Bloomberg Law
April 25, 2019, 11:56 AM

ANALYSIS: What Your Staff Doesn’t Know About HIPAA Can Kill You

Betsy Mountenay
Betsy Mountenay
Legal Analyst
Christina Brady
Christina Brady

In a world where HIPAA threats range from high-tech ransomware attacks to stacks of records tossed in the wrong dumpster, HIPAA-covered organizations must understand that their workforces are the first line of defense against a breach—and their biggest HIPAA liability.

No matter how sophisticated an organization’s technology infrastructure is and regardless of how many well-drafted policies are in place, all it takes is one careless employee to cause a major breach. Leadership’s failure to create a culture of HIPAA awareness and compliance can make an eminently preventable breach of protected health information (PHI) an inevitability.

Bloomberg Law analyzed data breaches reported between 2016 and 2018 and resolved by March 2019 to identify the most urgent threats to HIPAA-covered data attributable to employee conduct and what health care organizations can do about them.

The bad news? Virtually any workforce member, from doctors and nurses to administrative staff to IT support staff, can be responsible for a breach. Worse, almost every type of HIPAA breach could stem from workforce negligence or bad action. The good news? The Department of Health and Human Services Office for Civil Rights (OCR) has listed the preventative steps taken by the organizations that reported the breaches, providing object lessons in risk minimization.

Who Saw What PHI and How?

Perhaps the most obvious way that workforce members can violate HIPAA is by inappropriately accessing PHI they are not authorized to see. Indeed, this was the fifth most common type of breach in 2016 and 2017. Hospitals, physician practices, and pharmacies were particularly likely to experience this kind of breach.

It’s clear from the OCR’s summaries of the breaches that several of the people involved had nefarious intent, such as using the PHI to commit identity theft or digging up dirt on an ex. But covered entities should keep in mind that inappropriate access is still a breach even if an employee had good intentions. Policies and training should make clear that seemingly kind things, like looking up PHI about an acquaintance out of concern or using medical records to find a colleague’s address to send a sympathy card, are still breaches that can lead to expensive mitigation, reputational damage, and, of course, employee sanctions. Covered entities may also consider implementing systems that restrict PHI access to only employees who need access it in order to provide care.

While snooping is a definite concern for covered entities, data breaches caused by employees are more likely to be the result of mistakes, carelessness, and ignorance. As would be expected, some of the problems workforce members cause lie squarely with the IT department. For instance, a system administrator’s incomplete installation of web management software exposed the data of 21,880 individuals in one case. Software misconfigurations by IT staff resulted in breaches to the PHI of 63,551 people in one instance and 6,932 in another. Since IT departments are the first line of defense against serious data breaches, it’s crucial that they take the organization’s HIPAA obligations seriously.

Because so many people in a covered entity’s staff need to access and use PHI, there are myriad breach types that can happen when one of those staff members logs on to a laptop or other mobile device. One fairly common type of breach—and one that has led to nine resolution agreements involving big payouts to OCR—is theft of a laptop or other mobile device from an employee’s car. Covered entities should have strict policies for when employees can remove portable devices containing PHI from their facilities.

Some employees cause a breach doing very ordinary administrative tasks, like mailing bills and letters and emailing patients. For instance, in both 2016 and 2017, mailing PHI to the wrong recipient was among the top five most common types of breaches, resulting in the exposure of at least 358,069 individual’s PHI. Employees involved in mailing paper-based PHI should have quality assurance best practices in place to reduce the risk of this type of breach.

Another commonly reported breach involves members of the workforce sending emails to large groups of individuals without hiding their email addresses through email groups or blind carbon copy. Because many email addresses reveal an individual’s identity, this seemingly innocuous practice is technically a HIPAA violation. Staff who interact with patients via email should be made aware of appropriate protocols for sending bulk emails.

Even ransomware attacks, which were the leading cause of breaches in both 2016 and 2017, often are the result of employee mistakes. The attacker often gains access to the computer in question by tricking workforce members into opening spoof emails. Phishing attacks that did not lead to a ransomware attack were the second-leading cause of breaches in 2017. Covered entities should ensure their workforce members are taught to identify suspicious emails and report them to the IT department without opening them. Regular phishing testing can remind employees to be cautious when opening email and identify employees who need additional training.

