How to avoid a costly medical record security breach
April 2, 2012
We would like to educate healthcare professionals about the realities of medical record security breaches, and eliminate the “it couldn’t happen to me” attitude. The fact is - it can, and it is, happening to medical practices just like yours, all across the United States, and with significant consequences!
The HHS “Wall of Shame” (http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html) lists 400 reported medical record security breaches from September 2009 to March 2012, each involving more than 500 patients. The cumulative impact involves over 19 million patient records - about 6% of the U.S. population in just 2.5 years, from hospitals and medical practices, both large and small, encompassing nearly every specialty of medicine. The most common root causes of these actual medical record security breaches:
- Thefts (54%) such as stolen laptops with PHI stored on the local hard drive
- Unauthorized Access/Disclosure (22%) such as lost or stolen backup tapes, disks, etc.
- Lost/Improper Disposal (17%) such as papers with PHI that are lost or not properly destroyed
- Intentional Hacking (7%) including stolen passwords, exploiting inherent Windows® vulnerabilities, Trojan horses, exploiting defaults, Main in the Middle, wireless attacks, social engineering, etc.
In 2009, the laws changed such that medical record security breaches are now treated with the same force & effect as breaches of financial records. The HIPAA Breach Notification Rule defines a medical record breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.” with exceptions related to inadvertent and unintentional disclosures where the information cannot be further used or disclosed.
In the event your medical practice has a medical record security breach, you are required to do the following:
- Notice to Individuals: Provide written notice to all affected patients following the discovery of a breach of unsecured PHI. This notification must include a description of the breach; the types of information that were involved; the steps affected individuals should take to protect themselves from potential harm; a brief description of what your medical practice is doing to investigate the breach, mitigate the harm, and prevent further breaches; as well as, contact information for the medical practice.
- Notice to Media (> 500 patients affected): Provide notice (e.g. press release) to prominent media outlets serving the affected region including television, newspapers, etc. This notification must include the same details as the Notice to Individuals above.
- Notice to Secretary of Health and Human Services (> 500 patients affected): Provide notice to the Secretary of Health and Human Services by filling out and electronically submitting a breach report form on the HHS.gov website. The details of the medical record security breach will be posted on the HHS “Wall of Shame”.
From there, you should expect that your practice will be thoroughly investigated and scrutinized by federal investigators and auditors who will determine how rigorous your practice was in attempting to secure PHI, and how negligent you were in allowing unauthorized use or disclosure of PHI. Based on these findings, civil and/or criminal penalties will be imposed.
Civil penalties established in Section 13410(d) of the HITECH Act of 2009 are based on a tiered strategy that reflect increasing levels of culpability, and corresponding increasing penalty amounts:
- Tier 1: Violator had no knowledge of the violation, and by exercising reasonable diligence, would not have known of the violation. FINES: $100+ per identical violation (i.e. affected patients), not to exceed $25,000 in a calendar year, and no more than $50,000 per violation, not to exceed $1.5 million for all identical violations in a calendar year.
- Tier 2: Violations due to reasonable cause. FINES: $1,000+ per violation (i.e. affected patients), not to exceed $100,000 for all identical violations in a calendar year, and no more than $50,000 per violation, not to exceed $1.5 million for all identical violations in a calendar year.
- Tier 3: Violations caused by “willful neglect” that were corrected. FINES: $10,000+ per violation (i.e. affected patients), not to exceed $250,000 for all identical violations in a calendar year, and no more than $50,000 per violation, not to exceed $1.5 million for all identical violations in a calendar year.
- Tier 4: Violations caused by “willful neglect” that were not corrected. FINES: $50,000+ per violation (i.e. affected patients), not to exceed $1.5 million for all identical violations in a calendar year.
Additionally, criminal penalties established in Section 13410(d) of the HITECH Act of 2009 may be imposed if PHI was knowingly obtained in violation of the law.
- Up to $50,000 and 1 year in prison for knowingly obtaining or disclosing PHI
- Up to $100,000 and 5 years in prison if the offenses are committed under false pretenses
- Up to $250,000 and 10 years in prison if the offenses are committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.
So what’s a medical practice to do? Protect yourself by using an EHR platform with industry-leading security, that addresses every mode of medical record security breach, so that you can confidently avoid civil (and criminal) penalties, the pain & distraction of a federal investigation, and the long-term impacts on the reputation of your medical practice.
The SiliconMesa® EHR platform virtually eliminates the top 4 root causes of actual medical record security breaches:
- Thefts (54%): With SiliconMesa® EHR, there is no PHI stored locally on your PC, laptop, tablet, or smartphone. All data is securely accessed “over the cloud” from the HIPAA-compliant SiliconMesa Data Center with 256-bit encryption of all data, both “at rest” and in-transit using our secure SSL tunnel.
- Unauthorized Access/Disclosure (22%): With SiliconMesa® EHR’s 2-factor authentication, every user is required to authenticate using their mobile phone (or land line) before ever entering a username and password. Also, SiliconMesa will backup all of your data, so there is no need to deal with lost or stolen backups.
- Lost/Improper Disposal (17%): With SiliconMesa® EHR, you can effectively eliminate the need for PHI records on paper - go paperless!
- Intentional Hacking (7%): The SiliconMesa® EHR platform is built upon Security Enhanced Linux (SELinux) - not Windows(R). SELinux was co-developed by the U.S. National Security Agency to protect our country’s most sensitive defense and intelligence data. Also, the SiliconMesa Data Center keeps all firewalls, servers, and storage devices up-to-date with the latest security upgrades so you don’t have to worry about it.
Contact SiliconMesa today, to setup your 30-day risk-free trial, and get the piece of mind you need to focus on doing what you do best - caring for your patients!