It’s hard to keep track of even the biggest health data breaches, given how frequently they seem to be happening.
Just Tuesday, health insurer Premera Blue Cross disclosed that hackers broke into its system and may have accessed the financial and medical records of some 11 million people. Premera’s announcement comes weeks after another health insurer, Anthem Inc., announced that it too had been hacked—and that the records of nearly 80 million people were exposed.
The task of investigating medical data breaches falls to the Office for Civil Rights, a small agency within the Department of Health and Human Services.
Last month, ProPublica and NPR reported how, as the number of breaches has increased, the office infrequently uses its authority to fine organizations and health providers that fail to safeguard patient records.
The office’s director, Jocelyn Samuels, spoke Monday to health privacy and security experts gathered in Washington, D.C., for the National HIPAA Summit, named for the Health Insurance Portability and Accountability Act.
After her talk, Samuels sat down with ProPublica to talk about the current state of health privacy. The conversation has been edited for length and clarity. Highlights are below; a fuller version is available on ProPublica’s website.
To start off with, the Anthem breach is still at the top of mind for so many people. Does this change the landscape in terms of health data breaches?
We won’t know until after we have investigated what the causes of the Anthem breach are or were, or whether there are concerns about HIPAA compliance. But I think that it illustrates both the increasing risks that exist in the cybersecurity space and the need for covered entities [health providers and others subject to HIPAA’s requirements] to continue to update and evaluate their risk analyses to ensure that their risk management plans adequately anticipate all of the kinds of threats they may face.
Since HIPAA was passed in 1996, how would you say the state of play has changed with respect to patient privacy and the security of records?
The ability to access electronic health records is something that we obviously have clarified and expanded over time since HIPAA was enacted. And I anticipate that we will continue to evaluate the application of HIPAA standards to emerging issues, whether they are posed by new technology or new forms of risk that aren’t being adequately addressed. From a macro perspective, we are seeing an explosion of new approaches to delivering health care, to treating patients, to sharing information. And that changes on an exceptionally rapid basis, and so ensuring that we are providing adequate guidance about how HIPAA applies and what the standards are in these new environments is something that’s a high priority.
Some people have suggested that the notion of patient privacy is sort of outmoded and that you really don’t have privacy anymore. Do you accept that?
No. I think that you are talking about some of the most intimate facts about any individual, whether it is their health condition or their diagnosis or their treatment choices, and that it is really critical to ensure that they feel confident that that information will be protected from public disclosure. That’s the underlying premise of patient involvement in health care decision-making, that they can entrust their providers with this really intimate information knowing that it won’t be misused or inappropriately disclosed. Although there are new threats and cybercriminals get smarter every day, we have to do our best to keep up and ensure that there are adequate protections in place so that we can gain the benefits that technology and delivery system reform are promising.
Your office has the ability to issue fines in ways that a lot of federal agencies can’t and in denominations that a lot of federal agencies can’t. You’ve noted that you used them about two dozen times. Is that enough?
You know, each case depends on its facts and I do think that we have been committed to using settlement agreements and monetary recoveries in situations where we think that the conduct has been egregious or where we want to create a deterrent or where we feel that the monetary settlement will help to reinforce the message that we’re serious about HIPAA compliance. That said, we are very serious about HIPAA compliance even in situations where we don’t seek monetary settlements or civil money penalties. And I think if you look at our corrective action plans [agreements in which providers promise to make changes following a complaint], you will see that those are uniformly robust efforts to ensure that covered entities and business associates undertake the infrastructure and structural reforms that are necessary to ensure compliance going forward.