Don’t Let HIPAA Ignorance Be Bliss

In 31 percent of cases analyzed, one of the steps taken to address the breach was workforce training. The message is clear: Breach prevention begins with a workforce that understands its HIPAA requirements. HIPAA requires covered entities to tailor their cybersecurity programs to the specific risks identified in a targeted risk assessment. Training is no exception, and with so many ways to violate HIPAA, it’s imperative that educational efforts encompass a broad range of issues and are designed to fit the specific PHI needs of the particular organization and even the particular workforce member.

In designing and implementing education programs, covered entities should also be careful not to overlook employees who do not directly interact with patients and their records. For example, system administrators, web developers, and IT project management staff should understand HIPAA requirements in order to ensure they are attuned to the necessary system and software safeguards and are regularly considering risks to PHI. Similarly, facility management staff should understand HIPAA in order to, for example, set up workstations so that computers displaying PHI don’t face unauthorized parties and to make sure record storage spaces are designed for optimum security. And janitorial staff need to understand the specific policies for disposal of paper records and retired equipment.

Giving staff an overview of relevant HIPAA rules and requirements is always a good idea, but many of the cases analyzed also included specialized training on very specific applications of HIPAA requirements as one of the preventive steps taken after the breach. For instance, when a mail merge failure occurred, a covered entity retrained staff on using Excel to sort data. Training on the use and storage of portable electronic devices is common in response to thefts outside of covered entity’s facilities. (Of course, organizations should learn from others’ mistakes and provide these trainings before such breaches can occur.)

In 60 percent of analyzed cases where workforce training was among the preventive steps taken, corollary action included an update or addition to the company’s policies and procedures. This a good reminder that covered entities should always offer training on HIPAA policy updates to make sure everyone understands their new responsibilities.

Loose Lips Sink Companies—Give Your Sanctions Policy Teeth

The HIPAA Privacy Rule (at 45 C.F.R. § 164.530(e)(1)) and Security Rule (at 45 C.F.R. § 164.308(a)(1)(ii)(C)) require covered entities to have in place sanctions policies for workforce members who fail to comply with relevant HIPAA requirements. The OCR clearly takes this requirement seriously—in six resolution agreements, it has specifically identified failure to have or appropriately follow a sanctions policy as the covered conduct. These resolution agreements range in payment amount from $125,000 (for a small practice) to more than $2,000,000 (for a large hospital chain and a national pharmacy) and have stemmed from reports of improper disposal, snooping, and employees giving PHI to the press.

On the other hand, the OCR did not impose penalties or enter into resolution agreements in 93 reported breaches—16 percent of reported breaches overall—where the organization did impose sanctions against workforce members in 2016 and 2017. And in 22 of these breaches, the workforce member was terminated for the wrongful conduct.

The number of individuals affected by the breach does not seem to play a role whether sanctions are imposed. The number ranges from 500 to 697,800. Most are below 6,000. The same pattern is true for terminations (range from 528 to 15,000, with most below 3,000). This suggests that the standard for whether to impose sanctions shouldn’t focus on how much damage was done and expense the organization must go to in order to respond to the breach. Instead, the determination should hinge on the egregiousness of the improper conduct.

So just what sorts of conduct should lead to sanctions? First and foremost, an organization is obliged to refer to its sanctions policy and follow it consistently. But based on the OCR data, sanctions have been imposed most frequently in cases involving inappropriate access by employees. More than half of cases involving termination stemmed from such inappropriate access. Sanctions were imposed in 27 percent of analyzed breaches involving inappropriate access by current employees. Sanctions also have been imposed frequently, but not as consistently, in cases involving mailing PHI to the wrong recipient, email attachments resulting in improper disclosure, theft of portable devices and files by unknown parties, and data leaked on a public website.

Organizations should include a range of different sanctions within their policies, from verbal warning, additional training, or a notation in the personnel file for minor or accidental infractions, to termination and reporting to law enforcement and licensing boards for malicious and egregious violations. To mitigate the risks of repeated lapses by the same workforce members, the policy should provide for stronger sanctions for repeat offenses—whether or not they are the same type of offense each time.

Having—and consistently following—a sanctions policy isn’t just a good idea from a compliance perspective, it also helps ensure that the workforce understands the seriousness of a HIPAA breach and has an additional incentive to avoid careless mistakes. A covered entity should have its workforce review the policy and sign off on it at least annually to promote ongoing compliance.