As a society, have we become complacent with the daily headlines telling us of yet another Protected Health Information (PHI) mega breach?
Have we arrived at the point of asking our healthcare provider(s) whether they have reported or experienced a breach of their patients' PHI?
Recent numbers on patient record breaches show:
6 billion: The cost associated with cyber-attacks, attributed specifically to healthcare.
94 percent of healthcare organizations have indicated they've had some type of a breach.
Healthcare sustains about two and a half times the cost for each record that is lost.
Healthcare information is about 10 times more valuable than any other data on the black market: "There's tremendous incentive for breaches to take place."
68 percent of breaches that occurred have been in healthcare.
175.5 million records have been lost.
317 million new pieces of malware last year.
1 million new threats every single day.
$4.5 billion was lost in 2014.
But what about the individuals who have had their PHI compromised and violated? To the individual, such a breach has real consequences.
It is reported that the cost to a patient to resolve and repair their information after a breach of PHI is estimated at $13,500.
A review of the Wall of Shame on the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) website shows that the OCR rarely punishes health care providers for individual violations. Instead, the OCR typically settles for pledges to fix any problems and issues reminders to the violating organization of what the privacy law requires. The OCR website doesn't even tell the public which health providers have reported small breaches, or how many.
OCR Director Jocelyn Samuels stated that these breaches are "heartbreaking stories" and "the kinds of harm that Health Insurance Portability and Accountability Act (HIPAA) is intended to address." She went further to insist her agency isn't afraid to pursue formal sanctions when they are warranted, but said its primary role is helping health providers to follow the law. "Our preference is always to promote voluntary compliance," Samuels said.
For patients, Samuels' agency is usually the only place they can seek vindication. HIPAA does not give people the right to sue for damages if their privacy is violated. Patients who seek legal redress must find another cause of action, which is easier in some states than in others.
Indianapolis lawyer Neal Eggeson was contacted by a patient named Frances after she was attacked on Facebook by a former friend employed at an unnamed hospital. The January 2014 Facebook post stated, "FRANCES ... IS HPV POSITIVE!" It also included her date of birth and ended with a plea to friends: "PLZ HELP EXPOSE THIS HOE!"
The Facebook poster was a patient care technician at the local hospital where Frances was treated. The hospital where Frances' PHI was breached was contacted, and a confidential settlement was obtained for Frances. (Eggeson asked that the facility not be named in this story.) Even though Frances' former friend no longer works at the hospital, Frances still hasn't fully recovered. She sees a therapist and has a hard time trusting others.
Many of the individual breaches appear to be driven by personal animus, jealousy or a desire for retribution. These smaller breaches involving sensitive health details (PHI) are spurring disputes and legal battles across the country:
A Tampa Bay, Florida, nurse snooped into her nephew's partner's PHI and found that the individual once had a baby who was given up for adoption. The secret was announced at a family funeral. The nephew's partner filed a complaint with the hospital; the nurse admitted what she had done, was fired, and had to relinquish her nursing license.
A New Jersey mother sued a local hospital, alleging that one of its employees shared details about her 11-year-old son's attempted suicide with people at his school. The boy was subsequently "bullied by his peers, called names and made fun of," her lawsuit says.
An HIV patient was sued over a $326 debt by the medical group that had been treating him. The medical group's court filing gave the man's name, home address, Social Security number and date of birth, and included a billing statement containing the phrase "Last Diagnosis: HIV." The victim's first concern was getting the court record sealed. A jury awarded the patient $1.25 million for pain and suffering.
So, does the OCR focus on the larger, splashy mega breaches?
Let's look at the numbers. Since 2009, the OCR has received information about 1,400 large breaches. During the same time, more than 181,000 breaches affecting fewer than 500 individuals have been reported. In September 2015, the HHS inspector general issued a pair of reports that criticized the OCR, including its handling of small breaches. The inspector general said the OCR did not investigate the small breaches reported to it or log them in its tracking system.
"[The] OCR does not record that information and therefore it's not available for staff to be able to look over time" for repeat offenders, said Blaine Collins, regional inspector general for evaluation and inspections in San Francisco. "Boy, that's critical for monitoring and oversight," Collins added.
Judith Lindsay, CHP, CEO of JAL Consult, tackles all the elements of the HIPAA compliance puzzle, helping organizations make sense of it all by implementing policies and procedures that are reasonable and appropriate for their entity. Judith provides consulting and training and is available for speaking engagements. To read more about the world of compliance, subscribe to JAL's newsletter at www.jalconsultantsaz.com or follow JAL on Twitter @judithconsult.