In February, Anthem Inc., the country’s second-largest health insurer, announced that hackers breached its IT system and gained unauthorized access to the personal information of as many as 80 million of its current and former clients and employees.
The information accessed included names, birthdays, medical identification numbers, Social Security numbers, street addresses, email addresses and employment information. Although your practice may not be the primary target of hackers, it may nonetheless be vulnerable to security breaches that could have a devastating effect on both you and your patients.
Like Anthem, many physician practices electronically maintain and transmit personally identifiable information. A security breach involving personally identifiable information presents an even greater risk of identity theft than a breach of payment card data. This type of breach can also lead to medical identity theft (i.e., the use of stolen information to obtain medical care or purchase drugs). Medical identity theft can subject an individual to financial liability (for example, liability for services not rendered). It can also compromise patient care if inaccurate information is entered into the individual’s medical records.
If your practice is a “covered entity” as defined by HIPAA and has not recently performed a security risk assessment, now is the time to do so. Among the many other requirements mandated by the HIPAA Security Rule, a covered entity must adopt reasonable and appropriate security policies and procedures and perform risk analyses as part of its security management processes. To comply with such requirements, a covered entity must, at minimum:
- evaluate the likelihood and impact of potential risks to its electronic protected health information (ePHI)
- implement appropriate security measures to address the risks identified in its risk analysis
- document the chosen security measures and, where required, the rationale for adopting those measures
- maintain continuous, reasonable, and appropriate security protections
For a covered entity to remain HIPAA-compliant, security risk assessment and management should be an ongoing process. The Department of Health and Human Services Office for Civil Rights (OCR), the agency responsible for administering and enforcing the HIPAA Security Rule, expects a covered entity to regularly review its records to track access to ePHI and to detect security incidents; to periodically evaluate the effectiveness of its security measures; and to regularly reevaluate potential risks to its ePHI.
A covered entity must also retain written copies of its security policies and procedures, and written records of the actions, activities or assessments that HIPAA requires, for six years after the later of the date of their creation or the date they were last in effect. Additionally, a covered entity must periodically review and update its documentation in response to environmental or organizational changes that affect the security of its ePHI.
The OCR has published helpful guidance regarding a covered entity’s risk analysis and management obligations. Its Guidance on Risk Analysis Requirements under the HIPAA Security Rule and its security rule educational paper series, including Security 101 for Covered Entities, are available on the OCR website.
Between April 2003 and Dec. 31, 2014, the OCR received more than 106,522 HIPAA-related complaints. The OCR has investigated complaints against a variety of providers, including national pharmacy chains, hospital chains, major medical centers, group health plans and small private practices. Ranked by frequency, private practices top the list of the types of covered entities that the OCR has required to take corrective action to achieve voluntary compliance.
The penalties that can be assessed against a covered entity for failure to comply with the HIPAA Security Rule are significant. Violations of the Security Rule due to willful neglect are punishable by at least $10,000 and up to $50,000 per violation, with an annual cap for repeated violations of the same provision of at least $250,000 and no more than $1,500,000 for the calendar year. Given the significant penalties that can be assessed against a physician practice for violations of the HIPAA Security Rule, and the potentially significant financial losses and other harm that general and medical identity theft can inflict on patients, physician practices should evaluate their security risk assessment and management processes in the wake of the Anthem security breach and regularly reevaluate those processes thereafter.
Kathleen Quiroz is a Partner and member of Strasburger & Price, LLP’s Health Law Practice Unit in San Antonio. She can be reached at 210-250-6000.