September 12, 2018; Becker’s Hospital Review
Breaches of patient privacy in the US healthcare field cost $6.2 billion each year. When we hear of massive HIPAA breaches, we most often associate them with large hospitals and their systems. However, any nonprofit organization that collects electronic personal health information (ePHI), including social service organizations, needs to pay very close attention to risk assessments for data breaches—both if they perform them and how well.
The Arc of Erie County in Buffalo, N.Y., found this out the hard way. The nonprofit, which serves people with developmental disabilities, will pay $200,000 in penalties for violating HIPAA. (The 1996 Health Insurance Portability and Accountability Act was enacted in 1996 to ensure that US organizations protect the privacy and security of health information.) In early February 2018, the Arc of Erie County learned clients’ ePHI, including full names, Social Security numbers, gender, race, primary diagnosis codes, IQ scores, insurance information, addresses, phone numbers, dates of birth, and ages, were exposed on its website.
Even though the agency reports that the site was only for internal use, HIPAA has strict guidelines on how healthcare organizations need to handle ePHI. It mandates a thorough risk analysis of their systems. Had the Arc of Erie County conducted such analysis, they would have been aware of their vulnerability due to an openly accessible patient record system. Since 2015, 3,751 of The Arc’s clients were affected when unauthorized third parties accessed information. Officials said there is no evidence of malware on the system or ongoing communications with outside IP addresses.
Now, the nonprofit has been ordered to provide a risk analysis, review all its policies and procedures, and submit its findings to the attorney general’s office within 180 days from the settlement.
“The Arc of Erie County’s work serves our most vulnerable New Yorkers and that comes with the responsibility to protect them and their sensitive personal information,” New York Attorney General Barbara Underwood said in a news release. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”
Nonprofits on shoestring budgets may see the cost of a risk analysis as prohibitive, but breaches will cost them much more than hefty fines. Ensuing lawsuits, the costs of cleanup, and new security technology could run into the hundreds of thousands of dollars. Even more significantly, their brand value would be diminished, and recouping the public’s trust—not to mention their donors’—could take years.
Even organizations that have taken measures to secure their security systems can be targets for breaches of ePHI. In May 2018, Alive Hospice in Tennessee reported that two employees whose email accounts contained protected health information were duped by phishing scams that allowed hackers to access their data. Alive’s review of its email systems in December of 2017 revealed that the two accounts contained ePHI. The organization took proactive damage recovery and has provided individuals impacted by the breach with 12 months of credit monitoring and identity theft protection services without charge. So far, Alive’s investigation into the breach has found no evidence to indicate any of the information was viewed or downloaded by the attackers, and neither have any reports been received to suggest any misuse of patients’ personal health information.
Calyptix Security cites Verizon’s 2018 Protected Health Information Data Breach Report, stating that the majority of breaches occur within organizations. Employee misuse or failure to protect patient information often provides a portal for third parties to access and use it.
All healthcare nonprofits should familiarize themselves with HIPAA’s list of best practices to ensure compliance:
- Drafting and distributing policies, authorization forms and other HIPAA-required documents regarding how health information is used and protected
- Encrypting emails that contain sensitive data
- Avoiding faxing confidential information
- Using passwords to restrict access to electronic protected health information
- Turning monitors so they’re not visible to others while working with electronic protected health information
- Logging off computer systems when leaving the work area
Nonprofit organizations who collect ePHI need to be vigilant in assessing their vulnerability to breaches of information and protecting data access. Even an employee or volunteer who becomes aware of a patient diagnosis through patient records and inadvertently reveals it in a public conversation is putting the organization at risk of a HIPAA violation.
In today’s opioid addiction epidemic and the ramping up of programs to support people with addiction, it is critical that nonprofit health organizations take heed of the danger of breaches. No one is presumed innocent in violating HIPAA, nor should they be.
For more information on the need for nonprofit ePHI protection, here’s another take on it from NPQ.—Meredith Betz