Healthcare providers’ risk of data breach

Health Care Law | Farrow-Gillespie & Heaht LLPBy Scott Chase and Catherine Parsley

Healthcare providers receive, collect, and store vast quantities of sensitive personal health information (“PHI”) from their patients. However, only half of providers responding to a recent survey said that they are prepared to respond to cyber-attacks.  Attacks and other security breaches can have far-reaching effects for providers and their patients.

Electronic Medical Records

Healthcare providers have many vulnerabilities that are unique to their field. Most providers are adopting or have adopted electronic medical records (EMRs), but those programs are often clunky and can be inadequately secured.  The new EMR systems make sharing PHI easy.  Easy sharing is great for internal use but poses an increased risk of external leakage compared to old-fashioned paper records.  Many  providers’ network systems have been pieced together over time, leaving vulnerabilities and  inconsistencies.  At the same time, online attackers are getting increasingly complex and sophisticated.  Another problem created by piece-meal network systems is that many providers either cannot or do not know how to detect in real time if their network system is being compromised.

HIPAA Violation

These factors leave healthcare providers open to higher risk of attacks and data loss. Any data loss can constitute a breach of the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA).  If a provider loses PHI, or even puts PHI at risk of exposure to unauthorized individuals, the provider can be held to have breached HIPAA, even if no loss or theft actually occurs.  One hospital was recently fined over three million dollars after it did not comply with HIPAA-required protective measures.  It had several violations, including storing PHI on unencrypted devices, allowing such devices to be accessed by individuals who were not HIPAA-authorized, and failing to implement recommended risk management plans.

It is also important to note that the HIPAA, pursuant to its security rule, requires a risk assessment for PHI vulnerability whenever the following occurs

  • In response to environmental and operational changes, such as implementation of new technology or changed office operations
  • Any security breach or security incident that indicates vulnerability.

Fines have been levied on providers that have not performed such assessments, even if no HIPAA breach was found. While healthcare providers are not targeted as frequently as some other types of organizations, such as banking and financial institutions, the wealth of data that healthcare providers own makes them a highly-sought out target. The data can be used for various fraudulent purposes by the attacker, and any loss or possible loss can be a HIPAA violation.  In addition to having appropriate corporate policies in place, providers should also review the various types of insurance coverage available to reduce losses.

Farrow-Gillespie & Heath LLP can help healthcare providers deal with security threats. Our attorneys can work with clients to put policies in place before problems arise, or help clients deal with regulatory or operational issues after a breach occurs.  For more information on the available services, contact board-certified health care attorney Scott Chase.

Read More

About the Authors

Scott Chase | Farrow-Gillespie & Heath LLPScott Chase is a Dallas health law attorney, certified by the Board of Texas Legal Specialization.  Mr. Chase has been named for many years to the list of Texas Super Lawyers (a Thomson Reuters service), Best Lawyers in America (U.S. News & World Report), and Best Lawyers in Dallas (D Magazine).

More on Scott Chase

More on health law

Catherine Parsley | Intern | Farrow-Gillespie & Heath LLP

Catherine Parsley is currently (March 2017) an intern at Farrow-Gillespie & Heath, LLP.  Ms. Parsley is a law student at SMU Dedman School of Law in Dallas, Texas, where she is a staff editor of the SMU Law Review.  Catherine served as a judicial extern for Chief Justice Nathan L. Hecht, of the Supreme Court of Texas.  She holds a B.S. in communications studies, cum laude, from the University of Texas at Austin.

Copyright 2017 Farrow-Gillespie & Heath LLP