Medical record custodians beware—rules promulgated by the federal Department of Health and Human Services ("HHS") are placing increased focus on, and imposing increased penalties for, data intrusions and thefts related to medical records. 

Rules imposed under the 2009 Health Information Technology for Economic and Clinical Health Act ("HITECH Act") require entities qualifying as "covered entities" under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended, to report data breaches to HHS and to notify the affected individuals.  Failure to notify affected individuals may result in hefty fines, which can increase substantially as a result of delays. 

In addition, those healthcare entities that have experienced data breaches affecting 500 or more individuals must notify local media and are listed publicly on the Office for Civil Rights' website.  The list, which some in the healthcare industry have dubbed the "Wall of Shame," contains the name of the covered entity, its location, the number of individuals affected, the date of the breach, the type of breach, and the location of the breached information.  

The past few years have brought massive reported breaches, such as the 4.9 million records lost by TRICARE Management Activity (a Department of Defense health care program) when backup tapes disappeared, 1.9 million records lost when hard drives disappeared from HealthNet, and 1.7 electronic medical records stolen from the New York City Health and Hospitals Corporation's North Bronx Healthcare Network.  

Data breaches are occurring with increasing frequency and take many forms—from 'old school' physical theft of hard drives and laptops to 'new school' criminals demanding ransom from records custodians.  Indeed, a recently released survey by FTI Consulting Inc. and Corporate Board Member states that data security was the most frequently cited issue of concern for general counsel (55%). 

Records custodians in the healthcare industry – and in any industry, for that matter – should establish a plan to deal with potential intrusion or theft and should consider obtaining "cyber-theft" insurance or other coverage to protect against the steep aftereffects that inevitably follow a data breach.  Those who fail to adequately protect themselves risk facing governmental investigations, criminal and civil penalties, class action suits, and adverse media coverage.
