Liles Parker PLLC

HIPAA Breach Concerns are Becoming More Serious Each Year

(March 19, 2012): In recent years, the importance and the necessity of safeguarding Protected Health Information (PHI) (the main goal of HIPAA compliance) has been widely publicized by the Centers for Medicare & Medicaid Services’ (CMS’) Office for Civil Rights (OCR). The potential adverse effects of HIPAA compliance failures and / or breaches in PHI are not merely limited to invasions of patient privacy and / or identity fraud. In recent years, improperly disclosed patient identifying information and associated medical records have been used by wrongdoers to defraud both public health benefits programs (such as Medicare and Medicaid) and private payors. Unfortunately, the full extent of the potential HIPAA breach concerns posed by a provider’s non-compliance is only now coming to light.

I.  HIPAA Breach Concerns Now Include the Possibility of PHI Leaks Being Used as a Weapon:

Diabetes in the United States has been labeled an “epidemic”. An estimated 26 million Americans are thought to have the disease while another 57 million are in a “pre-diabetic” stage. The Centers for Disease Control has stated that more than a third of all American adults have or are close to having this condition. Luckily, the disease can usually be controlled through doses of medication, such as synthetic insulin.

In many cases, a patient may have an insulin pump installed subcutaneously, which can monitor the patient’s blood sugar levels and supply additional insulin as needed. However, too much insulin can be deadly, causing hypoglycemia, unconsciousness and eventually death.

But here’s where it gets really scary: researchers at a well-known computer and internet anti-virus company recently hacked into an insulin pump remotely, and were able to direct the device to deliver a likely fatal dose of insulin to a “dummy” pancreas. From 300 feet away, the company’s hacker was reportedly able to wirelessly overcome the device’s minimal security features and force the pump to emit a lethal dosage.[1] Breaches in HIPAA compliance are now, for the first time, potentially deadly. Health care providers must take all reasonable measures to reduce the chances of a breach.

While there have been no reports of any actual or malicious hacking of insulin pumps, the anti-virus company and others, including researchers at the Massachusetts Institute of Technology (MIT), are trying to caution device manufacturers that such a threat is real. Even the Department of Homeland Security is realizing the gravity of the problem, working with device manufacturers to ensure the security of medical devices.  HIPAA compliance is here to stay — and the potential adverse impact of a breach is now potentially more serious than ever before.

Even if a provider or supplier cannot stop a hacker from gaining access to a patient’s medical device, this possibility only further reinforces the fact that patient privacy and security, as set out in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), really matters. And HIPAA compliance is only growing in importance as new technologies are developed and the skills associated with these technologies are refined and expanded.

To be clear, we recognize that this company’s reported demonstration of a PHI security breach is an extreme example. Nevertheless, HIPAA compliance is becoming more important both socially and legally. Patients rely on their providers to secure and protect their private health information not only from those that would use such information for improper purposes, but from the general public altogether, under the theory that private health information is just that: private.

II.  What is on the Horizon for Health Care Providers in HIPAA Compliance?

Regardless of your personal views about the necessity of privacy protection, HIPAA compliance will likely be a permanent fixture of the health care industry and is now a legal requirement that must be taken seriously. While HIPAA took a number of years to develop, the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), represents a significant broadening of privacy protections and greatly enhances the power of the Federal government to enforce these privacy laws. While HITECH’s implementing regulations have not yet been released (although we anticipate their release in mid-to-late 2012), HITECH substantially amends HIPAA’s protections. Not only does HITECH allow for harmed individuals to receive a portion of any penalties and fees the Federal government recovers as a result of a HIPAA violation (which we believe will substantially increase the number of HIPAA complaints filed), the amended law also calls for the implementation of HIPAA compliance auditing.

HIPAA audits, conducted by nationally recognized private auditing firms contracted with the Federal government, were started in the middle of last year, and the audit protocols based on the initial results are currently being reviewed and revised. Once this is done, the scope of these audits will likely increase, expanding to every covered entity, regardless of size. Moreover, while the focus of these HIPAA compliance audits is on the implementation of electronic security measures, expect these auditors to be trained in identifying all possible types of HIPAA violations, covering both the Security and Privacy Rules. Keep in mind that while the Security Rule is “scalable” depending on the size and complexity of your organization, the Privacy Rule does not have that flexibility.

III.  What Should Providers be Doing to Minimize the Risk of a Breach?

Now, more than ever, it is essential that health care providers review their privacy practices and operations to better ensure that the organization’s actions fully comply with the applicable privacy rules and regulations.  While we recognize that achieving perfect compliance will be difficult for some organizations, the government expects all providers, regardless of size, to adhere to the privacy rules.

In addition to your current efforts, we strongly recommend that providers immediately assess their policies and practices related to electronic data protection.  As records of care and treatment transition to an all-electronic format, the associated dangers of HIPAA breach concerns are likely to increase.  Health care providers and their staff should understand and appreciate the risks patients face in treatment and other health care operations. Without sophisticated security protections, the risk of breach to patient data is extremely high, and one that can cost your practice greatly. Update your HIPAA compliance policies and practices now, before an audit or even worse – a serious breach – occurs.  Should you feel overwhelmed, engage a qualified firm to both train your staff and conduct an internal review of your privacy practices.

Liles Parker is a full service law firm with experience in regulatory health compliance. We provide practitioners with effective compliance plan implementation and compliance training. In addition, our attorneys are skilled at conducting internal reviews and mock audits of health information privacy policies and practices. For a free consultation, please call Robert W. Liles today at 1 (800) 475-1906.


[1] See Mass Device, Hacker demonstrates insulin pump attack from 300 ft. away, http://www.massdevice.com/news/hacker-demonstrates-insulin-pump-attack-300-ft-away-massdevicecom-call (Mar. 1, 2012).