As the federal government prepares to spend up to $27 billion in stimulus funds to promote electronic medical records, a health technology industry survey suggests that a number of hospitals, health clinics, and insurance firms are violating federal security rules on patient data and putting sensitive health information at risk.
The November survey by the health technology trade association Healthcare Information and Management Systems Society (HIMSS) found that one in four of the 196 health organizations that responded do not conduct a formal risk analysis to identify security gaps in electronic patient data .
The survey results were first reported last last year, but widely overlooked is that failure to conduct a formal risk analysis is a violation of the Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996. Performing a risk analysis is crucial to assuring that patient information does not fall into the wrong hands, experts say. “This is a fundamental activity,” said Lisa Gallagher, senior director of privacy and security at HIMSS. “Everything they do [to mitigate the risk of a data breach] should be based on this security assessment.”
IThe prospect of data breaches is not merely a theoretical concern. In 2009, hospitals and insurance companies were plagued by high-profile losses of sensitive patient data. In November, the insurer Health Net announced that a portable hard drive containing medical claims of as many as 1.5 million members in Arizona, Connecticut, New Jersey, and New York had been lost or stolen. In October, a laptop containing social security numbers and other personal information of patients at the Children’s Hospital of Philadelphia was stolen from a car parked at a hospital employee’s home.
Despite the recent cases — and the survey’s findings of substantial lapses — no organization has ever been punished for violations of HIPAA’s data risk analysis provision, which is overseen by the Department of Health and Human Services (HHS). Since 1996, the agency has received approximately ten complaints that noted possible failure to perform risk analysis or risk management, according to Susan McAndrew, deputy director for health information privacy at HHS’s Office for Civil Rights; the civil rights office took over enforcement of HIPAA data security rules last July from the Centers for Medicare and Medicaid Services. None of the cases has resulted in penalties, which potentially range from $100 to $50,000 for a single violation and up to $1.5 million a year for multiple violations.
McAndrew said the agency hasn’t issued any fines because the goal of enforcement is to nudge doctors, hospitals, and insurers into compliance, not to punish them. “We have not needed to evoke a penalty scheme in order to get the corrective action,” McAndrew said. However, the office has so far declined to make public the names of any medical entities that have been pushed into compliance.
McAndrew said the health care information society’s survey shows that the Office for Civil Rights needs to provide training on data security, but does not amount to a report card on the agency. “I don’t think under any measure that you can say enforcement in this office is lax in terms of HIPAA,” she said. “This is a top priority.”
But industry insiders characterize the situation differently. They say there have been few patient data security cases at HHS because the agency relies on media reports, complaints, and referrals from other agencies to learn of potential HIPAA rules violations, which has not generated a wide number of leads or investigations. “There has been some perception that organizations have under-resourced this since they view it as not being actively enforced,” said Gallagher of the health care information society. “The HIPAA police are not coming around.”
Pam Dixon, executive director of the World Privacy Forum, a consumer privacy organization that specializes in health data issues, said the HIMSS report proves enforcement has not kept up with the escalation of threats to patient data and needs to be far more aggressive. “The Office for Civil Rights has not [enforced] HIPAA in a way that deters bad actors,” Dixon stated. “They defer way too much to industry. That is the essential problem.”
Because HIMSS surveyed a small percentage of health organizations and relied on self-reported data, it is impossible to know from the survey how many hospitals, clinics, and insurance companies have violated HIPAA health data security rules. But Gallagher, who worked as an information security consultant for 25 years, believes that there are many. “I keep in touch with industry peers,” Gallagher said. “And this is consistent with what they are saying.”
Stricter enforcement could be in the offing, although just how soon is not clear. The HITECH Act, which passed as part of the American Recovery and Reinvestment Act of 2009 (the so-called ‘stimulus’ bill), gave HHS the authority to perform HIPAA compliance audits. McAndrew said the agency is exploring options on how it will conduct the audits, but could not provide further detail on when the audits are likely to begin.
The stimulus bill also will provide doctors with between $44,000 and $64,000 each in Medicare and Medicaid incentives to switch from paper to electronic medical records. Hospitals will be eligible to receive millions to make the switch. Privacy advocates fear that the move will create a spike in patient data and thus cause a spike in data breaches as well.
HIPAA rules are the best protection patients have to ensure health organizations are keeping their personal data safe, said Linda Sherry, director of national priorities at the consumer rights organization Consumer Action. If HIPAA is not working, the push for electronic health records could be derailed by patients’ privacy fears, she said. “If [doctors and hospitals]are not doing the job they are supposed to do, sensitive information could be compromised and used against you by employers, insurance companies, or whoever.”
In addition to poor patient data controls, the HIMSS survey highlights other privacy failures by the medical industry: inadequate data security controls, cases of medical identity theft, and insufficient budgets for information security.
In November, Gallagher presented testimony on the HIMSS survey to the Health Information Technology Standards Committee, a federal advisory group charged with developing recommendations on standards and certification criteria for the use and exchange of electronic health information. “You can talk about enforcement, and you can threaten, but at some point you have to support the process,” Gallagher said recently. The solution, she added, is finding a way to direct federal dollars to data security, not just health record implementation.