We Still Aren’t “Getting It”!

Here we are, more than six years after the Privacy Rule deadline in 2003, and I am still trying to teach Covered Entities (CEs) and Business Associates (BAs) that Protected Health Information (PHI) is a valuable commodity to criminals. The crooks know that PHI has real, monetary value, but CEs and BAs are still learning this most important HIPAA lesson.

Until HIPAA-regulated entities really start to “get it” about the dollar value of stolen PHI, criminals will continue to have the advantage. That’s not a good situation.

It’s critical to understand that PHI (medical charts, billing files, etc.) has economic value to criminals. PHI is worth money on the international black market and is bought and sold 24 hours a day over illegal channels. More and more criminals know this and are exploiting it. Even Los Angeles’ notorious street gangs, once known for their lock on drugs, prostitution and gambling, are moving into identity fraud – the LA Times reported in 2008.

It’s easy to see bundles of records as so much paper, even when we understand intellectually that personal medical information is highly sensitive and confidential.

Try This with Real Dollars

Try this metaphor on for size: Imagine that a real US $20 bill is stapled to the inside front cover of every single file or record in your facility. Now imagine leaving piles of such “monetized” medical records simply laying around with no armed guard or other security. We wouldn’t do it. Instinctively, we know that bundles of cash deserve special protection. Unfortunately, most workers in healthcare jobs don’t automatically think that way about PHI. But PHI is equivalent to currency in the criminal mind.

In Value to Criminals: Medical Record = Wallet

In fact, much of the actual data in a person’s wallet is identical to the data in their medical records, with less clinical information of course. Name, home address, SSN, birth date, phone numbers, family contacts and pictures, banking and credit card data, allergy notices and other “first responder” medical data, etc. All these items reside in both wallets and medical records. And we know how devastating it would be if our own wallet fell into criminal hands.

Teach Your Workforce that PHI Has Value to Criminals

Some entities fear teaching this concept to their workforce because, they say: “we don’t want to give them any ideas!” They’re afraid that telling employees that PHI is worth money to criminals will tempt employees to go out and find crooks to sell PHI to. I believe that’s a mistaken view. Banks are filled with workers who all know their product is ‘valuable’, and banks take security appropriate steps to manage that risk – at least, most of the time!

Use Human Nature to Help Protect PHI

If I accidentally left my own wallet in your HIPAA-regulated facility, any honest employee that found it would know automatically – instinctively – to do two things right away:

1. Notify Mr. Weintraub that his wallet was obviously misplaced and has now been found.
2. Lock up the wallet and keep it safe while in posession of it.

If you see parallels here between 1.) Breach Notification; and 2.) Securing and Protecting PHI, then you deserve kudos. Because that’s exactly what’s what this is all about.

If your workforce knew that PHI is worth money to criminals, they would instinctively protect it, much as bank employees instinctively protect the cash they work with. To a healthcare workforce that’s ignorant of this, PHI may be sensitive, personal, and confidential – but it’s still only so much data, so much paper.

But to criminals, PHI spells “CASH!”

Okay, it’s almost true… damn close anyway!

Yours truly took a long needed mini-vacation last weekend to Yosemite National Park – my first-ever visit to spectacular Yosemite. My 55th birthday was last weekend, and the idea was to get away from the pressures, the meetings, the calls — away from HIPAA — for a few days to clear my head.

So there I was, driving into Yosemite valley in the rental car, awestruck at the raw beauty, the magnificence, the splendor… the ARRA (American Recovery and Reinvestment Act)?

Yes readers, in the midst of the Yosemite wilderness, imagine my surprise when I rounded a curve in the steep road and saw this…

ARRA at Work in Yosemite

I was dramatically reminded, as people in the HIPAA world easily forget, that the ARRA is accomplishing much more than expanding HIPAA. There, in the wilds of Yosemite, was the ARRA, funding road and infrastructure improvements to one our greatest national parks!

So the next time somebody asks you what the ARRA has achieved, point to HIPAA expansion, breach notifications, tougher sanctions… and yes, Yosemite!

While the health care community has been busy caring for patients and trying to protect PHI (Protected Health Information), crooks have been busy finding new ways to get their hands on it.  And as usual, technology has opened helpful new channels faster than HIPAA entities can cope.

Various types of online social networks are apparently the “next big thing” in relationships, and they are changing the nature of human interactions. But social networks also pose a major threat to the PHI Covered Entities (CEs) and Business Associates (BAs) are entrusted with.

Peer-to-Peer Networks Expose PHI

Researchers at Dartmouth College probed peer-to-peer (P2P) networks recently to try and determine the extent to which private medical data is exposed on these networks. Over a two-week period, what they found was shocking…

• A spreadsheet from an AIDS clinic with 232 client names,including Social Security numbers, addresses and birth dates.
• Databases for a hospital system that contained detailed information on more than 20,000 patients, including Social Security numbers, contact details, and insurance records, along with diagnosis information.
• A 1,718-page document from a medical testing laboratory containing patient Social Security numbers, insurance information, and treatment codes for thousands of patients.
• More than 350 megabytes of sensitive patient reports from a group of anesthesiologists.

