Data security

Health care in the time of data breaches: 3 things to know

A HIPAA expert outlines what physicians need to understand about preparation, fines and retaining patients.

When patients’ protected health information (PHI) is breached, the financial impact can be hefty. In 2014, New York-Presbyterian Hospital paid $3.3 million in settlements after 6,800 patients’ PHI inadvertently became available through online search engines. Inappropriately accessing PHI can carry serious personal consequences, too. Former UCLA researcher Huping Zhou was sentenced to four months in federal prison in 2010 after viewing the PHI of his coworkers and various celebrities without authorization to do so.

Stringent penalties such as these are meant to be eye-opening for health care organizations, says Art Gross, CEO of health care IT consulting firms HIPAA Secure Now! and Entegration. “Although the Health Insurance Portability and Accountability Act (HIPAA) has been around for a long time, it’s been widely unenforced—a lot of patient information hasn’t really been protected,” he explains. As enforcement has grown stricter, he says, physicians should be aware of the following:

1. Preparation is vital

Besides conducting regular security risk assessments in your practice, you should also develop a breach response plan, including a sample notification letter. If a HIPAA violation occurs, you’ll need to determine which information was accessed and contact the affected patients. If the data of 500 or more patients was affected, you’ll also need to notify the U.S. Department of Health and Human Services (HHS).

“HHS has made it clear that organizations that act quickly and decisively to stop a breach will fare much better than those that didn’t have a plan, didn’t notify the affected individuals and didn’t make changes to prevent future breaches,” Gross explains. “If you do the right thing, you’ll likely be rewarded even though it’s a bad situation.”

2. Fines will be large and ‘symbolic’

Gross says he doesn’t expect to see a spike in the number of organizations being penalized. “But the fines that are given out are going to be very large and very symbolic,” he says, citing a small Colorado pharmacy that recently agreed to a $125,000 settlement after a HIPAA violation.

3. Patients will demand more security

“Patients will be saying, ‘I gave you my driver’s license and insurance card—how do I know I’m not going to file my taxes and find out someone else is using my information?’” Gross says. Ultimately, he predicts, patients will consider data security as well as quality of care when they’re selecting a health care professional—and if they don’t feel confident that their personal information will be protected, they will go elsewhere.