The surprising consequences of health plan data breaches

With all the commotion surrounding health reform, it’s easy for senior leaders at group health plans to lose focus on data security. They may get lulled into complacency by two fallacies about data breaches: that only big retailers are experiencing costly security breaches – and teenage hackers or international cyber-teams are always to blame.

The Department of Health and Human Services has a web page dubbed the “Wall of Shame” that includes the names of hundreds of large and small healthcare organizations – including group health plans – that have been victimized by data breaches affecting millions of Americans. Only about 6% of those breaches are due to hacking or IT incidents; the other 94% are the result of dumb mistakes and mischief by employees, yours and those of your many business associates. As a covered entity under the HIPAA rules, a group plan is responsible for any data breaches caused by its business associates (BAs), like those who handle eligibility, enrollment, claims management and IT services for the plan.

The penalties for HIPAA violations and data breaches have gotten much stiffer in recent years. In addition to legal and regulatory penalties, a group health plan (GHP) can rack up millions in costs when you include class action lawsuits and the cost of forensics, mitigation/remediation, and media notification. A single HIPAA violation involving willful neglect used to carry a maximum penalty of $25,000; now it’s a jaw-dropping $1.5 million. And a typical data breach involves multiple HIPAA violations.


The most common miscues leading to a security breach are pretty obvious: losing a laptop containing unencrypted Protected Health Information (PHI), using an insecure wi-fi connection, and so on. All breaches must be reported to HHS and to the affected individuals, and any breach involving more than 500 patient records is made public on the Wall of Shame and, if those records belong to residents of a single state or jurisdiction, must also be reported to the media. Here are some recent ones involving group health plans:

  • Group Health Plan of Hurley (Minnesota) Medical Center – Unauthorized disclosure of 2,289 patient records via e-mail.
  • Trinity Health Corporation Welfare Benefit Plan – Breach involving 1,073 records by business associate Mercer Health & Benefits, which lost a server backup tape sent via FedEx.

Federal regulators are also on the lookout for what they call “small-scale snooping.” That’s where an employee gains unauthorized access to the medical records of a friend, relative or even a celebrity. Not surprisingly, most of the celebrity snoops are in major metro areas, while “friends and family” snooping is more common in smaller communities.
In recent years, healthcare employees have either been suspended or fired for snooping into the files of A-list celebrities like George Clooney, Tom Cruise and Kim Kardashian. Most snooping incidents go unreported, with many organizations quietly firing the employee and compensating the victim. But all it takes is one high-profile lawsuit to cause big problems.

Here are some ways that a GHP can reduce its exposure to HIPAA violations and data breaches:

Conduct a full-fledged risk analysis – This is a no-brainer because the HIPAA Security Rule requires you to conduct a bona fide security risk analysis to identify all current threats, vulnerabilities, safeguards and controls associated with assets that receive, create, maintain or transmit PHI. Virtually all the organizations involved in breach settlement agreements with HHS failed to conduct a risk analysis before getting into trouble.

Make policies crystal-clear – It’s critical to document policies and procedures that cover all applicable regulations – and specifically prohibit activities like snooping. All GHP employees and BAs need to know exactly what’s required and what’s prohibited – and it’s wise to have tiered sanctions based on the circumstances of a violation (e.g., whether the access/disclosure was malicious or unintentional, first-time or repeat offense, and so on).

Don’t make training a sleepy routine – You can’t rely solely on a general-purpose 30-minute online HIPAA training video to educate your workforce. Employees need to know how the HIPAA regulations relate specifically to their job responsibilities – and how to report complaints and suspected or confirmed violations. Keep training logs so you can impose sanctions on employees who try to skip this vital instruction.

Keep a close eye on BA relationships – Make sure that all your BAs have signed up-to-date BA agreements incorporating the requirements of the Omnibus Final Rule. Assign risk ratings to your BAs based on the data they access, the services they provide and the likelihood and impact of a breach.

You can calculate the cost of a data breach with help from an impartial organization: the American National Standards Institute (ANSI). This group offers a free publication called “The Financial Impact of Breached Protected Health Information” (available online). This document provides an excellent overview of the data breach landscape and includes tools for calculating the cost of a breach specifically for your organization.

HIPAA violations and data breaches come in all varieties, from the theft of a laptop to an employee snooping into a colleague’s medical records. By taking the actions outlined here, you can help ensure that your group health plan doesn’t add its name to the Wall of Shame.

Mary A. Chaput, MBA, HCISPP, CIPP/US, CIPM is CFO and chief compliance officer at Clearwater Compliance, a HIPAA/HITECH advisory firm in Brentwood, Tenn.
