More than four out of ten US customer data breaches occur in the healthcare sector, according to a report by the ITRC (Identity Theft Resource Center) in 2013. The health sector has to report breaches to the HHS (Department of Health and Human Services) for all incidents above 500 records. This accounts for the honesty of the healthcare sector in revealing the number of patient records breached – around 84 percent revealed that information. It only goes to show that appropriate regulations will have a potent impact in the area of healthcare data protection. Compared to the medical sector, other industry sectors report only a much smaller percentage of breaches. It was found that breaches usually occurred due to external hacking (25.8%), data on the move (12.9%), insider theft (11.6%) and employee error/negligence (9.2%).
Speaking of protected health information (PHI), medical records are usually required by attorneys handling personal injury, Social Security Disability and Workers Compensation cases. A detailed medical record review will have to be performed to understand the actual facts of the case. The attorney would need records from the hospitals and doctors that treated the patient after the accident, as well as the medical records before injury. This will enable the attorney to identify whether the patient is eligible to receive the compensation, whether there has been malpractice, and so on. As regards data breaches, law firms with access to protected health information are likely to be classified as “business associates” under the new HIPAA rules and are therefore bound by new security, privacy and breach notification requirements when handling such information. The final rules modifying the HIPAA Privacy, Security and Breach Notification Rules were published in the Federal Register on January 25, 2013. Lawyers and law firms that are business associates of covered entities will have to comply with existing and pending regulatory requirements, or face fines and penalties.
Legal entities that are business associates are now directly liable for:
- Unauthorized use and disclosure of PHI
- Not providing notification of breach to the covered entity if unsecured PHI is compromised or accessed without authorization
- Not providing access to a copy of the PHI to the covered entity, the individual or the individual’s representative as specified in the business associate agreement
- Not disclosing PHI required by the Secretary of the CMS (Centers for Medicare & Medicaid Services ) to investigate/determine the business associate’s compliance with HIPAA rules
- Not providing an accounting of disclosures of the PHI
- Not complying with the requirements of the Security Rule
This means that law firms, lawyers and attorneys in the U.S. that are business associates of covered entities must become HIPAA ready by performing a risk analysis, designating a security official, establishing a risk management program, conducting employee training, and having written policies and procedures in place. Legal entities such as the above must have administrative, physical and technical safeguards ready to protect the confidentiality, integrity and accessibility of PHI.
