A recent investigation by ProPublica.org shows not only that the medical community regularly abuses patient privacy, but that the responsible parties are seldom punished.
Since October 2009, more than 1,140 significant breaches of patient data have been reported by providers, organizations and their third-party associates. The records of more than 41 million people were involved, compromised in many ways: stolen laptops, hacked servers and even paper records left unattended.
“Yet, over that time span,” ProPublica reported, “the Office of Civil Rights has fined health-care organizations just 22 times.”
Last year alone, the California Department of Public Health, which also levies fines against hospitals for compromising patient privacy, imposed 22 penalties; as of last month, it had imposed eight such penalties so far this year.
The Office of Civil Rights is authorized to audit health-care organizations to ensure they are protecting patient records, and to impose fines as high as $1.5 million per violation. Why is it so reluctant to protect people by exercising its authority?
The office, which has fewer than 200 employees and a budget of just $39 million, may use fine money for enforcement. Data security experts told ProPublica that the office lacks the resources to fulfill its oversight responsibilities, which each year also include reviewing more than 2,500 Medicare provider applications for civil rights compliance, more than 4,000 discrimination complaints and more than 15,000 claims of violations of the Health Insurance Portability and Accountability Act (HIPAA).
Anyone who has been in a doctor’s office or other medical setting since the late 1990s is familiar with the forms they’re given about their HIPAA rights. HIPAA mandates standards for the use and dissemination of health-care information, and directs how organizations must protect electronic medical records.
More than a decade after the passage of HIPAA, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) required organizations to publicly report breaches involving at least 500 patients, and boosted the amount the feds could fine them for violating patient privacy and record security. It also directed the Health and Human Services Department (HHS) to conduct audits, and extended the rules to third parties affiliated with health-care organizations.
But in 2013, the inspector general faulted HHS for not performing audits mandated by the act after a pilot audit program in 2011 and 2012 showed that 102 of the 115 organizations reviewed had problems with security or weren’t following rules to safeguard patient privacy. Only now, according to ProPublica, are follow-up audits getting started.
The Office of Civil Rights reviews every data breach, no matter how large or small; years might pass before they’re resolved. Unnervingly, the number of large data breaches is growing, including the one recently discovered by health insurer Anthem that exposed the medical information of about 80 million people. Last year, according to ProPublica, 278 large breaches were reported; between 2010 and 2012, there were fewer than 200 per year.
At a privacy and security forum in December 2012, Leon Rodriguez, then-director of the U.S. Department of Health and Human Services’ Office of Civil Rights, said, “We’ve now moved into an area of more assertive enforcement.”
You shudder to think what would happen if the office weren’t so assertive…
Protecting privacy isn’t just about securing data. Last month, one of the nurses who contracted Ebola last year at the Dallas hospital that treated victims sued the facility’s parent company not only for treatment shortcomings but also, she claimed, because the hospital violated her federal privacy rights when it videotaped her without permission. After a dying patient was depicted on a TV show, legislation was proposed last month in New York to make it a felony to film people receiving medical treatment without prior consent.
The Office of Civil Rights declined to be interviewed by ProPublica, but in a statement repeated that it “aggressively” identifies and investigates “high-impact cases that send strong enforcement messages about important compliance issues.”
In May, it hammered New York-Presbyterian Hospital and Columbia University with fines totaling $4.8 million for failing to secure the electronic health records of 6,800 people. One doctor, for example, had tried to remove his personally owned computer server from a shared network, which left very detailed patient records exposed to Web search engines. The exposure was discovered when somebody found a deceased partner’s personal health information online.
It took five years for the feds to impose an $800,000 fine against Parkview Health System after 71 cardboard boxes of medical records of as many as 8,000 patients were left unattended in the driveway of a physician’s home. Remarkably, the incident wasn’t reported by the facility as a large data breach, but by the physician.
Some organizations told ProPublica that they didn’t know the status of their cases. One was the state of Utah, which reported in 2012 that hackers had gotten data on Medicaid and children’s health insurance claims, and that the Social Security numbers of 280,000 people were captured.
In the meantime, to its credit, Utah’s Department of Technology Services has increased security and funding, now monitors its network 24 hours a day and conducts an outside security assessment every two years.
Industry experts contacted by ProPublica said that the Office of Civil Rights is trying to catch more flies with honey than poison them with vinegar. They said the feds are working with organizations to improve their security and punishing only the worst lapses. Providers often voluntarily agree to make necessary changes if they’re not fined, the feds said.
How often have product manufacturers agreed to adhere to voluntary standards, only to fall short if no one’s making sure they do? How often have pharmaceutical companies merely paid fines as the cost of doing business for the dangerous false advertising of their drugs?
Some security experts told ProPublica that the government must flex its fining muscles to address the wave of patient data breaches. One such expert compared the situation to environmental pollution.
“If the cost of polluting is zero, companies will pollute,” he said. “How would a rational company not do that? If your CEO said we’re going to spend four times as much money not to pollute, he would be fired. What you need is to make security rational.”