Medical Mergers Bring HIPAA Breaches

Hospitals and medical groups are in a frenzy of mergers and acquisitions, but many are not protecting themselves against the increased risk of HIPAA breaches that comes with them. The latest example comes from Northwestern Medical Group, a highly respected healthcare organization based in Chicago. On December 19th, Northwestern announced that an employee laptop holding nearly 3,000 patients' records had been stolen from a vehicle, as reported by the Chicago Tribune.

Unfortunately, theft is no excuse when it comes to protecting patient information. Because the laptop was not encrypted (more on that below), its loss is a reportable breach of unsecured PHI. As with any breach affecting 500 or more individuals, Northwestern must notify every affected patient by letter, provide notice to the media, and report the breach to HHS; HIPAA also requires Northwestern to post a conspicuous notice of the breach on its website.

The organization is likely to face a substantial penalty or settlement with HHS's Office for Civil Rights for failing to protect patient information. Northwestern may also face lawsuits, and most organizations that suffer major breaches provide free credit monitoring to affected patients, which is an additional expense.

Finally, there is the intangible cost of the damage to Northwestern’s reputation. HIPAA violations disprove the old adage that there is no such thing as bad publicity.

Mergers play into this story because the employee actually worked for Northwestern Lake Forest Hospital, which Northwestern acquired in 2010. Northwestern has stated that the laptop was password-protected but unencrypted. Encryption of electronic PHI at rest is an "addressable" implementation specification under the HIPAA Security Rule: a covered entity must either encrypt, or document why encryption is not reasonable and appropriate and put an equivalent safeguard in its place. A laptop that carries PHI off-site with neither encryption nor a documented alternative falls short of that standard.

Password protection does not satisfy the requirement, because a login password only controls access through the operating system; anyone who pulls the drive or boots the laptop from other media can read the data directly. Had the PHI been encrypted in line with HHS guidance (with the key not stored alongside the device), the theft would have fallen within the safe harbor for secured PHI: the loss of the laptop would not have been a reportable breach, and Northwestern would have been spared the embarrassment and considerable expense of this incident. The government reports that 60 percent of all HIPAA breaches could have been prevented by encryption.
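The distinction above is one a security team should verify mechanically rather than take on faith, since Northwestern's own program called for laptop encryption and this laptop still had none. The shell script below is an added example, not part of the original article or anything Northwestern published. On a Linux laptop it parses `lsblk` output and lists every mounted, data-bearing filesystem whose device chain contains no dm-crypt/LUKS layer, so an LVM volume on top of LUKS passes while a plain partition fails. A constructed sample of `lsblk` output is embedded so the check runs offline; the names `SAMPLE_LSBLK`, `unencrypted_mounts` and `audit_sample` are this example's own. Windows (`manage-bde -status`) and macOS (`fdesetup status`) have their own equivalent queries.

```shell
#!/bin/sh
# Added example (not from the article): audit whether every mounted,
# data-bearing filesystem on a Linux laptop sits on top of a dm-crypt/LUKS
# layer. Assumes util-linux lsblk with -P (KEY="value") output; the names
# SAMPLE_LSBLK, unencrypted_mounts and audit_sample are this example's own.

# Constructed sample of `lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT`, embedded so
# the script runs offline. It models a root filesystem on LVM on LUKS (fine)
# and a second disk mounted at /home with no encryption (the Lake Forest case).
SAMPLE_LSBLK='NAME="sda" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sda1" TYPE="part" PKNAME="sda" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" PKNAME="sda" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" PKNAME="sda2" MOUNTPOINT=""
NAME="vg-root" TYPE="lvm" PKNAME="cryptroot" MOUNTPOINT="/"
NAME="sdb" TYPE="disk" PKNAME="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" PKNAME="sdb" MOUNTPOINT="/home"'

# unencrypted_mounts: reads lsblk -P lines on stdin and prints each mountpoint
# whose device, walking up through PKNAME parents, never passes through a
# TYPE="crypt" layer. /boot and /boot/efi are skipped: they are normally left
# unencrypted by design and hold no patient data.
unencrypted_mounts() {
    awk '
    # val(key): extract the value of KEY="value" from the current line.
    # A leading space is prepended so NAME= cannot match inside PKNAME=.
    function val(key,   line) {
        line = " " $0
        if (!match(line, " " key "=\"[^\"]*\"")) return ""
        return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
        name = val("NAME")
        type[name] = val("TYPE")
        parent[name] = val("PKNAME")
        m = val("MOUNTPOINT")
        if (m != "") mount[name] = m
    }
    END {
        for (n in mount) {
            m = mount[n]
            if (m == "/boot" || index(m, "/boot/") == 1) continue
            enc = 0
            for (d = n; d != ""; d = parent[d])
                if (type[d] == "crypt") enc = 1
            if (!enc) print m
        }
    }'
}

# audit_sample: runs the check over the constructed sample. Returns 1 (and
# lists the offending mountpoints) if any data mount is unencrypted, else 0.
# For a live audit, replace the printf with:
#   lsblk -P -o NAME,TYPE,PKNAME,MOUNTPOINT | unencrypted_mounts
audit_sample() {
    bad=$(printf '%s\n' "$SAMPLE_LSBLK" | unencrypted_mounts)
    if [ -n "$bad" ]; then
        printf 'UNENCRYPTED data mounts found:\n%s\n' "$bad"
        return 1
    fi
    echo "all data mounts are on encrypted devices"
    return 0
}

audit_sample || echo "exit status: $?"
```

Run as a scheduled job on managed laptops and alert on a non-zero exit; a device like the one in this story shows up as "/home" (or "/") in the offending list before it ever leaves the building.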

Northwestern states that it has “a robust privacy and security program, including encryption of laptop computers.” However, it is evident that this program was not fully implemented at Lake Forest Hospital. Had it been, the laptop would have been encrypted before any PHI was loaded onto it, and the employee would have been trained on the grave risk of carrying unprotected patient data on an easily stolen device.

In my work with providers engaged in mergers, compliance is often an afterthought, if it is considered at all. These providers do not seem to appreciate that every institution has its own compliance strengths and weaknesses. While the acquiring institution may have a robust HIPAA compliance program, the acquired organization may well have a much weaker one. Yet these weaker programs are often left in place, even though doing so exposes the entire organization to risk.

The problem is often worse when hospitals acquire ambulatory practices, because the latter have typically lagged behind hospitals in implementing robust compliance programs. These practices are ticking time bombs for a major HIPAA violation, and it is the hospital or medical group that will suffer the financial and media repercussions.

Another element of this story deserves comment. The theft occurred on October 21st, 2014, yet Northwestern did not publicize the breach until December 19th. HIPAA requires covered entities to notify affected individuals without unreasonable delay, and in no case later than 60 days after the breach is discovered; the same outer limit applies to reporting a breach of this size to HHS. In its notice, Northwestern states that it only “began” sending letters to affected patients on December 19th and that all patients should receive notice by January 9th, 2015. If the theft was discovered the day it occurred, the 60-day limit ran out around December 20th, and any notification delivered after that point is a separate HIPAA violation that may result in even heavier penalties.

Apart from the law, it is hard to imagine why Northwestern waited so long to inform patients. Northwestern reports that the laptop “may have contained patients’ names, addresses, dates of birth, health insurance information, billing codes, date of services, physician’s name, medical record numbers, diagnosis, treatment information, and, in some limited instances, Social Security numbers.” That combination is a bonanza for identity thieves. Surely the affected patients should not have had to wait 60 days or more to learn that this information had been exposed.

Healthcare mergers make sense for a variety of reasons, including improved efficiency, better interoperability, stronger finances, and even improved patient care. But HIPAA compliance and digital security must not be neglected in the process. Northwestern recently concluded an even larger merger with Cadence Health. Let us hope that Northwestern is taking aggressive action to ensure that robust compliance programs are in place across every part of the organization.

2015 | By Brian Johnson - 4medapproved.com