Medical record custodians beware—rules promulgated by
the federal Department of Health and Human Services
("HHS") are placing increased focus on, and imposing
increased penalties for, data intrusions and thefts related to
medical records.
Rules imposed under the 2009 Health Information Technology for
Economic and Clinical Health Act ("HITECH Act") require
entities qualifying as "covered entities" under the
Health Insurance Portability and Accountability Act of 1996
("HIPAA"), as amended, to report data breaches to HHS and
to notify the affected individuals. Failure to notify affected
individuals may result in hefty fines, which can increase
substantially as a result of delays.
In addition, those healthcare entities that have experienced data
breaches affecting 500 or more individuals must notify local media
and are listed publicly on the Office for Civil Rights'
website. The list, which some in the healthcare industry
have dubbed the "Wall of Shame," contains the name of the
covered entity, its location, the number of individuals affected,
the date of breach, the type of breach, and the location of the
breached information.
The past few years have brought massive reported breaches, such as
the 4.9 million records lost by TRICARE Management Activity (a
Department of Defense health care program) when backup tapes
disappeared, 1.9 million records lost when hard drives disappeared
from HealthNet, and 1.7 million electronic medical records stolen from the
New York City Health and Hospitals Corporation's North Bronx
Healthcare Network.
Data breaches are occurring with increasing frequency and take
many forms—from 'old school' physical theft of
hard drives and laptops to 'new school' criminals demanding
ransom from records custodians. Indeed, a recently released
survey by FTI Consulting Inc. and Corporate Board Member states
that data security was the most cited issue of concern for general
counsel (55%).
Records custodians in the healthcare industry – and in
any industry, for that matter – should establish a plan
to deal with potential intrusion or theft and should consider
obtaining "cyber-theft" insurance or other coverage to
protect against the steep aftereffects that inevitably follow a
data breach. Those who fail to adequately protect themselves
risk facing governmental investigations, criminal and civil
penalties, class action suits, and adverse media coverage.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.