
A Nonprofit Breaches Patient Health Information Privacy and Pays the Price

Meredith Betz
September 17, 2018
Compliance and Safety LLC. [CC BY-SA 3.0 ], from Wikimedia Commons

September 12, 2018; Becker’s Hospital Review

Breaches of patient privacy in the US healthcare field cost $6.2 billion each year. When we hear of massive HIPAA breaches, we most often associate them with large hospitals and their systems. However, any nonprofit organization that collects electronic personal health information (ePHI), including social service organizations, needs to pay very close attention to risk assessments for data breaches, both whether they perform them and how well.

The Arc of Erie County in Buffalo, N.Y., found this out the hard way. The nonprofit, which serves people with developmental disabilities, will pay $200,000 in penalties for violating HIPAA. (The Health Insurance Portability and Accountability Act was enacted in 1996 to ensure that US organizations protect the privacy and security of health information.) In early February 2018, the Arc of Erie County learned that clients’ ePHI, including full names, Social Security numbers, gender, race, primary diagnosis codes, IQ scores, insurance information, addresses, phone numbers, dates of birth, and ages, was exposed on its website.

Even though the agency reports that the site was only for internal use, HIPAA has strict guidelines on how healthcare organizations need to handle ePHI. It mandates a thorough risk analysis of their systems. Had the Arc of Erie County conducted such an analysis, it would have been aware of its vulnerability due to an openly accessible patient record system. Since 2015, 3,751 of The Arc’s clients were affected when unauthorized third parties accessed information. Officials said there is no evidence of malware on the system or ongoing communications with outside IP addresses.

Now, the nonprofit has been ordered to provide a risk analysis, review all its policies and procedures, and submit its findings to the attorney general’s office within 180 days from the settlement.

“The Arc of Erie County’s work serves our most vulnerable New Yorkers and that comes with the responsibility to protect them and their sensitive personal information,” New York Attorney General Barbara Underwood said in a news release. “This settlement should provide a model to all charities in protecting their communities’ personal information online.”

Nonprofits on shoestring budgets may see the cost of a risk analysis as prohibitive, but breaches will cost them much more than hefty fines. Ensuing lawsuits, the costs of cleanup, and new security technology could run into the hundreds of thousands of dollars. Even more significantly, their brand value would be diminished, and recouping the public’s trust—not to mention their donors’—could take years.

Even organizations that have taken measures to secure their systems can be targets for breaches of ePHI. In May 2018, Alive Hospice in Tennessee reported that two employees whose email accounts contained protected health information were duped by phishing scams that allowed hackers to access their data. Alive’s review of its email systems in December of 2017 revealed that the two accounts contained ePHI. The organization took proactive damage-recovery measures and has provided individuals impacted by the breach with 12 months of credit monitoring and identity theft protection services without charge. So far, Alive’s investigation into the breach has found no evidence to indicate any of the information was viewed or downloaded by the attackers, nor have any reports been received to suggest any misuse of patients’ personal health information.

Calyptix Security cites Verizon’s 2018 Protected Health Information Data Breach Report, stating that the majority of breaches occur within organizations. Employee misuse or failure to protect patient information often provides a portal for third parties to access and use it.

All healthcare nonprofits should familiarize themselves with HIPAA’s list of best practices to ensure compliance:

  1. Drafting and distributing policies, authorization forms and other HIPAA-required documents regarding how health information is used and protected
  2. Encrypting emails that contain sensitive data
  3. Avoiding faxing confidential information
  4. Using passwords to restrict access to electronic protected health information
  5. Turning monitors so they’re not visible to others while working with electronic protected health information
  6. Logging off computer systems when leaving the work area

Nonprofit organizations that collect ePHI need to be vigilant in assessing their vulnerability to breaches of information and protecting data access. Even an employee or volunteer who becomes aware of a patient diagnosis through patient records and inadvertently reveals it in a public conversation is putting the organization at risk of a HIPAA violation.

In today’s opioid addiction epidemic and the ramping up of programs to support people with addiction, it is critical that nonprofit health organizations take heed of the danger of breaches. No one is presumed innocent in violating HIPAA, nor should they be.

For more information on the need for nonprofit ePHI protection, here’s another take on it from NPQ.—Meredith Betz

ABOUT THE AUTHOR
Meredith Betz

G. Meredith Betz is an organizational consultant and nonprofit executive with leadership experience in development and organizational dynamics in healthcare, arts and culture, and education nonprofits. As an executive coach and consultant to nonprofit organizations, she trains nonprofit boards in best practices in governance and in building a culture of philanthropy within their organizations.
