HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Health system's data breach insurance claims get challenged


What happens when a health system with liability insurance fails to secure the protected health information of its patients and is hit with a $4.13 million class action settlement for it? The civil action brought by one insurance company suggests that the claim money doesn't come easily if you fail to follow the minimum required security practices.

In December 2013, the three-hospital Cottage Health System in California notified 32,755 of its patients that their protected health information had been compromised after the health system and one of its third-party vendors, inSync, stored unencrypted medical records on a system accessible from the Internet. As a result, the data may have been publicly available through search engines such as Google.

The health system, which had a liability policy with Columbia Casualty Company, is now being challenged by the insurer in court. The Chicago-based insurance company, which operates as a subsidiary of Continental Casualty Company, is contesting Cottage Health System's claims, which thus far total nearly $4.13 million in settlements with patients, saying the health system "provided false responses" to a risk-control self-assessment when it applied for the liability policy.

Columbia officials in a complaint filed this May point to an exclusion pertaining to failure to follow minimum required practices. This exclusion, they write, "precludes coverage for any loss based upon, directly or indirectly, arising out of, or in any way involving '(a)ny failure of an Insured to continuously implement the procedures and risk controls identified in the Insured's application.'"

The health system's data breach, as Columbia officials allege, was caused by Cottage's "failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network."

In its application for the liability policy, Cottage Health System made "misrepresentations" regarding its security practices, and as such, Columbia is seeking reimbursement from the health system for the full $4.13 million that it had paid to Cottage thus far, in addition to attorney fees and related expenses.

In part of the application, Cottage answered "yes" to performing due diligence on third-party vendors to ensure that their data-protection safeguards are adequate; to auditing these vendors at least once per year; and to requiring that these third-party vendors have "sufficient liquid assets or maintain enough insurance to cover their liability arising from a breach of privacy or confidentiality." According to the complaint, the vendor that contributed to the data breach, inSync, does not have sufficient assets or insurance to cover the breach.


HIPAA Data Breaches on the Rise


CHICAGO -- The number of health data breaches has been increasing in recent years, and the most frequent type was theft, Marion Jenkins, PhD, said here at the annual meeting of the Healthcare Information and Management Systems Society.

Since 2009, there have been 1,185 data breaches as defined by the Health Insurance Portability and Accountability Act (HIPAA), said Jenkins, who is chief strategy officer at 3t Systems, a healthcare consulting firm in Denver. And the pace is accelerating, with an increase of more than 50% in the last 12 months. Breaches have so far affected 133 million patient records.

The smallest reported breach was of 441 records at the Hospice of Northern Idaho. "You don't have to be a really large organization to end up on the list," Jenkins said. The largest breach involved 80 million records at the health insurer Anthem; the latter case, which involved hacking, was "particularly disturbing" because it involved both employee and patient data, he added.

Paper, Electronic Data Covered

HIPAA requires providers to "secure all electronic protected health information against accidental or intentional causes of: unauthorized access, theft, loss or destruction, from either internal or external sources," Jenkins explained. HIPAA security regulations govern electronic records, while HIPAA's privacy rules apply to paper records.

Healthcare providers should also be aware that, in addition to regulating the privacy of paper records, HIPAA covers data on all types of electronic media -- not just EHRs and data stored on laptops and computers, but also any data that winds up on memory sticks and cards, smartphones, and even fax machines and copiers. Most fax machines and copiers are no longer single-purpose devices; they also function as scanners and printers, which means they hold electronic data, Jenkins said.

The amounts of money involved can be astronomical, according to Jenkins, who noted that two companies with large breaches -- Sutter Health and SAIC -- are both facing multibillion-dollar class action lawsuits.

In terms of the cause of the breaches, thefts were the most common, at 55%, followed by unauthorized access (19%) and "loss" (12%). The rest of the breaches -- 14% -- were listed as "other," according to Jenkins, citing data from the Department of Health and Human Services.

The largest single source of data breaches has been laptops, accounting for 25% of breaches. That fact "begs the question: why is healthcare data on a laptop?" Jenkins said. Laptop theft is a particular problem: Stanford Children's Hospital in California is a five-time data breach offender, and at least three of the breaches involved laptops being stolen from physicians' cars.

Laptops were followed by paper records (23%), other portable electronic devices (12%), computers (11%), and servers (10%). Another 19% were listed as "other."

Making It Easier to Do the Right Thing

One reason people end up having protected health information on a laptop is that, in many cases, it takes so long to get into the EHR system that people think, "By golly, when I get into the system, I'm going to download the data and put it on my local workstation so I can get some dang work done," Jenkins said. "As IT professionals, we have to design and implement systems that make the right way the easiest way.

"It won't work to try to make longer usernames and passwords, because they'll just put in the longer usernames and passwords and download the data so they can work on it locally; that drives them even more toward the behavior we don't want them to do. We need to have the cloud services [be] the fastest way rather than downloading the data so they can get their work done."

Some organizations say they don't have anything to worry about because they use an electronic health record (EHR) that is "HIPAA-certified." However, said Jenkins, there are two problems with that assertion: first, there is no such thing as a HIPAA-certified EHR. Second, "the EHR isn't the problem ... it's the user behavior when they're pulling reports, pulling data out of the EHR and then having a breach with that," he said.

Moving healthcare data to the cloud does not necessarily solve a problem with data breaches. Although some cloud services are HIPAA-compliant, "most public cloud services [such as Gmail and Hotmail] are not," Jenkins said. "And if you have poorly designed and poorly run IT, and you simply move it to the cloud, you just shifted your local problems to the cloud; you didn't solve them."

If, on the other hand, moving records to the cloud is done properly, "it's a heckuva lot better than having [the data] on a laptop," he added.

What's Missing From HIPAA

There are some things the HIPAA regulations don't address, Jenkins said, such as how long passwords have to be or how often they should be changed. Regulations also don't address timeout or logoff intervals or the type of encryption required for use with Wi-Fi -- technically, that means WEP encryption is HIPAA compliant, even though it's easily breached, he noted.

He said he was "shocked" that the words "laptop" and "smartphone" don't appear in the HIPAA regulations.

What are the biggest data breach threats to a healthcare organization? That depends on the number of records being held. Those with 500,000 to 1 million records are attractive targets for hackers; but "in little organizations, the biggest threat is from an internal user," he said.

"Now that credit card companies can shut down cards quickly once they are stolen, credit card numbers aren't worth very much to hackers, maybe a dollar each on the open market," Jenkins said. "Health records are five to ten times more valuable [because] they can use them to do unauthorized or fraudulent Medicare or Medicaid billing; they set up a sweatshop where they can bill over and over again."
