April 18, 2016

Hospitals, others beef up data security amid tougher oversight

PHOTO | Steve Laschever
Thomas Murphy and Iris Mauriello help oversee privacy compliance at UConn Health, which has installed software on employee cell phones that can remotely wipe out private data in the event of theft or loss. The program is called “bring your own device.”
PHOTO | Steve Laschever
UConn Health’s Iris Mauriello and Thomas Murphy discuss ways the care provider safeguards patient data.

If a hospital admits a celebrity, patient with an unusual disease or someone who's been in a high-profile accident, medical staff might be understandably curious.

But as privacy laws tighten, the risks of sneaking an unauthorized peek at that patient's medical records — the equivalent of medical rubbernecking — outweigh the rewards. At UConn Health in Farmington, compliance managers and IT staff say they monitor such cases particularly closely. If an unauthorized staffer is caught viewing those records, they risk termination. UConn Health has also encrypted all of its laptops.

It's just one example of how medical providers, insurers and others have beefed up their security to avoid data breaches, as state and federal regulatory oversight of patient privacy toughens.

The latest development: The federal Department of Health and Human Services (HHS) is launching new audits this year to make sure providers and others are compliant with privacy rules laid out within the 2003 federal Health Insurance Portability and Accountability Act (HIPAA). They will also be checking compliance with the breach-notification requirements Congress created in 2009, which require entities subject to HIPAA to promptly notify affected individuals after a breach.

The stakes are high for both patients and handlers of private data.

Major medical data breaches

Medical data breaches have affected more than half of Connecticut's adult population, including last year's Anthem breach, which was the largest of its kind to date — jeopardizing 1.7 million Connecticut residents' information.

In response, Connecticut lawmakers mandated that covered entities report breaches to the state Attorney General within 90 days and provide free credit monitoring to affected patients and individuals.

That same year, four Connecticut institutions — Middlesex Hospital in Middletown, Cigna Home Delivery Pharmacy, Shelton's Advanced Radiology Consultant and Rocky Hill's Numotion — reported to federal regulators that they suffered data breaches affecting at least 500 individuals each. Numotion's breach was the largest, potentially affecting 2,722 people, according to HHS data.

Not all breaches result in significant impacts on consumers, but they carry the potential for identity theft and other fraud.

On the federal front, HHS expects to conduct 200 audits this year, checking in on privacy, security and breach-notification procedures. There could be as many as several million HIPAA-covered entities in the country, which means the odds of being audited are low.

Still, it's the largest audit of its kind to date, and entities caught with serious violations face further investigations and potential fines. Though HIPAA-related fines are rare, serious violations can draw heavy penalties. Since 2009, the largest fines doled out by HHS ranged from $1 million to nearly $5 million (none of those have been in Connecticut).

Most violations will be resolved with lesser measures, and HHS has said it hopes to provide technical assistance and guidance on how to better protect patient data.

Aggressive enforcement

The audits add one more enforcement layer for Connecticut organizations that deal with patient data (called "covered entities"), including IT contractors and others who have access to providers' and insurers' databases.

The Connecticut Hospital Association (CHA) supports Congress' addition of business partners and vendors to the universe of covered entities, said Michele Sharp, CHA's vice president for communications.

"Overall, this greatly improves privacy and security," Sharp said. "Audits and focused reviews are a natural step in ensuring that all entities across the healthcare continuum remain vigilant in their adherence to HIPAA rules."

Contractors have played a role in some Connecticut breaches. In 2012, an employee of Hartford Healthcare's contractor, EMC Corp., reported a stolen, unencrypted laptop containing data on nearly 7,500 patients. Attorney General George Jepsen investigated the breach, and reached a $90,000 settlement with the companies late last year.

Since taking office in early 2011, Jepsen has squeezed approximately $200,000 in data-breach settlements from four providers, health plans and contractors, according to records provided by his office.

"Protected health information is perhaps the most sensitive of personal information, and consumers are right to expect that it be safeguarded," Jepsen said.

He described his approach to HIPAA enforcement as aggressive.

"In that spirit, I am monitoring these [HHS] audits and keenly interested to learn the level of compliance," he said.

Low chance of audit

Given the low chances of being audited and HHS' disinclination to levy fines, state oversight may actually present more of a liability to providers, said Susan Huntington, an attorney with Day Pitney in Hartford.

"I think it's important to make the point that just because [HHS] closes a file without enforcement or a fine or penalty … doesn't necessarily mean the state will take the same action," Huntington said.

Another factor that makes Connecticut somewhat unique is a 2014 state Supreme Court decision that determined that a patient affected by a data breach that leads to penalties under HIPAA can still bring a negligence lawsuit under state law.

"[HHS] may impose a fine or corrective action plan that's modest compared to what the follow-on legal action might be," said James Bowers, senior counsel at Day Pitney. "It's not necessarily a sigh of relief when [HHS] is done with you."

Compliance enforcement

Two of Greater Hartford's largest health systems, Hartford Healthcare and UConn Health, have grappled with past data breaches, but they say they've beefed up their procedures and protocols to protect patient data.

Besides its EMC-related breach in 2012, Hartford Healthcare also reported a 2011 breach affecting as many as 93,500 people.

The breach occurred after a Hartford Hospital employee saved private health information on an unsecured hard drive to work from home, and then lost the drive. That data included names, addresses, birthdates, Social Security numbers and other information.

The hospital offered free identity protection to those affected and disabled employees' ability to save sensitive data to devices through computer USB ports. It also installed programs meant to prevent malicious software and implemented encryption controls.

Beefed up training

After the EMC incident, the health system beefed up its employee training around when it is legally required to sign a formal business-associate agreement, meant to ensure a contractor will take measures to safeguard health data. No such agreement was in place at the time of the EMC breach, according to settlement records.

David Haig, vice president of compliance, audit and privacy at Hartford Healthcare, said the health system has more than 20 employees working regularly on compliance or IT security, adding that enhanced training for all employees has helped keep privacy issues top of mind since the breaches.

Staff who don't complete privacy training aren't eligible for raises.

"We're really aimed to get that into their consciousness," Haig said. "There's definitely a need for continuous vigilance."

Cynthia Snyder, Hartford Healthcare's system director of privacy compliance, said all mobile devices and thumb drives used by employees are now encrypted. If encrypted devices are lost or stolen, HIPAA doesn't require a breach notification because of how difficult it is to crack the encryption.

UConn’s Experience

In 2013, a UConn Health employee authorized to access patient data was caught perusing medical files of patients for whom she had no responsibility — a violation that impacted as many as 1,382 patients.

Iris Mauriello, UConn Health's compliance integrity and privacy officer, said that experience has led to beefed up efforts to monitor rubbernecking of certain records by medical staff.

"We look at all the access associated with those visits," she said.

Among other tactics, UConn Health also compares record access patterns among employees in similar positions, in an effort to catch discrepancies.

Mauriello said HIPAA is "probably one of the most massive programs the whole institution has to grapple with."

UConn Health also encrypts its laptops and has a "bring your own device" security program in which phones and other devices owned by employees are given capabilities to remotely wipe out patient data, should a phone be lost or stolen, said Thomas Murphy, UConn's chief information security officer.

If that security software is removed from a phone, the patient data is erased.

Copyright 2017 New England Business Media