September 09, 2011, 9:40 AM — Healthcare organizations that are performing risk assessments as a way to craft patient-privacy policies might want to consider a new potential attack vector: federal regulators.
Later this year, the Department of Health and Human Services is expected to start auditing up to 150 health providers at random through December 2012 in an effort to find medical entities that fail to comply with HIPAA and HITECH regulations about how personal data must be handled securely.
While the audits don't represent attacks on the personally identifiable information (PII) the regulations are supposed to protect, they do expose non-compliant providers to the potential for heavy fines and reputation-damaging publicity.
For instance, earlier this year Massachusetts General Hospital paid $1 million to settle a patient-privacy complaint with HHS after an employee left patient records in a subway car.
That's a big switch from the way healthcare privacy regulations have been handled since 2003, says Abner Weintraub, president of HIPAA Group, a compliance consultancy to healthcare organizations. Until this year, HHS had received about 50,000 complaints but levied no fines, preferring to take remedial actions instead, he says.
Levying fines now has an upside for HHS, says Kelly Hagan, a healthcare attorney with law firm Schwabe, Williamson & Wyatt in Portland, Ore. - the agency gets a cut of whatever fines are levied. That, combined with the pro-active auditing, marks a sea change for what healthcare CIOs and CISOs face when dealing with HIPAA. "Suddenly HIPAA has teeth and is willing to bite," Hagan says.
Despite this, instances of healthcare data breaches continue to flourish. Last year, HHS received 207 reports of breaches involving more than 500 individuals, according to a report to Congress last week. And there are growing incentives for criminals to focus on health record theft, Weintraub says. Patient data can be sold to criminals interested in perpetrating identity theft, he says, but more lucrative are schemes to commit medical identity theft.
That's when stolen patient data is used to obtain medical care for someone else, which not only bilks insurers but also taints the medical record of the individual whose identity is stolen by inserting records of treatments and tests the victim never received.