Why Companies Should Be Aware of Risks Associated with Protected Health Information

Pharmacy stakeholders who work with electronic health care data need to be vigilant against security breaches.

Now more than ever, it seems as though both consumers and industry stakeholders are being constantly bombarded with health care data analytics. Driven by federal and state policies to ensure a healthier population, data have been a useful tool to rein in excessive costs and promote improved quality of care. However, with increased data usage comes unintended consequences: since 2009, there have been over 1100 large data breaches affecting 500 or more individuals that have been reported by health care providers and their business partners to the US Department of Health and Human Services (HHS) Office for Civil Rights.¹ Shockingly, these statistics are only from reported cases. With our increased reliance on health care data, protected health information (PHI) has become a valued commodity for cyber attackers. Since our utilization of health information technology (HIT) will only continue to increase, the question of what can be done to minimize risks must be addressed. This article will demonstrate how we arrived at this point while outlining some suggestions interested stakeholders may want to examine that could ensure protection for your health care clients.

The foundation of our fundamental shift toward increased data utilization can be traced to the enactment of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although HIPAA has several aspects to it, the most commonly referred to section involves the statute’s privacy rule. The privacy rule standards address the use and disclosure of individuals’ health information, called “protected health information,” by organizations subject to the privacy rule (covered entities), as well as standards for individuals’ privacy rights to understand and control how their health information is used. The primary goal of the privacy rule is “to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being.”²

However, the rule “does not protect individually identifiable health information that is held or maintained by entities other than covered entities or business associates that create, use, or receive such information on behalf of the covered entity.”³ If this is the case and a breach happens that involves a third party not subject to the rule, where does responsibility lie? Whereas organizations create standard operating procedures regarding PHI to comply with HIPAA, the statute is not ironclad and creates gray areas that may need further definition in response to market occurrences. Even with the imperfections of HIPAA, one can argue that few could have foreseen the ways in which our usage of PHI has morphed from 1996 to today.

It wasn’t until the enactment of the American Recovery and Reinvestment Act (ARRA) of 2009 that the industry’s reliance on health care data began to increase. As everyone can remember, the US economy was fresh from the 2008 stock market crash and new policies were enacted in an attempt to improve the economic outlook. The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as a part of ARRA to encourage the adoption and meaningful use of HIT. Looking back, it was clear that one of the administration’s priorities was getting health care costs under control as an essential element of economic recovery. The irony is that at the time, many believed that the amount of money being spent to enact HITECH demonstrated the most significant change in health care in several years. The passage of the Affordable Care Act (ACA) in 2010 showed that not only were there more significant changes to come to the industry, but that HITECH would play an influential role in this transition.

The federal government spent billions to support the growth of electronic health records (EHRs), but what is the incentive for a provider to utilize EHR? The answer may lie within the statute itself. According to the Health Resources and Services Administration, ARRA authorizes the Centers for Medicare & Medicaid Services to provide a reimbursement incentive for physician and hospital providers who are successful in becoming “meaningful users” of EHRs. These incentives commenced in 2011 and will gradually be phased out. Starting in 2015, providers are expected to have adopted and be actively utilizing EHRs in compliance with the ”meaningful use” definition, or they will be subject to financial penalties under Medicare.⁴

With the environment in place for increased use of EHRs through the ACA exchanges and other mediums, the marketplace began to conform to these changes. Topics such as mobile health, telehealth, fitness apps, and the faster distribution of personal health records between acountable care organizations and hospitals are all emerging examples of how HIT is ushering in a new era of cost containment, operational efficiency, and improved patient care. History has shown us, however, that emerging technology often outpaces laws and regulations, and the risk of all of this free-flowing information falling into the wrong hands has increased dramatically.

What kind of information is at risk and why would a hacker target it? PHI that hackers are after often includes items such as Social Security numbers, birth dates, home and e-mail addresses, and diagnosis codes that can be used to buy prescription drugs online, purchase medical equipment, or create false identifications, to name a few. It seems that health care data is now more valuable than credit card data since health care data fraud takes longer for a consumer to both realize and report. This year has seen major breaches of PHI:

• On January 29, 2015, Anthem learned of a cyber attack to its IT system, which started as early as December 2014. The information accessed may have included names, birth dates, Social Security numbers, health care ID numbers, home addresses, and employment information, including income data. According to the company, no credit card or banking information was compromised, nor is there evidence that medical information such as claims, test results, or diagnostic codes were obtained.⁵
• In March, a data breach at Premera Blue Cross affecting 11 million people was revealed. According to the company, hackers accessed applicant and member names, birth dates, e-mail and home addresses, telephone and Social Security numbers, member ID numbers, bank information, and claims information, including clinical information.⁶
• On May 20, 2015, CareFirst BlueCross BlueShield announced that “the company has been the target of a sophisticated cyberattack.” The company stated that that the attackers could have potentially acquired member-created user names that are used to access CareFirst’s website, as well as members’ names, birth dates, e-mail addresses, and subscriber identification numbers.⁷

Although these are examples of health care providers, the risk is not limited to these unless companies are prepared. What steps need to be taken? First, do not think that HIPAA compliance is something that should be put on the back burner. If you are in health care, chances are that you have some connection to PHI, which means that you should revisit your standard operating procedures to determine whether they need to be changed. Second, since HITECH requires covered entities and their business partners to report to HHS any data breaches that affect 500 or more people, it may be a good idea to speak with vendors and business partners regarding ensuring security protocols for clients. Lastly, it is always a good idea to consult with a specialist who would be able to give you a neutral perspective on recommendations you may need to take. Preparation these days is essential and requires the industry to be more vigilant than ever. SPT

References

• Office for Civil Rights. Breach portal: notice to the Secretary of HHS breach of unsecured protected health information. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
• Office for Civil Rights. Summary of the HIPAA Privacy Rule. Published May 2003. www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf.
• National Institutes of Health. What health information is protected by the privacy rule? http://privacyruleandresearch.nih.gov/pr_07.asp.
• Health Resources and Services Administration: Rural Health. Health information technology. www.hrsa.gov/ruralhealth/resources/healthit/.
• Anthem Inc. How to access and sign up for identity theft repair and credit monitoring services. Anthem Inc website. Published May 8, 2015. www.anthemfacts.com.
• Premera Blue Cross. Premera has been the target of a sophisticated cyberattack. Premera Blue Cross website. www.premeraupdate.com.
• CareFirst. CareFirst BlueCross BlueShield has been the target of a cyberattack. CareFirst website. www.carefirstanswers.com.

About the Author

Ron Lanton III, Esq, is president of True North Political Solutions, LLC. He has over 20 combined years of government affairs and legal experience. This includes activities on the municipal, state, and federal levels of government. Most recently, he worked for a pharmaceutical wholesaler where he created and oversaw the company’s government affairs department, served as their exclusive lobbyist, and advocated for the company’s various health care customers. Prior to that, Ron worked at a government affairs consulting firm in Arlington, Virginia, where he focused on health care, energy, commerce, and transportation issues. He has also clerked for a federal magistrate, was appointed as a municipal commissioner on environmental issues, and has served as consultant to Wall Street firms on financial issues. He has been a featured industry speaker on issues such as pharmaceutical safety and health care cost containment. Ron earned his juris doctor from The Ohio State University Moritz College of Law and a bachelor of arts from Miami University of Ohio. He is also a “40 Under 40” award recipient. He is admitted to practice law in New York, Illinois, and the District of Columbia.