According to the article above…

In all, researchers found hundreds of documents revealing sensitive information on tens of thousands of patients.

The full Dartmouth report is also available as a PDF download (858 Kb).

Personal Social Networks Are Another PHI Threat

P2P networks are different creatures than what are sometimes called “personal social networks” (PSNs). Personal social networks include sites like MySpace and Facebook, where people go (usually) to meet and fraternize with other like-minded people.

Exposure of PHI on personal social networks has already been identified as a growing problem. Increasingly, people are use their MySpace, Facebook, and other social network pages to vent their gripes about their doctors and their medical care.

So here are some critical questions you should consider…

• Do you know if you or your practice has been mentioned (positively or negatively) in any of your patients’ social network pages?
• What would you do if you found your patients’ PHI exposed on such sites? What could you do?
• How extensively are your employees using social networks? Are patients being discussed? Is any PHI being disclosed?
• Do you have a written policy regarding personal social networks, P2P networks, and similar online social channels?

It’s later than you think on this front. Your patients, vendors, and the crooks out there are likely farther along than you are in dealing with these issues. The HIPAA implications are enormous, especially with the ARRA’s new Breach Notification rule kicking in shortly.

Overall, the most important question you need to answer is:

Where’s your PHI?

One of the least understood and most ignored requirements in HIPAA is called “Workforce Clearance” (WC). This “addressable” requirement is part of the Security Rule’s Administrative Safeguards, and appears at 164.308(a)(3).

“Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.”

A Danger and an Opportunity

Hidden in these few words is one of the greatest dangers – and opportunities – for both Covered Entities and Business Associates. The danger and the opportunity both derive from the fact that many data breaches and thefts of PHI are perpetrated by insiders.

• Insiders at Tenet were recently charged with theft and HIPAA violations.
• A Johns Hopkins employee who worked in the hospital’s patient registration area was recently charged with fraud after stealing patient files.
• Kaiser Permanente’s Bellflower Hospital was recently fined $250,000 because employees were snooping into an octuplet mom’s (“Octomom”) medical records.

The danger to CEs is that some trusted insider will be tempted to steal, sell, or hold Protected Health Information (PHI) hostage for personal gain. The opportunity is the chance to avoid HIPAA violations and bad publicity by making sure the people inside your entity are trustworthy and responsible.

“Workforce Clearance” Really Means “Background Checks”

In truth, many of these incidents might have been prevented if the entities involved had followed HIPAA’s “Workforce Clearance” requirement more strictly. The essence of Workforce Clearance is really background screening of employees, often referred to as “background checks.”

While many entities do perform some background screening for new hires, many entities do only a cursory check, and often with the lowest bidder. Unfortunately, this is a recipe for disaster.

People with Problems are More Prone to Crime

The simple fact is, people with criminal backgrounds and those with huge amounts of debt are more often involved in PHI thefts and breaches than those without such problems. And well-done background checks frequently identify high-risk individuals.

Background Screening – Rule of Thumb

A general rule of thumb is that the positions that carry the greatest responsibility should have the most intensive background checks. Positions such as IT Director, Senior Admin, Security Director, Medical Records Director and Manager should all have thorough background screening performed for applicants before they are hired. Some HIPAA entities are also re-screening workers in key positions periodically, to discover potential people problems in advance.

Background screenings for critical positions should include:

• Confirmation of previous employment history.
• Multi-state, or nationwide criminal background checks.
• Credit history reports.
• Driving history and violation reports.

Don’t Cut Costs on Workforce Clearance

While many CEs and BAs try to rein in costs by cutting back on background screening, the smartest entities are stepping up their use of background checks. They are moving to comply with HIPAA’s addressable “Workforce Clearance” requirement. They are also being smart, by reducing the risk from another “reasonably anticipated” threat to the PHI they are entrusted with.

After years of easy-going (some would say non-existent) enforcement, HIPAA enforcement finally appears to be heating up. Consider the following…

• HHS conducted it’s first-ever, on-site inspection for HIPAA compliance in March 2007 at Piedmont Hospital in Atlanta, Georgia.
• In 2007 HHS granted new and expanded subpoena authority to the Office for Civil Rights to use in HIPAA violation investigations.
• As of 2009, over 400 cases have now been referred to the US Department of Justice over possible criminal violations of HIPAA.
• The 2009 HITECH Act, part of the ARRA, expanded HIPAA investigations and enforcement, to include, for the first time, mandatory investigations and penalties for cases involving “willful neglect”.
• HHS re-delegated HIPAA Security enforcement in August 2009, moving it from the CMS to the OCR. The OCR now handles investigations and enforcement for both the Privacy and Security Rules.
• Announced August 2009, HHS is hiring more investigators to accommodate the growing number of complaints and it’s new, combined Privacy and Security enforcement duties.

Combine these with the ever-growing number of breaches, and the ARRA changes to HIPAA enforcement, and you have an blossoming enforcement situation every Covered Entity (CE) and Business Associate (BA) should be concerned about.

CEa and BAa simply must get their HIPAA “ducks in a row” as we approach 2010. The major provisions of the ARRA and the HITECH Act kick in on February 18th 2010, and HIPAA enforcement will continue to heat up. Be ready and be careful!

