By Andrea I. Schwab, JD, CPA
Hospitals, medical groups, and individual physicians collectively suffered 333 data breaches in 2014, making up 43% of all data breaches, the highest percentage of any industry.(1) According to recent studies, the health care sector is four times more likely to be affected by malicious online attacks than any other industry.(2)
Why? Identity theft. Medical records, containing sensitive patient information such as names, birth dates, social security numbers, income, insurance information, employment details, and home addresses, are worth more to hackers than credit cards, about 10 to 20 times more.(3)
Additionally, while credit card fraud is often quickly detected and stolen credit cards are easily canceled, it can sometimes take years to detect health care related cyber crime. For example, patients may not discover that their personal health information (PHI) has been compromised until debt collectors contact them about unpaid medical bills for care that they never received. Some patients have even found themselves in need of medical care only to learn that their health benefits have been exhausted by cyber criminals. More significant still are the potential clinical consequences, such as a misdiagnosis or mistreatment, for patients whose medical identity or information has been corrupted.
Are physicians liable for data stolen in a cyber crime?
The potential liability for physicians as a result of cyber crime is unclear, as this area of the law is evolving with little precedent.
At a minimum, physicians are at risk of fines and penalties for violating federal and state privacy laws, such as the HIPAA Privacy Rule(4) and the Texas Medical Records Privacy Act.(5) Failure to comply with HIPAA can result in civil and criminal penalties, which vary widely based on the violation and the resulting harm. Data breaches or patient complaints may also trigger HIPAA audits, which can additionally occur at random.
Pursuant to those regulations, physicians are responsible for:
- implementing and following privacy and security policies and procedures;
- conducting security risk assessments;
- implementing reasonable security measures (administrative, physical, and technical safeguards);
- training staff; and
- notifying individuals when a breach occurs. A physician is ultimately responsible for notifying his or her patients of a breach, even if a business associate, such as an electronic health record (EHR) provider or health information exchange (HIE), is responsible for the breach.
For more information on cyber liability coverage and cyber risk management resources, please contact John Southrey at TMLT at firstname.lastname@example.org.
Andrea Schwab may be contacted at email@example.com.
(1) Identity Theft Resource Center. ITRC 2013 Breach List Tops 600 in 2013. Available at: www.idtheftcenter.org/ITRC-Surveys-Studies/2013-data-breaches.html. Accessed October 15, 2015. Identity Theft Resource Center. The Year of the Data Breach – a Recap of 2014, and Review of 10 Years of Breaches. Available at: http://www.idtheftcenter.org/Data-Breaches/the-year-of-the-data-breach-recap-2014-and-ten-years-of-data.html. Accessed October 15, 2015.
(2) Raytheon Company. “2015 Industry Drill-Down Report – Health Care,” p. 6. Available at: http://www.websense.com/content/2015-healthcare-industry-drilldown.aspx?cmpid=pr. Accessed October 13, 2015.
(3) Humer, C; Finkle, J. “Your Medical Record is Worth More to Hackers Than Your Credit Card.” Reuters, September 24, 2014. Available at: http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. Accessed October 13, 2015.
(4) The U.S. Department of Health & Human Services. The Privacy Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/. Accessed October 13, 2015.
(5) Texas Health and Safety Code. Title 2. Health. Subtitle I. Medical Records. Chapter 181. Medical Records Privacy. Subchapter A. General Provisions. Available at: http://www.statutes.legis.state.tx.us/Docs/HS/htm/HS.181.htm. Accessed October 13, 2015.
This article is purely informational and not intended to be legal advice and should not be construed as such.