Are you a covered entity (CE) or business associate (BA) as defined by HIPAA? There are literally millions of organizations in the U.S. that fall under these definitions, and possibly additional millions of BAs outside of the U.S. providing services to U.S.-based CEs. The impact is significant, and truly world-wide. If you are a CE or BA, did you know that your information security and privacy activities, or lack thereof, could cause physical harm to patients and insureds, and that you can receive significant penalties under the new HIPAA rules based upon those impacts?
Final Rule harm consideration for sanctions levels
The HIPAA/HITECH Final Rule was released Thursday, January 17, 2013. Among many other changes, there were significant changes for the privacy breach activities and associated penalties. The considerations of harm have introduced new types of variables that should make business leaders reassess their compliance efforts with particular regard to their breach response efforts. The harm variables now include:
- Number of individuals affected
- Time period during which the violation occurred
- Nature and extent of the harm resulting from the violation, consideration of which may include, but is not limited to:
  - Whether the violation caused physical harm
  - Whether the violation resulted in financial harm
  - Whether the violation resulted in harm to an individual’s reputation (new with the recent Final Rule)
  - Whether the violation hindered an individual’s ability to obtain healthcare
The nature and extent of harm is not entirely new, but it is significant. Most businesses don’t think about how these variables can impact any penalties that are applied following a breach. When I’ve spoken with a wide range of CEs and BAs, a large portion of the CEs and basically all of the BAs did not realize these harm considerations would even be a factor in penalties. It is worth thinking about, and also determining how to lessen the risks that these specific types of harm would occur. For now let’s focus on the extent of harm factors that could be related to physical harm.
Did the violation cause physical harm?
Can you imagine some of the ways in which a breach of protected health information (PHI), and any associated patient information, can cause physical harm? Actually, there are an unlimited number of ways. Here are a few scenarios in which a PHI breach could cause (and in some actual situations has caused) physical harm. Use these to help you start thinking about such situations.
A. Inadequate BA employee practices
Consider a bio-med equipment vendor that has remote access into the systems within the hospital bio-med system so that they can provide administrative support and management. It is common for such vendors to establish a few IDs and then have their staff share them. Let’s suppose in this scenario the bio-med vendor re-uses the same five user IDs for all staff that support the equipment. The vendor fires one of the administrators. The disgruntled administrator from the BA remotely logs into the bio-med system, accesses the patient data and changes the dosages for the administration of medicine for the hospital patients receiving the medicine through the devices. Many patients are subsequently killed or lapse into comas. The level of physical harm related to this breach would be significantly high. Not to mention the likely civil suits and possible subsequent judgments.
B. Access to prescription bottle labels
Consider a case where prescription bottles, with the full prescription information still intact, are thrown into publicly accessible dumpsters behind the locations of a pharmacy chain. Dumpster divers then rummage through the dumpsters every night, collecting all the prescription bottles and filling every prescription they can that still has refills. The legitimate patients then cannot refill their prescriptions because the limits have been reached, and they go without their medication until they can get the situation resolved, potentially leading to health complications and hospitalizations. There have also been situations where the criminals getting the bottles then went to the homes of patients who had drugs that they wanted and robbed them, resulting in physical harm. The physical harm impacts could be significantly high. And, again, so could the civil suit judgments.
C. Use of another’s insurance coverage
Consider this situation: An insurance company has transposed the fax number of a large regional hospital and faxes over a dozen health insurance claims to the wrong number. As bad luck would have it, the recipient sees an opportunity to take that information and commit one form of “medical identity theft”: selling the insurance information to those who cannot otherwise get health insurance. The resulting healthcare activities of those using the stolen insurance result in changes to the real patients’ medical records, producing inaccurate information about their health and leading to the wrong medications, surgeries and other treatments. The level of physical harm to the associated patients could be significantly high. A few years ago I actually spoke with a person who experienced this situation. Once more, the civil suits, and possibly costly judgments, would follow.
Bottom line for all CEs and BAs, from the largest to the smallest…
All CEs, and now BAs, need to consider the types of harms that could occur as a result of the wide range of PHI breaches. CEs and their BAs need to then update their breach response plans accordingly. By better understanding the harms, CEs and BAs will be able to provide more effective targeted training and awareness, and help to prevent such harms from happening in the first place.
CEs will also need to notify their BAs of the changes and ensure they have appropriate breach response plans in place, since the CEs will now, as indicated in the Final Omnibus Rule, clearly bear some shared liability and responsibility for actions that occur within their BAs, and their BAs’ subcontractors.
Additional information about PHI breach harms
Here are some additional sources of information about potential PHI breach harms:
- No Harm Done? Assessing Risk of Harm under the Federal Breach Notification Rule
- HIPAA/HITECH Final Omnibus Rule released January 17, 2013 and published January 25, 2013 (also available at https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf)
- HIPAA Rule Alters Definition of ‘Breach’
- HHS ISSUES FINAL BREACH NOTIFICATION RULES – The end of “no harm, no foul”?
- No Harm, No Foul, No More—New HIPAA “Breach” Standards Seek to Provide Consistency, Objectivity
- Breaches of Unsecured Protected Health Information
- Breach Risk of Harm Assessment
This post was written as part of the IBM for Midsize Business (http://Goo.gl/t3fgW) program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.