The latest round of health care privacy regulations, data breach laws and associated guidance from regulators has served as a wake-up call to many organizations, reminding them to take a harder look at their data protection practices. On inspection, many find that typical preventive measures, such as firewalls and access controls, are effective against external attacks but do not protect information from being exposed by poor decisions and employee errors.
Avoiding inadvertent information exposure is difficult and costly. When firewalls, access controls and other measures fail and a breach does occur, management will be much better positioned to deal with cleanup and mitigation if it's already familiar with the new notification laws.
Complying with government-regulated mitigation measures adds cost and time burdens to what is already an expensive undertaking. The process can take months, even for relatively small data breaches. To add insult to injury, a breach also may trigger penalties.
If these new regulations motivate you to understand where your processes put you at risk, you are on the right track. The challenge for a company's management team is to assume that the question is not if, but when, the company will suffer a breach.
Different data breach laws for different businesses
You need to review health care's two main sources of regulation, depending on the nature of your company's involvement in the industry. Your corporate attorney should be able to guide you to the applicable agency that oversees your specific business.
Entities -- such as hospitals, health programs, and clearinghouses and their business associates -- that are covered by the Health Insurance Portability and Accountability Act (HIPAA) are required to comply with its data breach notification laws, as well as those of the Department of Health & Human Services (HHS). All those laws were strengthened as a result of the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Organizations that are not covered by HIPAA, such as vendors of personal health records (for example, organizations that collect readings from pulse-rate and blood-pressure cuffs), are required to comply with Federal Trade Commission (FTC) guidelines, also stemming from the HITECH Act.
Human error, intentional or not, leads to data breaches
The root cause of inadvertent breaches is almost always human error. In some breaches, technology does go awry, but even these cases can be attributed to poor testing and quality assurance. Every organization depends on manual and automated processes to transfer health records. A technology misconfiguration, or an error as simple as shifting mailing addresses or fax numbers by one row in a spreadsheet, can cause records to be misdirected and result in large amounts of data going to the wrong people or organizations.
Another common source of breaches is poor data-destruction practices. There have been several high-profile data breaches resulting from organizations failing to shred or properly dispose of paper files containing personal health information. It may be that their employees were operating in flagrant disregard of company policy and state and federal health privacy laws, but it's more likely that these organizations failed in education and policy enforcement.
Systems and media mismanagement are also common culprits. Reuse, improper disposal and resale of obsolete systems, disks and laptops can result in sensitive data ending up in the wrong hands. Here again, proper policy, education, auditing and enforcement can go a long way toward preventing, or at least detecting, bad behavior before data breaches occur.
Cost of a data breach tied to culpability
When a breach does happen, the costs to investigate its cause and effects and notify victims can be daunting. Before reporting a data breach to authorities, organizations need to understand the kind of data that was exposed and who saw it, the risk of damage to victims, and the best way to handle the notification about the breach.
The new data breach laws require notification within 60 days. Even if this sounds easy, it isn't: The notification and remediation process can take a team of managers, technical staff and legal counsel months to complete. The forensic investigation depends on an organization's ability to track down how the data was breached and to what degree it was exposed. In addition, organizations may need the help of specialized attorneys to identify the applicable rules, as well as whom to notify and how.
HHS has established minimum and maximum data breach penalties that are based on the level of the culpability of the organization responsible for the compromise. Before the latest round of rules, HHS could not impose a penalty of more than $100 for each violation, or $25,000 for all identical violations of the same provision. Further, a covered entity could escape penalties by demonstrating that it did not know it violated the data breach laws.
The HITECH Act strengthened civil penalties by establishing a tiered system of fines, with a maximum fine of $1.5 million for all identical violations in a calendar year. The legislation also largely removed the escape loophole -- unless the organization corrects the violation within 30 days of discovering it.
The breach notification interim final rule establishes four tiers for the cost of a data breach:
1. If the person or organization did not know (and by reasonable diligence could not have known) that a provision had been violated, the violator would be assessed not less than $100 per violation, and not more than $25,000 in a calendar year.
2. If a person or organization knew a provision was violated, but the violation was due to reasonable cause and not willful neglect, the violator would be assessed not less than $1,000 per violation, and not more than $100,000 in a calendar year.
3. If the violation was due to willful neglect and corrected in a timely manner, the violator would be assessed $10,000 to $50,000 per violation, and not more than $1,500,000 in a calendar year.
4. If the violation was due to willful neglect and not corrected in a timely manner, the violator would be assessed $50,000 per violation, and not more than $1,500,000 in a calendar year.
It is clear that HHS is establishing strong deterrents to the careless handling of personal health information. Further, even in the event of a data breach, there is a clear benefit to those who are prepared to respond quickly and correct their violations.
Write data breach policy now, avoid problems later
The latest changes in data breach laws and the associated penalties from HHS and the FTC provide more reason than ever for an organization to understand the risk and the cost of inadvertent data compromise. The organization that has spent the time and money assessing its risks and placing stringent controls over its data not only will reduce the risk of an inadvertent loss of data, but also could avoid the higher penalties associated with willful neglect if a breach were to occur.
In addition, understanding these regulations can help structure a data breach policy that will save time during the notification process. Now is the best time to assess your company's practices and ensure that risks have been mitigated. That way, in the event of an inadvertent data breach, your response will be immediate, effective and satisfactory to government regulators.
Richard E. Mackey is vice president of SystemExperts Corp. and an authority on enterprise security architecture and compliance.