When It Comes to HIPAA Security, Trust No One
A Huntsville, Ala., laboratory learned the hard way that it must take whatever steps necessary to ensure its business associates are complying with the Health Insurance Portability and Accountability Act (HIPAA) requirements, including conducting periodic audits. Diatherix Labs reported a HIPAA breach of more than 7,000 patient records after it discovered a contractor, Diamond Computing […]
A Huntsville, Ala., laboratory learned the hard way that it must take whatever steps necessary to ensure its business associates are complying with the Health Insurance Portability and Accountability Act (HIPAA) requirements, including conducting periodic audits. Diatherix Labs reported a HIPAA breach of more than 7,000 patient records after it discovered a contractor, Diamond Computing Co., allowed access to one of its servers through Google. The server contained patient billing documents, health insurance forms, patient names, and addressees. Many of the documents also included patient Social Security numbers, dates of birth, diagnoses codes, and diagnostics tests ordered. There was, however, no exposure of credit card or banking information and test results. The information was exposed for nearly three years starting Sept. 24, 2011, until Diamond terminated access to the server on July 10 at Diatherix’s request. Diatherix Bears the Cost and Bad Press In a notice posted on its Web site, Diatherix says that it conducted an investigation after discovering the breach, but it does not go into any detail of how it actually learned of the exposed server. It does note that it hired an outside data security firm to aid in the investigation. The lab commented that its investigation revealed that the server was first accessed on Oct. 16, 2011, but no protected health information (PHI) was viewed. The first time documents containing PHI were viewed was on March 7, 2014, says the lab. Diatherix notified 7,016 patients on Aug. 7 that the breach had occurred and offered to pay for a one-year protection plan to help prevent identity theft through Experian, a national credit reporting agency. It also set up toll-free lines where it says concerned patients can find out if their information was affected and to get more information about the Experian plan. Diatherix had to notify the U.S. Department of Health and Human Services about the breach. It also notified the appropriate state agencies. The lab’s name was on the letters and public notices about the security lapse, not Diamond’s. Every story in the public media researched for this article lead with Diatherix’s name. Diatherix also had to contact Google and other search engines that may have had access to the server and ask them to remove any PHI they might have. Other steps Diatherix took besides those already mentioned included confirming that Diamond had destroyed or secured all of the PHI from its patients stored on the exposed server. Finally, it initiated a security review of other similar vendors to confirm their security procedures. Diatherix says in its notice, “Our organization takes information security and patient privacy very seriously. We deeply regret this situation and any inconvenience this may cause our patients.” Steps to Take to Reduce Your Risk If your laboratory hasn’t already done so, it should compile a list of any vendors who have access to your patient’s PHI with the intention of conducting audits and confirming their security measures. Don’t take their word for it, ask for a copy of their written plan and the results of audits or security assessments they have conducted. If your internal security officer does not have the expertise to review their plan and develop and conduct audits of those vendors, make sure he or she gets the training needed or plan on hiring an outside security firm to help. Make sure there are provisions in your contracts and agreements that allow you the right to audit vendors and other associates. Also, try to include language that would hold them financially accountable for a security breach that they actually cause or allow to happen. Plan ahead by making sure your privacy and security officers have a plan to address breaches, including the steps necessary to conduct an appropriate and thorough investigation. Budget funding for potential breaches and their associated costs. Takeaway: In the case of a security breach, the entity that owns the PHI is going to bear the cost and reputational harm associated with it. It would be prudent to plan ahead for such an incident, including budgeting for it and ensuring your security officer is well trained.