Posts

HIPAA Privacy Lock Security

Healthcare providers’ risk of data breach

Health Care Law | Farrow-Gillespie & Heaht LLPBy Scott Chase and Catherine Parsley

Healthcare providers receive, collect, and store vast quantities of sensitive personal health information (“PHI”) from their patients. However, only half of providers responding to a recent survey said that they are prepared to respond to cyber-attacks.  Attacks and other security breaches can have far-reaching effects for providers and their patients.

Electronic Medical Records

Healthcare providers have many vulnerabilities that are unique to their field. Most providers are adopting or have adopted electronic medical records (EMRs), but those programs are often clunky and can be inadequately secured.  The new EMR systems make sharing PHI easy.  Easy sharing is great for internal use but poses an increased risk of external leakage compared to old-fashioned paper records.  Many  providers’ network systems have been pieced together over time, leaving vulnerabilities and  inconsistencies.  At the same time, online attackers are getting increasingly complex and sophisticated.  Another problem created by piece-meal network systems is that many providers either cannot or do not know how to detect in real time if their network system is being compromised.

HIPAA Violation

These factors leave healthcare providers open to higher risk of attacks and data loss. Any data loss can constitute a breach of the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA).  If a provider loses PHI, or even puts PHI at risk of exposure to unauthorized individuals, the provider can be held to have breached HIPAA, even if no loss or theft actually occurs.  One hospital was recently fined over three million dollars after it did not comply with HIPAA-required protective measures.  It had several violations, including storing PHI on unencrypted devices, allowing such devices to be accessed by individuals who were not HIPAA-authorized, and failing to implement recommended risk management plans.

It is also important to note that the HIPAA, pursuant to its security rule, requires a risk assessment for PHI vulnerability whenever the following occurs

  • In response to environmental and operational changes, such as implementation of new technology or changed office operations
  • Any security breach or security incident that indicates vulnerability.

Fines have been levied on providers that have not performed such assessments, even if no HIPAA breach was found. While healthcare providers are not targeted as frequently as some other types of organizations, such as banking and financial institutions, the wealth of data that healthcare providers own makes them a highly-sought out target. The data can be used for various fraudulent purposes by the attacker, and any loss or possible loss can be a HIPAA violation.  In addition to having appropriate corporate policies in place, providers should also review the various types of insurance coverage available to reduce losses.

Farrow-Gillespie Heath Witter LLP can help healthcare providers deal with security threats. Our attorneys can work with clients to put policies in place before problems arise, or help clients deal with regulatory or operational issues after a breach occurs.  For more information on the available services, contact board-certified health care attorney Scott Chase.

Read More


About the Authors

Scott Chase | Farrow-Gillespie & Heath LLPScott Chase is a Dallas health law attorney, certified by the Board of Texas Legal Specialization.  Mr. Chase has been named for many years to the list of Texas Super Lawyers (a Thomson Reuters service), Best Lawyers in America (U.S. News & World Report), and Best Lawyers in Dallas (D Magazine).

More on health law


Catherine Parsley is currently (March 2017) an intern at Farrow-Gillespie Heath Witter, LLP.  Ms. Parsley is a law student at SMU Dedman School of Law in Dallas, Texas, where she is a staff editor of the SMU Law Review.  Catherine served as a judicial extern for Chief Justice Nathan L. Hecht, of the Supreme Court of Texas.  She holds a B.S. in communications studies, cum laude, from the University of Texas at Austin.

medical person typing

HIPAA and business associates

HIPAA-covered entities and their business associates are facing increased obligations to securely maintain and handle protected health information.A health care entity subject to HIPAA rules must ensure that its contracts with a business associate that may receive protected health information include statutorily required assurances that the business associate will appropriately safeguard the information. That is, in a vendor contract, staffing contract, or services contract in which data provided to a party includes protected health information of any person, the contract that governs that transaction or relationship must include language of HIPAA compliance.

For assistance in assessing security risks, updating policies, and training employees, please contact board-certified healthcare attorney Scott Chase.

Farrow-Gillespie Heath Witter LLP - Health Care Law

$150,000 Fine for HIPAA Violation

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS-OCR), has recently entered into another HIPAA settlement, emphasizing yet again the government’s focus on the HIPAA Security Rule.  The settlement highlights that health care entities cannot merely adopt HIPAA policies but that they must actually implement and follow those policies in practice on an ongoing basis.  In early December 2014, HHS-OCR confirmed that Anchorage Community Mental Health Services (ACMHS), a nonprofit organization providing behavioral health care services, had agreed to pay a $150,000 fine and adopt a corrective action plan to correct deficiencies in its HIPAA compliance program and to report to HHS-OCR on the state of its compliance for two years.  The settlement was based on a HHS-OCR investigation regarding ACMHS’s breach of unsecured electronic protected health information (ePHI).  The breach was the result of a malware that compromised the security of ACMHS’ information technology (IT) resources and affected 2,743 individuals.

During its investigation, OCR-HHS found that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these policies and procedures were not followed and/or updated.  Thus, ACMHS could have avoided the breach (and not be subject to the settlement agreement), if it had followed its own policies and procedures and regularly assessed and updated its IT resources with available patches. The settlement with ACMHS is just one of several recent settlements arising from an HHS-OCR investigation, either because an organization self-reported a breach of ePHI or because HHS-OCR investigated an organization’s HIPAA compliance program after receiving a complaint or as part of its annual audit protocol.  No matter how the investigation begins, HHS-OCR will expect an organization to have fully implemented and updated its HIPAA compliance program and/or policies and procedures.  Compliance with the HIPAA Security Rule requires organizations (among other things) to assess risks to ePHI on a regular basis, including whenever new software, e.g., a patient portal, is implemented.  Organizations cannot simply adopt HIPAA policies and procedures, conduct training and then ignore HIPAA.  All organizations subject to HIPAA, both “covered entities” and “business associates” (regardless of size), must devote ongoing resources to protect personal health information from security threats.

Most of the activities that HHS-OCR found lacking in ACMHS are ones that can be efficiently developed, implemented or sustained with timely planning by health care providers.  Please let me know if you, or any of your clients, would like to discuss any of these activities with me.