The United States enacted the Health Insurance Portability and Accountability Act (“HIPAA”) in 1996, in part to give healthcare patients better assurances that their personal medical histories and information would not be publicized or used for improper purposes. The rules later adopted to enforce HIPAA’s privacy provisions, chiefly the Privacy Rule, the Security Rule and the Breach Notification Rule, have become a legal minefield for healthcare facilities, particularly as electronic medical records have become the standard in virtually every U.S. medical practice. Those records are a prime target for cyber thieves, and healthcare providers that fall prey to them often discover that the same failure to protect patient information against hackers also places them in violation of HIPAA.
HIPAA violations can lead to significant fines against the organization that is deemed responsible for failing to protect patient information and privacy. Before 2015, the largest HIPAA settlements paid by healthcare organizations ranged from roughly $1 million to $5 million apiece. In 2016, Illinois-based Advocate Health paid more than $5.5 million to settle a series of data breaches in which the protected health information of millions of patients was exposed. These fines come on top of the other costs and liabilities that affected healthcare organizations must absorb to recover their data and systems, and to give their patients assurances that their information will be better protected in the future.
An analysis of a cyberattack on Boston-based Partners HealthCare in late 2014 shows how a cyberattack on a healthcare organization can lead to a HIPAA violation. Partners HealthCare found that a number of its users’ electronic accounts had been compromised through an email phishing attack: employees responded to a message they believed to be legitimate and to have come from the organization itself, and in doing so handed their account credentials to the attackers. Partners did not know exactly what information the hackers had been able to access through those accounts, but believed that it included patient names and addresses, medical treatment details and, in some cases, Social Security numbers.
HIPAA’s Breach Notification Rule requires a covered entity that discovers a breach of unsecured protected health information to notify the affected individuals in writing without unreasonable delay, and in no case later than sixty calendar days after the breach is discovered. Partners HealthCare identified the attack in November 2014, but did not send breach notices to patients until late April 2015. Although Partners HealthCare launched a full investigation into the cyberattack and took affirmative steps to limit its damage, the delay in issuing the required written notices placed it in violation of HIPAA’s rules and exposed it to a potential civil penalty of up to $1.5 million, the annual cap for violations of a single HIPAA provision.
This situation demonstrates how HIPAA’s exacting rules and regulations can trip up even a diligent healthcare organization that makes every effort to remain in compliance. At a time when regulators are stepping up HIPAA enforcement, every healthcare organization needs to make a corresponding effort to improve its cybersecurity.
Those efforts include, for example, training personnel to recognize common attack methods such as phishing; requiring two-factor authentication for logins to the organization’s electronic networks, so that a phished password alone is not enough to take over an account; and adopting stronger protections for supply chains and medical devices to reduce the weak links in vendor and equipment supplies. Staying abreast of changes in HIPAA’s rules and regulations, and procuring healthcare cybersecurity insurance, are also critical elements in protecting a healthcare organization.
Healthcare cybersecurity insurers can work with their healthcare clients to maintain compliance with HIPAA, including by helping them provide the proper notices to affected parties within the time limits HIPAA dictates. Insurance can also provide critical coverage for direct costs, liabilities to third parties and, where such penalties are insurable, the HIPAA fines that a healthcare organization may face when it suffers a cyberattack. Given the growth of the healthcare market and the corresponding expansion of HIPAA’s privacy strictures, no healthcare organization can afford to be without cybersecurity insurance.