The Metadata Era

Two weeks ago, the Department of Health and Human Services (HHS) issued final regulatory rules that place a new group of data processors and third-party consultants directly under HIPAA’s data security compliance regulations.

Some Background

In 2010, HHS issued a “notice of proposed rulemaking”, seeking comments from stakeholders as it worked out updated regulations for HIPAA that had been mandated by Congress.  One of the areas that regulators wanted to resolve was precisely who is subject to HIPAA’s central Security Rule, which defines steps organizations must take to maintain reasonable technical safeguards for electronic protected health information (e-PHIs for short).

The regulators first proposed that “business associates”  handling e-PHI for, say, hospitals or HMOs, would fall directly under HIPAA laws. While not considered a medical provider, they could be still held liable—with civil and criminal penalties—for compliance failures.

Without this type of extension, health organizations could conceivably outsource their data protection obligations to others, and then depending what was in the private contract with the business associate, it would be feasible that no one at all could be held responsible for a breach or other security lapse.

What Has Changed

With the finalized rules (which by the way run over 500 pages) not only do business associates come under HIPAA, but a new class of consultants and subcontractors who perform work on behalf of the business associates also have HIPAA obligations.

In effect, the final rules say that any company that has access to e-PHI is treated just like a hospital or HMO. By the way, HIPAA/HITECH’s Breach Notification Rule, which originally required health companies and their business associates to report e-PHI disclosures, is now extended to medical data subcontractors as well.

The ultimate intent is to close off any holes in security and enforcement when the business associates themselves outsource data processing to others.

HIPAA’s Much Wider Impact

US yearly health care expenditures run over $3 trillion. With an historic shift to digital medical records and new investments in advanced health IT technologies, the final rules will have a major impact on many data processing companies that perhaps would not have considered themselves in the medical business—think of cloud-based providers, analytic services,  and software vendors and resellers.

Lawyers and  health care analysts will, no doubt, be mulling over the new HIPAA rules for months to come. And I’ll have more to say on this in future posts. Need to quickly catch up on HIPAA?  Take a look at our free whitepaper.

While I was conducting some research on compliance laws for a customer, I found myself reviewing the penalties written into the 1996 Health Information Portability and Accountability Act, otherwise known as HIPAA. The act calls for health organizations “to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information”. So far so good. But what happens when a hospital doesn’t comply with implementing these safeguards, or if a medical worker makes a wrongful disclosure by obtaining “individually identifiable health information relating to an individual”?

It’s one thing to be aware of these laws and their penalties in an abstract way, and yet another to see the wheels of justice grind away when there are real-world violations.

Let’s look at the wrongful disclosure penalty clause of HIPAA first, which does mention imprisonment.

Has anyone ever gone to jail for snooping in a file and viewing electronic protected health information or e-PHI, which is essentially a medical-style PII?

The answer is … yes. The Department of Health and Human Services, which is in charge of enforcing the HIPAA rules through its Office for Civil Rights, has been particularly vigilant in recent years in protecting medical privacy rights.

Back in 2003, a California medical researcher and surgeon, who had been given a dismissal notice by his university employer, decided to access several hundred medical records over a three-week period before leaving his job. Since this was a Los Angeles hospital, its patient pool included many well-known celebrities and other high-profile figures—for starters, Leonardo DiCaprio, Tom Hanks, and Drew Barrymore.

HHS was notified of the incident and the case was ultimately referred to the US Department of Justice, which decided to prosecute the doctor. In 2010, the doctor pleaded guilty to misdemeanor charges in violation of HIPAA’s medical privacy protections, and specifically admitted to, that’s right, obtaining individually identifiable health information “without a valid reason, medical or otherwise”. From what we know about the incident, there was no evidence that the doctor was trying to sell the medical records.

The doctor was ultimately sentenced to three months in a federal prison —the first person to be incarcerated under HIPAA’s penalties.

In other words, merely peeking at a file led to a prison term. Of course, HIPAA does make allowances for employees accidentally viewing records, or for medical workers who need to interact with medical data as part of their job, but the evidence in this case showed intentional actions, not part of a job function, to access e-PHIs.

What about less drastic measures, say, fines? It is far more likely that a medical organization or health provider will be facing monetary penalties, not jail time, for their HIPAA violations, most commonly for not implementing proper security safeguards.

You can read about incidents here and here involving medical information breaches, which led HHS to levy fines in excess of one million dollars against a hospital and a state health department for not having procedures in place to secure personal medical information. In both cases, medical records leaked out into devices (a laptop and a USB drive) that were either lost or stolen.

There are a few lessons to be learned from these medical information security cases. In the incident involving the doctor, better file-level auditing and alerting might have led to detection much earlier instead of allowing for three weeks of unlimited access. And at least one of those breaches might have been prevented with a combination of policy and technology that restricted e-PHI access to certain users and/or certain devices.

If you’re an IT person or HIPAA officer in a medical organization and reading this, there’s no need to panic. According to the Office for Civil Rights, most complaints it receives are resolved without serious actions through either voluntary compliance or corrective actions. However, if you’d like to avoid the HIPAA enforcement process altogether, you may want to start accessing your risk areas. Here are a few questions you may want to ask yourself to get started:

•         Do you know where your e-PHI data resides?
•         Do you know who can access it?
•         Do you know who does access it?
•         What is the request process for someone who legitimately needs access to medical records?
• Does legitimate access get revoked when no longer needed?  How?

These questions represent the tip of the iceberg, of course, when it comes to HIPAA regulatory compliance and data protection.

If any of them gives you pause, you might want to rethink your compliance strategy.