Issue link: https://nebusinessmedia.uberflip.com/i/667069
www.HartfordBusiness.com April 18, 2016 • Hartford Business Journal 11

oversight of patient privacy toughens.

The latest development: The federal Department of Health and Human Services (HHS) is launching new audits this year to make sure providers and others are compliant with privacy rules laid out within the 2003 federal Health Insurance Portability and Accountability Act (HIPAA). They will also be checking providers' breach-notification protocols created by Congress in 2009, requiring entities subject to HIPAA to promptly notify affected individuals after a breach.

The stakes are high for both patients and handlers of private data. Medical data breaches have affected more than half of Connecticut's adult population, including last year's Anthem breach, which was the largest of its kind to date — jeopardizing 1.7 million Connecticut residents' information.

In response, Connecticut lawmakers mandated that covered entities report breaches to the state Attorney General within 90 days and provide free credit monitoring to affected patients and individuals.

That same year, four Connecticut institutions — Middlesex Hospital in Middletown, Cigna Home Delivery Pharmacy, Shelton's Advanced Radiology Consultant and Rocky Hill's Numotion — reported to federal regulators that they suffered data breaches affecting at least 500 individuals each. Numotion's breach was the largest, potentially affecting 2,722 people, according to HHS data.

Not all breaches result in significant impacts on consumers, but they carry the potential for identity theft and other fraud.

On the federal front, HHS expects to conduct 200 audits this year, checking in on privacy, security and breach-notification procedures. There could be as many as several million HIPAA-covered entities in the country, which means the odds of being audited are low.
Still, it's the largest audit of its kind to date, and entities caught with serious violations face further investigations and potential fines. Though HIPAA-related fines are rare, serious violations can draw heavy penalties. Since 2009, the largest fines doled out by HHS ranged from $1 million to nearly $5 million (none of those have been in Connecticut). Most violations will be resolved with lesser measures, and HHS has said it hopes to provide technical assistance and guidance on how to better protect patient data.

Aggressive enforcement

The audits add one more enforcement layer for Connecticut organizations that deal with patient data (called "covered entities"), including IT contractors and others who have access to providers' and insurers' databases. The Connecticut Hospital Association (CHA) supports Congress' addition of business partners and vendors to the universe of covered entities, said Michele Sharp, CHA's vice president for communications.

"Overall, this greatly improves privacy and security," Sharp said. "Audits and focused reviews are a natural step in ensuring that all entities across the healthcare continuum remain vigilant in their adherence to HIPAA rules."

Contractors have played a role in some Connecticut breaches. In 2012, an employee of Hartford Healthcare's contractor, EMC Corp., reported a stolen, unencrypted laptop containing data on nearly 7,500 patients. Attorney General George Jepsen investigated the breach, and reached a $90,000 settlement with the companies late last year. Since taking office in early 2011, Jepsen has squeezed approximately $200,000 in data-breach settlements from four providers, health plans and contractors, according to records provided by his office.

"Protected health information is perhaps the most sensitive of personal information, and consumers are right to expect that it be safeguarded," Jepsen said. He described his approach to HIPAA enforcement as aggressive.
"In that spirit, I am monitoring these [HHS] audits and keenly interested to learn the level of compliance," he said.

Given the low chances of being audited and HHS' disinclination to levy fines, state oversight may actually present more of a liability to providers, said Susan Huntington, an attorney with Day Pitney in Hartford.

"I think it's important to make the point that just because [HHS] closes a file without enforcement or a fine or penalty … doesn't necessarily mean the state will take the same action," Huntington said.

Another factor that makes Connecticut somewhat unique is a 2014 state Supreme Court decision that determined a patient affected by a data breach that leads to penalties under HIPAA can still bring a negligence lawsuit under state law.

"[HHS] may impose a fine or corrective action plan that's modest compared to what the follow-on legal action might be," said James Bowers, senior counsel at Day Pitney. "It's not necessarily a sigh of relief when [HHS] is done with you."

Compliance enforcement

Two of Greater Hartford's largest health systems, Hartford Healthcare and UConn Health, have grappled with past data breaches, but they say they've beefed up their procedures and protocols to protect patient data.

Besides its EMC-related breach in 2012, Hartford Healthcare also reported a 2011 breach affecting as many as 93,500 people. The breach occurred after a Hartford Hospital employee saved private health information on an unsecured hard drive to work from home, and then lost the drive. That data included names, addresses, birthdates, social security numbers and other information.

The hospital offered free identity protection to those affected and disabled employees' ability to save sensitive data to a device through computer USB ports. It also installed programs meant to prevent malicious software and implemented encryption controls.
After the EMC incident, the health system beefed up its employee training around when it is legally required to sign a formal business-associate agreement, meant to ensure a contractor will take measures to safeguard health data. No such agreement was in place at the time of the EMC breach, according to settlement records.

David Haig, vice president of compliance, audit and privacy at Hartford Healthcare, said the health system has more than 20 employees working regularly on compliance or IT security, adding that enhanced training for all employees has helped keep privacy issues top of mind since the breaches. Staff who don't complete privacy training aren't eligible for raises.

"We're really aimed to get that into their consciousness," Haig said. "There's definitely a need for continuous vigilance."

Cynthia Snyder, Hartford Healthcare's system director of privacy compliance, said all mobile devices and thumb drives used by employees are now encrypted. If encrypted devices are lost or stolen, HIPAA doesn't require a breach notification because of how difficult it is to crack the encryption.

UConn's Experience

In 2013, a UConn Health employee authorized to access patient data was caught perusing medical files of patients for which she had no responsibility — a violation that impacted as many as 1,382 patients.

Iris Mauriello, UConn Health's compliance integrity and privacy officer, said that experience has led to beefed-up efforts to monitor rubbernecking of certain records by medical staff.

"We look at all the access associated with those visits," she said.

Among other tactics, UConn Health also compares record access patterns among employees in similar positions, in an effort to catch discrepancies.

Mauriello said HIPAA is "probably one of the most massive programs the whole institution has to grapple with."
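The two checks Mauriello describes, reviewing every chart open against the visits a user was actually involved in, and comparing access volume against peers in the same role, can be sketched as a small detection script over an access log. The Python below is an added example written for this page, not UConn Health's own tooling or any product; the log rows, roles and assignment roster are constructed sample data, and the flagging threshold (three times the peer-group median of distinct patients opened) is an assumption chosen for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample access log (not real data): one row per chart open.
# Columns: user, job role, patient record opened.
ACCESS_LOG = """\
user,role,patient_id
nurse_a,nurse,P100
nurse_a,nurse,P101
nurse_a,nurse,P102
nurse_a,nurse,P100
nurse_b,nurse,P103
nurse_b,nurse,P104
nurse_b,nurse,P105
nurse_b,nurse,P106
nurse_c,nurse,P107
nurse_c,nurse,P108
nurse_c,nurse,P109
nurse_d,nurse,P110
nurse_d,nurse,P111
nurse_d,nurse,P100
nurse_d,nurse,P101
nurse_d,nurse,P103
nurse_d,nurse,P104
nurse_d,nurse,P105
nurse_d,nurse,P107
nurse_d,nurse,P108
nurse_d,nurse,P109
nurse_d,nurse,P120
nurse_d,nurse,P121
clerk_a,clerk,P100
clerk_a,clerk,P103
clerk_b,clerk,P105
clerk_b,clerk,P107
"""

# Constructed assignment roster (hypothetical): the patients each user had a
# care or administrative reason to open that day.
ASSIGNMENTS = {
    "nurse_a": {"P100", "P101", "P102"},
    "nurse_b": {"P103", "P104", "P105", "P106"},
    "nurse_c": {"P107", "P108", "P109"},
    "nurse_d": {"P110", "P111"},
    "clerk_a": {"P100", "P103"},
    "clerk_b": {"P105", "P107"},
}


def parse_log(text):
    """Parse the CSV audit log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def unassigned_accesses(records, assignments):
    """Check 1: chart opens with no matching assignment, i.e. access not
    associated with a visit the user was part of.
    Returns sorted unique (user, patient_id) pairs."""
    hits = set()
    for row in records:
        if row["patient_id"] not in assignments.get(row["user"], set()):
            hits.add((row["user"], row["patient_id"]))
    return sorted(hits)


def peer_outliers(records, factor=3.0):
    """Check 2: compare each user's number of distinct patients opened with
    the median of peers holding the same role; flag anyone above
    factor * median. Roles with a single member have no peer group."""
    seen = defaultdict(set)      # user -> distinct patient ids opened
    role_of = {}                 # user -> role
    for row in records:
        seen[row["user"]].add(row["patient_id"])
        role_of[row["user"]] = row["role"]
    by_role = defaultdict(dict)  # role -> {user: distinct patient count}
    for user, patients in seen.items():
        by_role[role_of[user]][user] = len(patients)
    flagged = {}
    for role, counts in by_role.items():
        if len(counts) < 2:
            continue
        peer_median = median(counts.values())
        for user, n in counts.items():
            if n > factor * peer_median:
                flagged[user] = {"role": role, "distinct_patients": n,
                                 "peer_median": peer_median}
    return flagged


if __name__ == "__main__":
    rows = parse_log(ACCESS_LOG)
    for user, pid in unassigned_accesses(rows, ASSIGNMENTS):
        print(f"no assignment: {user} opened {pid}")
    for user, info in peer_outliers(rows).items():
        print(f"peer outlier: {user} ({info['role']}) opened "
              f"{info['distinct_patients']} distinct charts; "
              f"peer median {info['peer_median']}")
```

On the constructed data both checks converge on the same user: nurse_d opened ten charts outside the assignment roster and twelve distinct patients against a peer median of 3.5. In practice the roster check is the stronger signal, because a peer comparison over a whole day or week smooths out a single suspicious lookup; the peer check earns its place by catching staff whose assignments are broad enough that the roster alone would not flag them.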
UConn Health also encrypts its laptops and has a "bring your own device" security program in which phones and other devices owned by employees are given capabilities to remotely wipe out patient data, should a phone be lost or stolen, said Thomas Murphy, UConn's chief information security officer. If that security software is removed from a phone, the patient data is erased.

No. of reported data breaches in CT impacting 500+ patients

Year   Breaches   Total patients affected
2010   6          76,839
2011   4          100,214
2012   5          30,473
2013   1          1,382
2014   2          1,385
2015   4          5,115

Source: U.S. Department of Health and Human Services

Recent CT Data Breaches

These were the largest HIPAA breaches reported by Connecticut-based providers and businesses to federal regulators from 2013-2015.

Name of covered entity                           Individuals affected   Breach submission date   Type of breach
Middlesex Hospital                               946                    12/04/2015               Hacking/IT incident
Cigna Home Delivery Pharmacy                     592                    11/23/2015               Unauthorized access/disclosure
Advanced Radiology Consultants LLC               855                    07/24/2015               Unauthorized access/disclosure
United Seating and Mobility LLC d/b/a Numotion   2,722                  06/10/2015               Theft
Cigna                                            527                    04/09/2014               Loss
St. Francis Hospital and Medical Center          858                    01/16/2014               Theft
UConn Health                                     1,382                  03/08/2013               Unauthorized access/disclosure

Source: U.S. Department of Health and Human Services

After breaches, lessons learned (from page 1)

Photo (contributed): UConn Health's Iris Mauriello and Thomas Murphy discuss ways the care provider safeguards patient data.