Information Security Remains Primary Concern for General Counsel

Are you ready for a health care data breach? Not only the privacy issues that result and the often-enormous burden that is imposed, but the reputational harm that you and your public relations staff must explain to your customers and Board?

In a recent survey, data security was the most cited issue of concern for General Counsel [1]. From the loss or theft of hard drives and laptops to criminals holding data for ransom, data breaches are occurring with increasing frequency. Amid recent regulations and increased enforcement activity, the number of individuals affected by health care data breaches nearly doubled from 2010 to 2011 [2]. As a result, the stakes have never been higher for hospital and health systems—including in-house counsel—to take proactive measures to prevent a data security issue.

Enacted in 2009 as part of the American Recovery and Reinvestment Act, the Health Information Technology for Economic and Clinical Health Act – or HITECH Act – contained incentives to promote the use of health information technology as a means to improve quality of care and reduce costs. The HITECH Act also significantly expanded the reach of HIPAA and raised the bar for health data security with increased penalties, mandatory audits, and new security breach notification requirements. Prior to HITECH, covered entities had no duty to self-report HIPAA breaches. Now, self-reporting is public and potentially embarrassing. HITECH requires covered entities to report breaches of unsecured PHI to patients, HHS, and, in the case of data breaches affecting 500 or more individuals, the media. Data breaches affecting 500 or more individuals are also listed on the HHS Office of Civil Rights' website, which some in the healthcare industry have dubbed the "Wall of Shame."

At the same time, HHS-OCR has significantly increased its enforcement activities. The largest penalty listed on the HHS-OCR website prior to 2009 is $100,000. Since 2009, seven entities have been fined $1,000,000 or more for HIPAA violations. In addition to the increased penalties, the agency has also announced that between November 2011 and December 2012, it plans to conduct 115 audits of covered entities to assess privacy and security compliance. The cost of data breaches extends well beyond monetary penalties. Hospitals and health plans can easily spend millions of dollars investigating the causes of a data breach, notifying the individuals affected, providing services such as credit monitoring to mitigate the risk of harm to those individuals, and, last but not least, attempting to mitigate the immense reputational harm so often associated with data breaches.

General Counsel and IT experts in the health care industry must establish a plan to deal with potential intrusion or theft. Among the steps to be considered are:

  • If feasible, encrypt PHI;
  • Evaluate current privacy and security protection systems, and assess methods of breach detection;
  • Draft and implement a data breach notification policy for unsecured PHI;
  • Revise Business Associate Agreements to require prompt notification of data breaches;
  • Familiarize the company with the data breach requirements and notification forms available on the HHS website for notice to the Secretary;
  • Train employees, officers and agents of the Covered Entity in protection of PHI and data breach requirements; and
  • Consider, and price, "cyber-theft" insurance or other coverage to protect against the steep aftereffects that inevitably follow a data breach.

Those who fail to adequately protect themselves risk facing governmental investigations, civil and criminal penalties, class action suits, shareholder derivative suits, and adverse media coverage. The downside is steep, but may be protected against if proper preventive and compliance measures are taken.

Originally published in The Advisory Board Company, "General Counsel Agenda: A Quarterly Legal Perspective on Today's Top-Of-Mind Issues," October 24th, 2012.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.