Data Encryption and the HIPAA Data Breach

©iStock.com/davewhitney

With the rise of medical identity theft and news reports of major electronic personal health information (ePHI) breaches, the past few years have seen an increased focus on new HIPAA (Health Insurance Portability and Accountability Act of 1996) rules and the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH), which was passed into law along with the stimulus package in 2009.

Medical Identity Theft

Medical identity theft has long taken a back seat to the risk posed by financial identity theft. However, with the increased number of startling cases, medical identity theft is beginning to take more of a national spotlight. One example is a California resident who saw $12,000 billed to her health care credit card for a liposuction procedure she never had. In another case, a Texas resident discovered over $100,000 of unpaid medical bills on his credit report, including nearly $20,000 for a life-flight helicopter trip taken by someone who had stolen his medical identity.

The Privacy Rights Clearinghouse recorded 277 medical identification breaches in 2013, potentially exposing over 5.4 million medical records. The threat to patients is not always just financial, as inaccurate medical information can be entered in their chart reflecting diseases or treatments they never had, which could result in improper treatment decisions.

One incredible recent incident from August 2014 involved hackers, believed to be operating from China, accessing over 4.5 million records from Community Health Systems based out of Franklin, Tennessee.

ePHI Breaches

Breaches of ePHI happen many different ways: malicious attacks by hackers, loss or theft of portable devices such as laptops, insiders or employees who access data without authorization, and unintended disclosures by health entities.

One breach in 2010 occurred when the theft of 57 hard drives from a different Tennessee facility put the ePHI of over 1 million people at risk. Another major breach occurred when an unerased digital copier hard drive was found to have over 400,000 patients’ information stored on it. There was also an incident at a Florida MRI center where two employees were involved in an identity theft scheme, resulting in 1,500 confirmed thefts, and the potential exposure of up to 40,000 individuals.

In the past, hackers were not considered to be a major threat to ePHI, as a majority of data breaches had been the result of accidents or unintended consequences of thieves seeking to steal computers or laptops for parts. In other words, the ePHI had not been the target. However, recent developments show this may be changing. In addition to the Community Health Systems case, there was a major breach in May 2009 when hackers stole over 500,000 patients’ pharmaceutical records from Virginia’s state prescription drug database. The hackers demanded a $10 million ransom. These incidents highlight the growing concern of hackers accessing ePHI, and the importance of properly protecting ePHI.

Why Encryption Is Important

For anyone storing or collecting health data, the first step if an ePHI breach occurs is to determine whether disclosures to affected individuals and/or the Department of Health and Human Services (HHS) are necessary. In many instances, health care entities must notify affected individuals without delay, and in no case later than 60 days after learning of a breach. If the breach affects more than 500 people, a disclosure to the media is required within 60 days. Further, HHS must also be contacted within 60 days. However, if the breach affects fewer than 500 people, the disclosure to HHS can be made on an annual basis.

This is where encryption comes in. HITECH imposes disclosure requirements only for breaches of “unsecured” data. In other words, if the data meets HIPAA’s encryption requirements, no notifications are required, because there is little risk of the encrypted data being accessed. Encrypting data helps ensure compliance with current and future HIPAA regulations and avoids the potential expense of dealing with a breach notification if data is ever compromised. Encrypting ePHI might be seen as a technically daunting task; however, tools like NotesFirst® are making it easier.

Cloud storage is the way of the future, and it is important to know whether the sensitive data you are storing is secured and properly encrypted. That’s why NotesFirst® designed its own encryption process, following the National Institute of Standards and Technology’s specification of the 256-bit Advanced Encryption Standard (AES-256). Tools like NotesFirst® are helping to safely propel the management of medical information into the future by:

• Improving the ability to capture important information,
• Facilitating seamless cloud storage of important information, and
• Keeping it all safe with advanced encryption standards.

Despite the risks posed by digital data breaches, innovators like NotesFirst® are providing solutions to the daunting task of improving a provider’s access to information, while preserving the privacy of patients.

N. Nedim Halicioglu is an experienced healthcare lawyer specializing in the analysis of medical privacy concerns, startup companies and general civil litigation. He is a consultant and advisor to NotesFirst, Inc.