HIPAA compliance concerns surround Unity Health Insurance’s missing portable hard drive

HIPAA Final Rule Compliance Impact on MSPs and VARs
With growing concerns over HIPAA compliance, it is important to know the requirements and put them into place properly.

Update: September 21, 2015

Lately, it seems like there’s another data breach in the news every week. Just a couple weeks ago, Excellus Blue Cross Blue Shield announced that more than 10 million of its members’ personal information had been compromised in a massive cyber attack. Although the insurer wasn’t aware of the attack until this August, the attack actually occurred in December 2013. A subsequent investigation discovered the hackers had uninterrupted access to members’ personal information from that time onward.

Although this blog post is from last year, and deals with an accidental, physical data breach rather than a malicious attack by outside hackers, it is still highly relevant today. HIPAA regulations lay out strict requirements for the safeguarding of electronic protected health information (ePHI). Two key measures HIPAA covered entities (CEs) should take to ensure compliance are maintaining high levels of data security and keeping secure, offsite backups of patient data. Read on to learn more.

Original Post: February 2, 2014

With the increasing amount of business conducted online and records being stored electronically in today’s high technology world, privacy and security have become hot topics of discussion. Recently, security breaches to major retailers and email providers have been making national news and drawing concern from millions.

Here in Wisconsin, a recent security breach has customers of Unity Health Insurance concerned for the safety of their health records. This week, Unity said that a portable hard drive containing information for more than 40,000 members was missing from the University of Wisconsin-Madison School of Pharmacy. While Unity spokeswoman Jennifer Woomer-Dinehart said there was no reason to believe the drive was stolen with malicious intent, the loss of the drive could still violate the privacy and security standards laid out by the Health Insurance Portability and Accountability Act (HIPAA).

Under HIPAA’s Privacy Rule, all covered entities (healthcare practices, health insurance companies, and so on) and their business associates, including certain suppliers and those responsible for destroying information, are required to safeguard personally identifiable health data, or protected health information (PHI). Electronic protected health information (e-PHI) is also covered, and includes data such as the patient information in digital form that was on the lost hard drive. HIPAA’s Security Rule mandates that all covered entities and business associates take specific security measures to ensure the safety of e-PHI.

Disclosure of e-PHI, intentional or unintentional, is a violation of HIPAA and can carry heavy penalties. Unintentional violations carry a fine of $100 to $50,000 or more per violation, with an annual cap of $1.5 million. Intentional disclosure is a criminal offense and can be punishable with higher fines or imprisonment. Security breaches are no simple matter.

Unfortunately, this is not an uncommon situation, and it stems from carelessness within an organization’s technology practices. According to a survey conducted by SearchHealthIT, 40% of respondents in the healthcare industry said their organization had no “bring your own device” (BYOD) policy. This means there are no restrictions on healthcare professionals using personal devices for professional purposes. BYOD coupled with informal file sharing, whether through websites such as Dropbox or through email attachments, poses a security risk for e-PHI.

The Security Rule lays out guidelines for necessary safeguards for e-PHI, including:

  1. Encryption and Destruction: All data at rest must be either encrypted or destroyed. All data being transmitted must also be encrypted. Many covered entities struggle with this requirement because their physical backup methods (such as external hard drives, tape, or CD backups) are unencrypted.
  2. Employee Training: Organizations are required to document their policies and train their employees on HIPAA requirements. Employers are liable for any noncompliance violations by their employees.
  3. Offsite Backup: Covered entities and business associates must securely back up retrievable, exact copies of electronic health information. Backups must be recoverable and stored offsite in case of a disaster such as fire or flood. Data must also be backed up frequently so that the copies are exact, not day-old copies. Recoveries also need to be tested to ensure they actually work.
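As an added illustration of the third safeguard (exact, retrievable copies with tested recoveries), and not code from the original post: a small Python check that records a SHA-256 manifest of the source records, verifies a restored copy against it, and flags a backup older than an assumed 24-hour policy window. The sample files, directory layout and the window are constructed for the demo; encrypting the backup media (safeguard 1) is outside this snippet.

```python
import hashlib
import os
import shutil
import tempfile
import time

MAX_BACKUP_AGE_SECONDS = 24 * 60 * 60  # assumed policy window, not a HIPAA-mandated value


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def build_manifest(root):
    """SHA-256 of every file under root, keyed by relative path, plus the capture time."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files[os.path.relpath(full, root)] = sha256_of(full)
    return {"created": time.time(), "files": files}


def verify_restore(manifest, restored_root):
    """Return a list of problems; an empty list means the restore is an exact copy."""
    problems = []
    for rel, digest in manifest["files"].items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            problems.append("missing: " + rel)
        elif sha256_of(path) != digest:
            problems.append("digest mismatch: " + rel)
    return problems


def backup_is_fresh(manifest, now=None, max_age=MAX_BACKUP_AGE_SECONDS):
    """True if the backup was captured within the policy window (not a day-old copy)."""
    now = time.time() if now is None else now
    return now - manifest["created"] <= max_age


def demo():
    """Constructed sample: one record file, a faithful restore, then a silently altered one."""
    src, good, bad = (tempfile.mkdtemp() for _ in range(3))
    with open(os.path.join(src, "claims.csv"), "w") as f:
        f.write("member_id,claim\n1001,office visit\n")  # constructed, not real PHI
    manifest = build_manifest(src)
    for dst in (good, bad):
        shutil.copytree(src, dst, dirs_exist_ok=True)
    with open(os.path.join(bad, "claims.csv"), "a") as f:
        f.write("1002,altered after backup\n")  # simulates a restore that is not exact
    return verify_restore(manifest, good), verify_restore(manifest, bad)
```

Running `demo()` returns an empty problem list for the faithful restore and a digest mismatch for the altered one, which is the kind of evidence a recovery test should produce.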

It is important to know these requirements and put them into place if you fall under the covered entity or business associate category.