Compliance Perspectives: Complying with HIPAA Isn’t Enough to Manage Data Breach Liability Risks

Memo to lab managers and compliance officers: It may be time to rethink your data breach response strategy. This directive is the result not of any substantive changes to the HIPAA rules but rather to how they are likely to be enforced from now on. The punchline: Messing up your HIPAA breach response and reporting may get you into trouble with not just the federal Office of Civil Rights (OCR) but also the Attorneys General (AGs) of every state of patients harmed by the breach. Here’s a look at this new compliance hazard and the nine safeguards you need to manage it.

New Data Breach Case Signals New Approach to Breach Enforcement

The concern over state enforcement comes from a groundbreaking new case involving a medical software provider named Medical Informatics Engineering (MIE). The company licenses a web-based electronic health record application called WebChart and its subsidiary, NoMoreClipboard (NMC), provides patient portal and personal health record services to healthcare providers allowing patients to access and manage their health information. The troubles began when MIE installed two generic accounts, one having a shared password of “tester” and the other having a shared password of “testing.” Neither included a unique user identification name. These accounts were flagged as “high risk” by a formal penetration test conducted in January 2015. But MIE decided not to eliminate them because it didn’t want to deny a client request for the capacity to login without using unique usernames and passwords.

Later that year, hackers used the generic accounts to launch an SQL (structured query language) injection attack and insert malware on MIE’s system, compromising the electronic protected health information (ePHI) of approximately 3.5 million individuals.

First the Feds, then the States Go After MIE

The OCR cited MIE for HIPAA violations resulting in a $100,000 settlement. Although it’s not unusual for states to file separate privacy law charges on behalf of state residents harmed by the breach, there had never been a multistate HIPAA data breach lawsuit before. So, it was pretty eye-opening when AGs from no fewer 16 different states (including Arizona, Arkansas, Connecticut, Florida, Indiana, Iowa, Kansas, Kentucky, Louisiana, Michigan, Minnesota, Nebraska, North Carolina, Tennessee, West Virginia and Wisconsin) banded together to go after MIE in Indiana federal court.

In addition to wielding their statutory authority to enforce the federal HIPAA laws, the AGs brought claims under their own respective state data breach and personal information protection statutes contending, among other things, that that hackers had exploited MIE’s poor password protection policies and that MIE failed to follow its own security management protocols. Result: MIE was accused of 38 separate counts of state law violations stemming from the same breach. Outnumbered and out-resourced, MIE agreed to pay $900,000 to settle all the charges. It also agreed to implement an onerous corrective action plan.

Potential Impact on Your Lab

As if HIPAA and data security breaches weren’t already damaging enough, the potential for multistate enforcement stemming from a single breach ups the ante exponentially. Labs are especially vulnerable given:

• Their reliance on web-based applications for ePHI management that hackers love to target; and
• The fact that they manage ePHI of residents from multiple states.

The concern, of course, is that if a data breach occurs at your lab, you could be subject to the same 1-2 punch of the OCR followed by state AGs administered to MIE. The greater the size of your ePHI management network and the more states it spans, the greater your liability risks.

9 Things to Do to Protect Your Lab

The key to managing liability risks is to dedicate proper resources and energy to ePHI protections and data response mechanisms and ensure that any and all of your lab business associates that handle that information do likewise. That means ensuring you understand and comply with not only the HIPAA Security Rule but also state privacy, deceptive trade practices and other laws regulating the collection, maintenance and safeguarding of consumers’ ePHI.

Exactly what do you need to do to stay out of trouble with the state AGs? Perhaps the best way to answer that question is to implement at least the 10 measures MIE had to agree to under the consent judgment:

1. Implement and maintain an information security program that includes a security incident and event monitoring solution enabling quick detection and response to cyber-attacks;
2. Deploy data loss prevention technology to prevent unauthorized exfiltration of data;
3. Implement controls to prevent SQL injection attacks;
4. Maintain and regularly review activity logs;
5. Ensure password policies require the use of strong, complex passwords and multi-factor authentication as well as single sign-on for all systems that store or are used to access ePHI;
6. Implement additional controls covering the creation of accounts that have access to ePHI;
7. Refrain from using generic accounts that can be accessed via the internet;
8. Ensure that no generic accounts are allowed to have administrative privileges; and
9. Provide appropriate training to all employees regarding your lab’s information security policies and procedures at least annually.