One area of particular risk arises when a healthcare entity wants to tell a patient’s story or use before-and-after photos, Tellem notes. Such material is highly desirable for marketing purposes, but the healthcare provider must be certain that the patient has provided written permission for the use of the story or photos in every intended format. Don’t overlook getting permission for the material to be used in social media, she advises.
Tellem agrees with Gersh that ongoing staff education is key to preventing smaller HIPAA breaches, with anecdotes about how privacy can be compromised inadvertently.
“Use breaches at other institutions as an example so that it doesn’t happen at yours. If you just say ‘be careful with patient data,’ that doesn’t mean much,” Tellem says. “But if you talk about how a nurse somewhere else took a selfie that happened to show patient data in the background, they can relate to that. Front-line employees might not think they have much to do with preventing a loss of 50,000 records, but you can remind them that they have a lot of control over the security of each individual record they handle.”
Deborah Gersh, JD, Ropes & Gray, Chicago. Email: [email protected].
Susan Tellem, RN, BSN, APR, Partner, Tellem Grody, Los Angeles. Telephone: (310) 313-3444. Email: [email protected].