The series of examples in this article suggests that healthcare providers are still failing to meet HIPAA standards. HIPAA, the Health Insurance Portability and Accountability Act of 1996, is hardly a new concept in the healthcare industry. As technology evolves, healthcare providers of all sizes are required to implement the safeguards HIPAA mandates to keep patients’ sensitive information protected, whether it is stored on paper or electronically. The two key aspects that organizations need to keep at the forefront of their privacy and security plans are the HIPAA Privacy Rule and the Security Rule. Yet even organizations that put real effort into protecting patient information still fail to meet HIPAA standards, as the examples below show.
Recent examples where HIPAA standards were not met
Saint Francis Healthcare Partners
An unauthorized individual gained access to the email system of Saint Francis Healthcare Partners in what the organization described as a sophisticated cybersecurity incident. The hospital has notified 38,592 patients regarding the incident, stating that some of their protected health information (PHI) may have been obtained by hackers.
A forensic investigation determined that the attack took place on December 30th, 2019, and potentially compromised patients’ PHI, but this was not established until March 20th, 2020. The types of information stored in the email system that may have been compromised include names, medical record numbers, medical histories, clinical and treatment information, dates of service, diagnoses, health insurance account numbers, provider names, prescription information, and types of procedures performed. The investigation has so far found no indication that any patient’s information was accessed, stolen, or misused. That being said, if the hospital had a proper risk assessment system in place and performed risk assessments regularly to meet HIPAA standards, this situation could likely have been avoided.
Houston Methodist Hospital
The hospital has notified 1,987 heart patients regarding an incident in which some of their PHI, stored on portable storage devices, was stolen in mid-February from the vehicle of a vendor representative. The individual, who worked with the hospital’s 3D imaging technology department, left the hard drives in a vehicle, from which they were stolen.
The hospital reported that the hard drives were supposed to be kept in a locked room, and that removing the devices violated the technical safeguards the hospital had established under the HIPAA Security Rule. The representative, however, reportedly believed that the room was locked because of the late hour.
The types of information stolen included medical images, names, genders, dates of birth, and code numbers. Law enforcement was informed of the theft and the hospital also commissioned a private investigation, but the hard drives were never recovered. This incident is a clear example of how important training and awareness are for every member of the workforce. Regular training and awareness on HIPAA standards could have made the employee more cautious about handling devices that contain PHI, sparing both the hospital and the employee such problems.
Ascension Eastwood Clinic
In an attempt to notify patients about the transition to telehealth during COVID-19, intended to reduce the spread of the disease, an employee accidentally exposed patients’ information in an email. The employee did not place the patients’ email addresses in the BCC field of the message, so every recipient could see the other patients’ addresses. Email addresses and, in some cases, patients’ full names were disclosed to other patients as a result of the error.
The United States Department of Health & Human Services’ Office for Civil Rights breach portal indicates that 999 patients were affected. This blunder could easily have been avoided if the clinic had a system in place to enforce proper email practices as per HIPAA standards. That being said, the adequacy of the clinic’s training and awareness is also questionable in light of this incident.
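The Ascension incident is a failure that a simple pre-send check can catch. The following is an added example written for this article, not code from the clinic or from any vendor mentioned here; it assumes a constructed internal domain (clinic.example) and constructed patient addresses. It flags any outgoing message that exposes more than one external address in the visible To/Cc fields, and shows how to build a bulk notification that addresses patients only via BCC.

```python
"""Pre-send guard for bulk patient notifications (illustrative example).

Policy: a message going to more than one patient must carry the patient
addresses only in Bcc, so no recipient can see another recipient's address.
Visible fields (To, Cc) may contain at most one external address; addresses
in the sender's own domain (e.g. a shared clinic mailbox used as the nominal
To) are not counted as exposure.
"""
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "clinic.example"  # constructed value for this example

# Constructed sample data, not real patients or a real clinic.
SENDER = "notifications@clinic.example"
PATIENTS = ["alice@example.net", "bob@example.org", "carol@example.com"]


def visible_external_addresses(msg: EmailMessage) -> list[str]:
    """Return external addresses exposed in To/Cc, lower-cased and de-duplicated."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    exposed: list[str] = []
    for _name, addr in getaddresses(headers):
        addr = addr.strip().lower()
        if not addr:
            continue
        domain = addr.rsplit("@", 1)[-1]
        if domain != INTERNAL_DOMAIN and addr not in exposed:
            exposed.append(addr)
    return exposed


def check_recipient_exposure(msg: EmailMessage) -> tuple[bool, str]:
    """Return (ok, reason); ok is False when sending would disclose one
    patient's address to another."""
    exposed = visible_external_addresses(msg)
    if len(exposed) > 1:
        return False, f"{len(exposed)} external addresses visible in To/Cc; use Bcc"
    return True, "ok"


def build_bulk_notification(sender: str, patients: list[str],
                            subject: str, body: str) -> EmailMessage:
    """Build a notification that addresses every patient only via Bcc.

    smtplib's send_message() takes the envelope recipients from Bcc and
    strips that header from the transmitted copy, so the patient list is
    never visible to any recipient.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # nominal visible recipient: the sending mailbox itself
    msg["Bcc"] = ", ".join(patients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def mistaken_message() -> EmailMessage:
    """Reproduce the error described above: every patient placed in To."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(PATIENTS)
    msg["Subject"] = "Telehealth visits"
    msg.set_content("We are moving routine visits to telehealth.")
    return msg


if __name__ == "__main__":
    for label, msg in (("mistaken", mistaken_message()),
                       ("bcc-only", build_bulk_notification(
                           SENDER, PATIENTS, "Telehealth visits",
                           "We are moving routine visits to telehealth."))):
        ok, reason = check_recipient_exposure(msg)
        print(f"{label}: {'send' if ok else 'BLOCK'} ({reason})")
```

In practice this check belongs at the point where bulk mail leaves the organization (a sending script, a mail gateway rule, or a DLP policy), because relying on each employee to remember the BCC field is exactly what failed here.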
What can be done?
As the above examples show, HIPAA standards are often not met because of inadvertent mistakes, a lack of regular risk assessment, or a lack of proper training and awareness programs.
Perpetrators often use compromised and stolen patient information to commit medical identity theft. Leading hospitals such as The University Health Care System and The Terrebonne General Medical Center use RightPatient, a biometric patient identification platform, to better protect patients’ information from medical identity theft.
HIPAA standards, on the other hand, can be met by using a HIPAA compliance solution such as HIPAA Ready. This cloud-based software solution allows organizations to regularly perform risk analyses and internal audits. With HIPAA Ready, an organization can discover which areas of its facility are risk-prone and need better protection. HIPAA Ready also allows organizations to deploy training to staff members across the organization with a few clicks. Simplify compliance with HIPAA Ready to avoid blunders that can lead to severe consequences.