It seems like every new cellphone model these days comes with a camera. And many, like the Apple iPhone, also contain audio recorders. In fact, it’s getting hard to find digital devices that don’t record images, video, or audio. But for Covered Entities (CEs) and Business Associates (BAs) trying to protect PHI, these devices create serious privacy and security challenges.

“Reasonably Anticipated” Threats

HIPAA requires CEs and BAs to protect PHI against all “reasonably anticipated” threats. The problem is, many CEs and BAs don’t know how serious the “digital device” threat is to their PHI. On the other hand, HIPAA entities can’t claim that these threats couldn’t be “reasonably anticipated”, because this  issue is being covered in the general, technical and medical media increasingly often.

So what’s a concerned CE or BA to do?

What Can Be Done?

The first step is to research the potential for abuse in your organization. You should be able to answer the following questions:

1. How and where are digital devices and recordings being used in your facility now?
2. How will you deal with employees and physicians’ use of digital devices for recording images, video, and audio?
3. How will you deal with patients and visitors using these devices?
4. What are the legitimate recording uses, if any, for such devices in your facility?

Based on the answers to these questions, you should create clear policies and guidance for the workforce, patients and visitors. Policies should be circulated to everyone and employee “sign-offs” should be obtained to establish workforce “agreement” to abide by the policies. Consider having patients sign a form laying out the rules and restrictions on recording with digital devices. And consider posting signs in patient and visitor areas that say “No Photography Allowed”, “Recordings Prohibited”, or something similar.

A Variety of Approaches

CEs and BAs today are taking a variety of approaches to digital devices and the recordings they can produce, including:

• Banning all cameras, camera-phones, and audio recording devices from the premises. (Very hard to enforce.)
• Banning digital devices from patient-care areas. (Easier to enforce, but still problematic.)
• Establishing clear policies and restrictions on usage, but not banning the physical presence of relevant digital devices. (More realistic, but still difficult to enforce, as many devices are small and can be used surreptitiously.)
• Ignoring the problem or deferring the issue till “later.” (The riskiest approach of all.)

No “Magic Bullet”

There is no “magic bullet” solution for the privacy and security challenges posed by digital recording devices. Nevertheless, CEs and BAs must attempt to address these challenges somehow, even if only to demonstrate to a judge or jury — after a breach — that they were not guilty of “willful neglect”. Remember, HIPAA violations that involve “willful neglect” carry new investigative and penalty requirements under the recent ARRA expansion to HIPAA. Be careful!

Where will it end? It seems that incidents of medical records breaches are still on the rise, with no end in sight.

Whether it’s from stolen laptops, rogue wi-fi hotspots, employee snooping, or determined hackers, data breaches and losses are skyrocketing. The problem is so acute, that even organizations that track data breaches are amazed at the scope of the data breach problem.

Medical Records Have Financial Value to Criminals

Why is this happening in such a big way? The answer is money. Medical records, and other comprehensive personal records like mortgage applications, have financial value to criminals. Criminals buy and sell people’s personal records on underground websites and channels because those records are used to create false identities and commit fraud.

The attractiveness of medical records to criminals is one of the main reasons why the HIPAA regulations require such strong protections for PHI. Covered Entities think their records are just paper. But to criminals, medical records are gold.

Foreign crime syndicates see the potential payoff from I.D. theft. And even common street gangs are, in some cases, turning away from drugs and prostitution and moving into I.D. theft.

HIPAA Requirements are Only a Starting Point

Remember, HIPAA’s Privacy and Security Rule requirements are only a minimum “floor” of protection that every entity should have in place no matter what. It also takes effective training, awareness of how criminals work, and due diligence to prevent data breaches. And you can be sure of one thing: prevention is easier and much, much cheaper than dealing with a data breach. Be careful!

Well, it’s happened yet again. Another case of un-shredded medical records abandoned or disposed-of in the regular trash stream. This time its in Massachusetts, as the Boston Globe reported here in April 2009.

It seems an Acton, Mass., family doctor closed his practice suddenly and had hundreds of patient files in storage.  The doctor was apparently evicted from his office as he was being pursued by state regulators for practicing without a license! As a result, the records in storage were in limbo, and were nearly auctioned off to the highest bidder, along with equipment and miscellaneous items belonging to the “doctor.”

This incident has a happy ending, as a local hospital has stepped up and offered to “rescue” the records. But not every case like this ends on an upbeat note. This kind of situation is created more often by careless Covered Entities who simply toss un-shredded records in the trash.

HIPAA Requires Destruction Before Disposal

Let’s be crystal clear here folks: HIPAA regulations require PHI to be destroyed before it is disposed of; and its is a HIPAA violation to dispose of PHI that has not been destroyed or rendered indecipherable. And HHS released new guidelines (PDF download) in 2009 on PHI destruction.

Don’t fall into such an obvious trap! Make sure your entity has a clear policy and procedures on PHI disposal and destruction. Train staff on the policy and procedures, and be certain your policy is followed consistently every time. This is a preventable HIPAA violation – be careful!