Breach Prevention: Time for Action
Fines in Health Net Case Illustrate the High Cost of Breaches
Healthcare organizations need to stop procrastinating and develop comprehensive plans for preventing breaches, as well as for reporting them promptly when they occur. Otherwise, they could face hefty potential state and federal penalties, not to mention many other post-breach costs.
The Health Net case provides an important reminder that hospitals, clinics and insurers could face significant sanctions if they fail to comply with the HITECH Act breach notification rule, HIPAA and state regulations. And remember, the HITECH Act toughened the penalties for violating the HIPAA privacy and security rules and made it clear that business associates also must comply.
Next year, look for more cash-strapped states to go after revenue by more aggressively enforcing state and federal rules regarding protecting health information.
Tardy Breach Notification
The Connecticut Insurance Department announced this week that it has fined Health Net $375,000 for its handling of a 2009 health information breach.
The department cited "failures to safeguard the personal information of its members from misuse by third parties," pointing, in particular, to the untimely notification of 500,000 state residents regarding the loss of a disk drive last year.
Back in July, Health Net agreed to pay $250,000 in damages and offer stronger consumer protections to settle a HITECH Act civil lawsuit filed in federal court by Connecticut Attorney General Richard Blumenthal. That suit also centered on the insurer's failure to promptly notify those affected by the breach incident, but it focused on violation of federal, not state, law.
The federal lawsuit was the first of its kind filed in the wake of the HITECH Act, which enabled state attorneys general to bring civil action in federal court for violations of HIPAA security and privacy rules.
State Breach Action Coming?
So why haven't more state attorneys general filed federal civil suits?
Well, for one thing, training of attorneys general on how to file the suits, as mandated and funded under HITECH, has yet to begin. A spokesman for the Department of Health and Human Services' Office for Civil Rights says that training will begin early in 2011. That's two years after passage of HITECH. And that's a shame.
"Once the AG training is completed, there will be more troops on the ground," says security expert Kate Borten, president of The Marblehead Group. "One enforcement problem to date has been the apparent lack of resources at the federal level.
"I believe that consumers will be more likely to report privacy and security issues to their local state government; they may be reluctant to report concerns to the federal government."
Protecting Privacy
And can we expect more states to ramp up enforcement of their laws that call for protecting information and reporting breaches? You bet.
"The recent elections show that voters want their elected officials to be more proactive in standing up for their rights and pursuing restitution from the organizations that mistreat their customers, which would include not appropriately protecting their information," says security specialist Rebecca Herold, owner of Rebecca Herold and Associates.
As if the threat of state and federal fines for violations isn't enough motivation for breach prevention, the HITECH Act calls for a new HIPAA compliance audit program. So far, federal officials are keeping quiet about the details of the audits, or the launch date. But it looks likely the program could kick in next year.
Time for Security Action
So what does it all mean?
"Organizations can no longer undervalue their privacy and security programs," Borten says. "These programs must be recognized as essential business processes requiring ongoing attention and resources in order to reduce the number of breaches."
Herold sounds a similar theme. "Organizations need to act now to protect information and prevent breaches. There has never been a time when the advice that it is much less expensive to prevent a breach than to respond to and resolve a breach has been more true. Never before have organizations faced so many layers of penalties and sanctions for not protecting information with strong controls."
She adds: "It is risky, irresponsible and foolhardy to not appropriately safeguard information and to not be prepared with a breach response plan."