IT WAS NATIONAL NEWS RECENTLY when Quest Diagnostics Incorporated disclosed a security breach involving the protected health information (PHI) of 34,000 individual customers.
This episode is a reminder to clinical labs and pathology groups of the need to guard protected health information. In fact, as part of its compliance with federal law, it was Quest Diagnostics that contacted the media to report this breach of PHI.
When a patient’s personal health information is made public, clinical laboratories have an extensive set of requirements to meet under the Health Insurance Portability and Accountability Act of 1993. HIPAA requires labs, called covered entities under the law, to disclose to the individuals involved that their personal health information (called PHI) was part of an unauthorized disclosure.
“In addition, covered entities and any business associates—meaning any other providers or vendors doing business with the covered entity—must also notify the secretary of the federal Department of Health and Human Services (HHS) if the personal data of more than 500 individuals is released,” stated attorney Elizabeth Sullivan, a member of the national law firm McDonald Hopkins. “If data on more than 500 individuals is involved, then covered entities and business associates need to disclose the details of this failure of security to the media.”
Sullivan did not comment on the incident involving the security breach at Quest Diagnostics. She simply spoke in general terms about what steps clinical labs and pathology groups need to follow when PHI is part of a breach, whether the data source was paper records, a stolen or misplaced laptop containing PHI, or a cyber attack on the lab’s computer system.
PHI has great value to hackers. Security experts say that, for hackers, PHI has higher value than any other kind of personal or financial information, including credit card information. In 2014, Reuters reported that PHI was worth about $10 per record—or about 10 or 20 times the value of the credit card number of a U.S. citizen! That makes cyber crime against pathology groups, clinical labs, and all healthcare providers a potentially lucrative enterprise.
Step 1: Analysis Required
“If a clinical laboratory or pathology group suspects that patient data is compromised, then the provider should conduct a thorough review of what happened,” Sullivan said. “The first thing the lab should do is ensure that the cause of the incident is corrected as quickly as possible. After that, the laboratory must analyze the security incident to determine whether a breach has occurred and what level of notification is required.”
Sullivan next offered an important piece of advice: How the lab describes the incident at this stage of the discovery and investigation makes a difference. “It is important to understand why every incident should not be referred to as a ‘breach’ immediately,” she added. “A breach has a specific meaning under HIPAA. Further, not all breaches are reportable breaches.
“Although this is not a verbatim definition, a breach is an impermissible use or disclosure under the HIPAA privacy rule that compromises the security or privacy of PHI,” stated Sullivan. “It is possible for a security incident or even a breach to fall short of a reportable breach under HIPAA.”
Two examples illustrate this point. “As one example, a security incident could be the result of an unauthorized disclosure of PHI between employees of a covered entity,” explained Sullivan. “Or, a breach could be a loss of encrypted PHI that, despite it being lost, is encrypted and therefore no one can read or access the data. Before labeling an incident a ‘breach,’ the laboratory should perform an analysis.
“In the lab’s analysis of such an incident, it must take into account the elements of personal data that were disclosed, the manner in which such information was disclosed, and whether the information was protected by encryption,” she said. “Whether the incident involves names and addresses or more sensitive health information or Social Security numbers and financial information, it is considered PHI under HIPAA and warrants investigation.
“At this point in the analysis, it’s best to work with a data privacy expert if the provider doesn’t have a privacy officer,” she commented. “This may be a law firm or a cyber security firm or some combination of both.
“If PHI is disclosed, the covered entity or business associate—along with its data privacy experts—collects information on what was disclosed, to whom the information was disclosed, whether the PHI was secured, and any other relevant details to determine if the incident in fact qualifies as a reportable breach. The entity also will need to determine how many people were affected,” noted Sullivan.
Quest Diagnostics Reports 34,000 Records Were Hacked
IN AN ANNOUNCEMENT DEC. 12, Quest Diagnostics Incorporated said it was investigating an unauthorized third-party intrusion into an internet application on its network and that it had notified 34,000 individuals who were affected. The notifications were sent by mail and Quest Diagnostics established a toll-free phone number for patients who have questions about the incident.
On Nov. 26, an unauthorized third party accessed Quest Diagnostics’ MyQuest by Care360 internet application and obtained the protected health information (PHI) of about 34,000 customers of the lab company. The third party accessed data that included the name, date of birth, lab results, and in some cases, telephone numbers, Quest said. “The information did not include Social Security numbers, credit card information, insurance or other financial information,” the lab company added. Also, Quest said it had no indication that individuals’ information had been misused.
In addition, Quest is working with a cybersecurity firm to assist in its investigation and to analyze the company’s security systems.
In the days following this disclosure, at least one law firm trolled for patients who could be plaintiffs in a class action lawsuit against Quest. This development is a reminder to clinical labs and pathology groups about the legal risks following an unauthorized disclosure of PHI.
“These issues must be examined to determine if the incident would be considered a reportable breach under HIPAA,” Sullivan added.
Notification Within 60 Days
“If the covered entity or a business associate of the covered entity determines that the incident is in fact a breach and that the PHI was not appropriately protected, then the law requires that the covered entity or business associate notify the individuals whose PHI was disclosed that a breach has occurred,” she warned. “That notification must be made without unreasonable delay and in no event more than 60 days after discovery of the incident. While those 60 days might seem like a long time, the two months may be needed to give your lab the time to determine if it is a reportable breach.
“In addition to notifying affected individuals, you must notify the Secretary of HHS, and if the breach affected 500 or more individuals you must also notify the media,” she added.
“Labs should have written HIPAA policies and procedures about what to do when there is an unauthorized disclosure of PHI,” Sullivan advised. “Once these are established, it’s important to follow such policies and procedures.
“If the lab determines that the incident was not a breach or reportable breach, then your lab must document the reasons for that determination,” she said. “And those records must be retained in the event of an audit.
Step 3: Send Notifications
“If your lab finds that there was a reportable breach, then you must notify the affected individuals within 60 days of the discovery of the breach,” Sullivan said. “If the breach involves more than 500 individuals, then you also must notify the Secretary of HHS and the media within that same 60-day period. For all breaches involving more than 500 individuals, HHS publishes the information on its web site.
Insider Breaches More Common Than External Hacks, Attacks
IT MAY SURPRISE many lab administrators and pathologists to learn that the leading cause of a breach of patients’ protected health information (PHI) comes from insiders, not from external attacks and hackers.
Protenus publishes The Breach Barometer report. For November 2016, it documented that 54.4% of healthcare data breaches were caused by insiders. Of these, 17 breaches were accidental breaches by healthcare employees and 14 were the result of malicious actions by employees with access to PHI. Hackers were responsible for nine of the breaches that month. Healthcare providers reported 40 of the month’s breaches, and health plans reported 11 breaches.
“Laboratories and pathology groups should be aware that HIPAA breaches can result in investigations or audits and ultimately in fines for covered entities or business associates,” she warned. “Under HIPAA, there is no private right of action to sue a covered entity or business associate for a HIPAA violation.
“But most states have privacy laws and if an individual is harmed through disclosure of personal information, then that individual or group of individuals may be able to seek recourse in the form of a lawsuit under other privacy laws,” she added.
“It is critical that covered entities and business associates evaluate the safeguards they have in place to protect PHI and to implement improvements as needed,” concluded Sullivan. “As more and more information is gathered, transmitted, and stored electronically, the importance of appropriate safeguards will only increase.”
Contact Elizabeth Sullivan at 216-348-5401 or firstname.lastname@example.org.