Life's a Breach and then You're Fined

October 12, 2009
Sean Johnson


Gerry Hinkley, a San Francisco lawyer who specializes in healthcare regulatory matters, wants to know whether you are ready for the new HIPAA privacy and security mandates. If you aren't, it is time to do your homework. Bob Dylan told us the times they are a-changin'; HIPAA has gone a step further and told us the penalties they are a-comin'. Nobody likes penalties, least of all financial ones, and if that wasn't already obvious it became crystal clear when Hinkley's session turned into the can't-miss session of the day, with physicians packing the room until it was standing room only.

Although Hinkley touched on a number of subjects, the main focus of the discussion was protected health information (PHI) and what happens to you when your patients' records are breached. It may sound like a simple, cut-and-dried matter, but it is anything but: there are multiple tiers of violations, new regulations, and harsher penalties. After all, there has to be a distinction between an employee who mistakenly accesses something they shouldn't and then makes sure the problem is fixed, and hospital employees who maliciously steal records and sell them, as in the Octomom case in California. The easiest way to avoid any kind of HIPAA problem is to make sure your patients' PHI is secured; by definition, secured PHI cannot be breached.

What is a breach?

But before going any further, what exactly constitutes a "breach"? The HIPAA definition is as follows: the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of the PHI, that is, poses a significant risk of financial, reputational, or other harm to the individual. The breach rules apply to unsecured PHI; PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons (in practice, properly encrypted or destroyed) falls outside them. Going a step further, "access" is defined as the ability to read, write, modify, or communicate data or otherwise use any system resource. Got it? Ok, moving on then...

What do you need to do in the event of a breach?

Even the most careful physician can run into a breach. That is why it is important to know exactly what to do should you ever find that a patient's PHI has been breached. For starters, you must notify the affected patients without unreasonable delay and no later than 60 days after the breach is discovered. If there is a possibility of imminent misuse of the information, a telephone call must be made in addition to the required written notice. If the breach affects more than 500 people in a state or jurisdiction (which happens more often than you would think), you must also promptly notify prominent media outlets and the Secretary of Health and Human Services (HHS); smaller breaches are logged and reported to HHS annually. In every case the notification must describe what happened, including the date of the breach and the date of discovery, the types of PHI involved, the steps the affected individual should take to protect themselves, what you are doing to investigate and mitigate the breach, and how to contact you.

What penalties am I susceptible to in the event of a breach?

These are the penalties imposed, courtesy of Mr. Hinkley’s slide presentation:

  • Tier A (the offender did not know, and by exercising reasonable diligence would not have known, that he or she violated the law): $100 per violation, up to $25,000 per year for identical violations
  • Tier B (the violation was due to reasonable cause and not willful neglect): $1,000 per violation, up to $100,000 per year for identical violations
  • Tier C (the violation was due to willful neglect but was corrected): $10,000 per violation, up to $250,000 per year for identical violations
  • Tier D (the violation was due to willful neglect and was not corrected): $50,000 per violation, up to $1,500,000 per year for identical violations

As I mentioned before, the easiest way to stay out of a breach situation is to secure your patients' PHI. Note that a password on a laptop or an account does not by itself make the PHI "secured" in the HIPAA sense; encrypting the data does, as long as the key is not stored alongside it or compromised with it. If you rely on encryption settings or passwords, don't make it easy for others to crack the system. (If your password is "password," you are likely to be held accountable for not properly securing the data.)

In the end there is always going to be some risk (especially since these HIPAA regulations are ripe for whistleblowers), but if you take the necessary steps and precautions to keep your patients' information secure, you should not have much to worry about.