
Why You Shouldn’t Take Calculated Risks with Security

Posted on May 9, 2018 | Written By

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

Calculated risks are often lauded in innovation.  However, with increasing security breaches in the tech industry, it is time to reassess the calculated risks companies take in healthcare.

Time and again, I have advised technology companies and medical practices to invest in security, and yet I am often met with resistance; a culture of calculated risk prevails.  To these companies and practices, the risk may make sense in the short term. Resources are often limited, so they believe they needn't spend the time and money on security.  However, the notion that a company or a practice can take this chance is ill advised.

As a recent study conducted by HIMSS (and reviewed by Ann Zieger here) warns, "significant security incidents are projected to continue to grow in number, complexity and impact." Thus, in taking the calculated risk not to invest in security, companies and practices are creating greater risk for themselves in the long run, one that comes with severe consequences.

As we have seen outside of healthcare, even "simple" breaches of user names and passwords, as happened to Under Armour's MyFitnessPal app, have become instructive examples of the impact a security breach can have. While healthcare companies typically think of this in terms of HIPAA compliance and oversight by the Office for Civil Rights (OCR), the consequences reach far wider.  Beyond the civil penalties OCR can impose (and the criminal charges, including jail time, that the Department of Justice can bring), what these current breaches show us is how easy it is for the public to lose trust in an entity.  For a technology company, this means losing valuation, which could signal a death knell for a startup. For a practice, this may mean losing patients.  For any entity, it will likely result in substantial legal fees.

Why take the risk of not investing in security? A company may think it is saving time and money up front and that the likelihood of a breach or security incident is low. But in the long run, the risk is too great: no company wants to end up with its name splashed across the headlines, spending more money on legal fees, scrambling to notify those whose information has been breached, and rebuilding lost trust.  The short-term gain of saving resources is not worth this risk.

The best thing a company or practice can do to get started is to run a detailed risk assessment. This is already required under HIPAA but is not always made a priority.  As the HIMSS report also discussed, there is no single standard for risk assessment, and OCR is often flexible, knowing that entities come in different sizes and have different resources. While encryption and network security should remain a high priority with constant monitoring, a few standard aspects of a risk assessment include:

  • Identifying information (in either physical or electronic format) that may be at risk including where it is and whether the entity created, received, and/or is storing it;
  • Categorizing the risk of each type of information in terms of high, medium, or low risk and the impact a breach would have on this information;
  • Identifying who has access to the information;
  • Developing backup systems in case information is lost, unavailable, or stolen; and
  • Assessing incident response plans.
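As an added example (not part of the original post, and not anything HIPAA or OCR prescribes), here is one way to turn the five items above into a repeatable risk register: inventory each store of information with where it lives and whether the entity created, received or stores it; rate the impact of a breach; list who has access; and flag missing backups and untested incident response plans. The inventory, the thresholds (10,000 records, five principals) and the impact-times-likelihood matrix are assumptions chosen for illustration; a real assessment would set them from the entity's own policies.

```python
"""Added example: a minimal risk register built from a data inventory.

The inventory, thresholds and scoring matrix below are illustrative
assumptions, not requirements from HIPAA, OCR or the original post.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    location: str          # where the information lives (physical or electronic)
    origin: str            # "created", "received" or "stored" for a third party
    contains_ephi: bool    # electronic protected health information present?
    records: int           # rough number of individuals affected by a breach
    encrypted_at_rest: bool
    backed_up: bool
    access: tuple          # principals or groups that can read the asset
    ir_plan_tested: bool   # has the incident response plan been exercised?


LEVELS = {"low": 1, "medium": 2, "high": 3}


def impact_level(a: Asset) -> str:
    """Impact of a breach: driven by whether ePHI is present and how much."""
    if not a.contains_ephi:
        return "low"
    return "high" if a.records >= 10_000 else "medium"   # assumed threshold


def control_gaps(a: Asset) -> list:
    """Missing controls, each of which raises the likelihood of a breach."""
    gaps = []
    if a.contains_ephi and not a.encrypted_at_rest:
        gaps.append("unencrypted ePHI at rest")
    if not a.backed_up:
        gaps.append("no backup")
    if "all-staff" in a.access or len(a.access) > 5:      # assumed threshold
        gaps.append("over-broad access")
    if a.contains_ephi and not a.ir_plan_tested:
        gaps.append("incident response plan not tested")
    return gaps


def likelihood_level(gaps: list) -> str:
    n = len(gaps)
    return "high" if n >= 2 else ("medium" if n == 1 else "low")


def risk_level(impact: str, likelihood: str) -> str:
    """3x3 matrix: product of the two levels, bucketed (assumed cut-offs)."""
    score = LEVELS[impact] * LEVELS[likelihood]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def assess(inventory: list) -> list:
    """Build the register, highest risk first, with the gaps to remediate."""
    register = []
    for a in inventory:
        gaps = control_gaps(a)
        imp, lik = impact_level(a), likelihood_level(gaps)
        register.append({
            "asset": a.name, "location": a.location, "origin": a.origin,
            "impact": imp, "likelihood": lik, "risk": risk_level(imp, lik),
            "access": list(a.access), "gaps": gaps,
        })
    return sorted(register, key=lambda r: -LEVELS[r["risk"]])


# Constructed sample inventory for a small practice (hypothetical).
SAMPLE_INVENTORY = [
    Asset("EHR database", "vendor-hosted PostgreSQL", "created", True, 250_000,
          encrypted_at_rest=True, backed_up=True,
          access=("clinicians", "billing"), ir_plan_tested=True),
    Asset("scanned intake forms", "office file share", "received", True, 4_000,
          encrypted_at_rest=False, backed_up=False,
          access=("all-staff",), ir_plan_tested=False),
    Asset("newsletter mailing list", "marketing SaaS", "created", False, 900,
          encrypted_at_rest=False, backed_up=True,
          access=("marketing",), ir_plan_tested=False),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print(f"{row['risk']:<6} {row['asset']:<25} gaps: {row['gaps']}")
```

Run it and the file share of scanned forms comes out as the high-risk item, because medium impact combined with four missing controls, while the much larger EHR database lands at medium on impact alone. That ordering is the point of the exercise: the register tells a resource-limited practice which asset to fix first rather than leaving the decision to intuition.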

Additionally, it is important to ensure proper training of all staff members on HIPAA policies and procedures, including roles and responsibilities, which should be documented in detail and kept up to date in the office.

This is merely a start and should not be the end of the security measures companies and practices take to ensure they do not become the next cautionary example. When discussing a recent $3.5 million settlement, OCR Director Roger Severino emphasized that "there is no substitute for an enterprise-wide risk analysis for a covered entity." Further, he stressed that "Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients' health information in accordance with the law."

Though this may seem rudimentary, healthcare companies and medical practices are still not following these simple steps to address security, and are taking the calculated risk not to, which will likely be at their own peril.

About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on twitter @GilmerHealthLaw or on her blog at www.healthasahumanright.wordpress.com.

Should Apps with Personal Health Information Be Subject to HIPAA?

Posted on April 10, 2018 | Written By

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

With news of Grindr's sharing of users' HIV status and location data, many wonder how such sensitive information could be so easily disclosed. The answer is quite simply a lack of strong privacy and security standards for apps.  The question then becomes whether apps that store personal health information should be subject to HIPAA. Should apps like Grindr have to comply with the Privacy and Security Rules as doctors, insurance companies, and other covered entities already do?

A lot of people already think this information is protected by HIPAA, not realizing that HIPAA only applies to "covered entities" (health care providers, health plans, and health care clearinghouses) and "business associates" (companies that contract with covered entities).  Grindr is neither of these. Nor are most apps that address health issues, everything from apps with mental health tools to diet and exercise trackers. These apps can store all manner of information, ranging from simply a name and birthdate to sensitive information including diagnoses and treatments.

Grindr is particularly striking because, under HIPAA and the related federal and state laws that layer on top of it, there are extra protections for information including AIDS/HIV status, mental health diagnoses, genetics, and substance abuse history.  Normally, this information is highly protected, and rightly so given the potential for discrimination. The privacy laws surrounding this information were hard fought by patients and advocates who often experienced discrimination themselves.

However, there is another reason this is particularly important in Grindr's case, and that is the issue of public health.  Just a few days before it was revealed that the HIV status of users had been exposed, Grindr announced that it would push notifications through the app to remind users to get tested.  This was lauded as a positive move that added to the culture of openness on the app. Users already disclose their HIV status, which benefits public health by reducing the spread of the disease. However, if users think that this information will be shared without explicit consent, they may be less likely to disclose their status. Thus, not having privacy and security standards for apps with sensitive personal health information means these companies can easily share this information and break users' trust, at the expense of public health.

Trust is one of the very reasons HIPAA itself exists.  When implemented correctly, the Privacy and Security Rules create an environment of safety in which individuals can disclose information that they may not want others to know.  This in turn allows for discussion of mental health issues, sexually transmitted diseases, substance use issues, and other difficult topics, with consequences for both the individual's treatment plan and the health of the wider population.

It would be sensible to apply a framework like HIPAA to apps to ensure the privacy and security of user data, but certainly some would challenge the idea.  Some may make the excuse already common in healthcare: that HIPAA stifles innovation and imposes an undue burden on their industry and on technology in general.  While untrue, this rhetoric holds sway with the government entities that may oversee these companies.

To that end, there is the question of who would regulate such a framework. Would it fall to the Office for Civil Rights (OCR), which already oversees HIPAA? OCR itself is overburdened, taking months to assess even the smallest of HIPAA complaints.  Would the FDA regulate compliance, as it looks to regulate more mobile apps that are tied to medical devices?  Would the FCC have a role?  The question of who would regulate apps would be a fight in itself.

And finally, would this really increase privacy and security? HIPAA has been in effect for over two decades, and yet many covered entities still fail to implement proper privacy and security controls.  This does not necessarily mean there shouldn't be attempts to address these serious issues, but some might question whether the HIPAA framework would be the best model.  Perhaps a new model, with new standards and consequences for noncompliance, should be considered.

Regardless, it is time to start really addressing the privacy and security of personal health information in apps. Last year, both Aetna and CVS Caremark violated patient privacy by sending mail to patients in envelopes whose windows revealed their HIV status. At present these cases appear to be under review by OCR. But OCR has been tough on such disclosures: in May 2017, St. Luke's Roosevelt Hospital Center Inc. paid OCR $387,200 in a settlement for a breach of private information including the HIV status of a patient. So the question is, if as a society we recognize the serious nature of such disclosures, should we not look to prevent them in all settings, whether the information comes from a healthcare entity or an app?

With intense media scrutiny of privacy and security across all aspects of technology, increased regulation may be around the corner, and the framework HIPAA creates may be worth applying to apps that contain personal health information.

About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on twitter @GilmerHealthLaw or on her blog at www.healthasahumanright.wordpress.com.