By Elizabeth Snell

September 02, 2015 - The health data security world is constantly changing, as technology evolves and healthcare organizations work to maintain HIPAA compliance while keeping pace with emerging threats. The past few months have further proven that fact, and shown that covered entities need to ensure that they remain current on all federal, state, and local regulations, and also be aware of how unauthorized parties might try to access sensitive data.

Without an idea of current events in the health data security space, it can be more difficult for covered entities and their business associates to not only work toward compliance, but also learn from data security incidents. HealthITSecurity.com is reviewing some of the top stories over the summer, and why healthcare organizations should pay attention.

Lessons on HIPAA compliance, post health data breaches

One of the top issues over the last few months was about maintaining HIPAA compliance, and what the potential consequences could be should a violation occur. For example, Medical Informatics Engineering made headlines when it reported that it had been the victim of a “sophisticated cyber attack,” and that many of its healthcare provider clients could have been affected.

Potentially exposed information included patient names, mailing addresses, email addresses, and dates of birth. Some patients may have also had Social Security numbers, lab results, dictated reports, and medical conditions exposed.

Another health data breach that made headlines over the summer was when Blue Shield of California announced that a software update led to potential PHI exposure for some members. Following a code update to its website, three users who logged into their own accounts at the same moment as another user were shown member information belonging to that other individual’s account.
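The Blue Shield statement attributes the exposure only to "faulty code," so the actual defect is not on record. The following is an added example, not Blue Shield's code, of one hypothetical bug class that produces exactly the symptom described: the identity established at login is kept in server-wide state instead of travelling with the request, so two logins that overlap in time can cause one member's page to be rendered with the other member's data. The member records, user names and the `Request` class are constructed for the example.

```python
"""Session mix-up illustration (added example, hypothetical cause).

Two handler pairs render a member's account page after login. The
vulnerable pair stores the authenticated user in a process-wide variable;
the fixed pair keeps it on the per-request context. The interleaving
below is deterministic so the failure reproduces every time, whereas on a
real server it appears only when logins overlap.
"""

# Constructed sample data: what each member should see after logging in.
MEMBERS = {
    "alice": {"member_id": "A-001", "plan": "PPO"},
    "bob": {"member_id": "B-002", "plan": "HMO"},
}


class Request:
    """Per-request context, one instance per incoming HTTP request."""

    def __init__(self):
        self.user = None


# --- Vulnerable pattern -----------------------------------------------------
# A single variable shared by every request handled by this process.
_current_user = None


def vulnerable_login(req, username):
    global _current_user
    _current_user = username  # BUG: overwritten by any concurrent login


def vulnerable_render(req):
    # Reads whoever logged in most recently, not necessarily this request's user.
    return MEMBERS[_current_user]


# --- Fixed pattern ----------------------------------------------------------
def fixed_login(req, username):
    req.user = username  # identity is scoped to this request only


def fixed_render(req):
    return MEMBERS[req.user]


def run_concurrent(login, render):
    """Interleave two requests as a busy server can: both logins complete
    before either account page is rendered. Returns the member_id each
    request's page ends up showing."""
    req_a, req_b = Request(), Request()
    login(req_a, "alice")
    login(req_b, "bob")
    return render(req_a)["member_id"], render(req_b)["member_id"]


if __name__ == "__main__":
    # Vulnerable: Alice's page shows Bob's data -> ('B-002', 'B-002')
    print("shared state :", run_concurrent(vulnerable_login, vulnerable_render))
    # Fixed: each page shows its own member -> ('A-001', 'B-002')
    print("per-request  :", run_concurrent(fixed_login, fixed_render))
```

The regression check worth keeping from this is `run_concurrent`: any change to login or rendering code should be tested with overlapping sessions, not just one user at a time. The same symptom can also come from a response cache keyed by URL but not by session, so a review after an incident like this should cover both places.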

“The Website’s faulty code was identified and corrected and the Website was returned to service on May 19,” read a Blue Shield statement. “Our investigation revealed that this was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation.”

One of the larger data breaches, though, took place at the Office of Personnel Management (OPM), also reportedly the result of a large-scale cyber attack. Even though the incident did not take place at a healthcare organization, there are still several important lessons for covered entities to take away from the situation, according to Institute for Critical Infrastructure Technology (ICIT) Co-founder and Senior Fellow Parham Eftekhari.

"One of the things we identified in the report before the breach was identified was that governance was really missing and is something that healthcare organizations can and should be implementing," Eftekhari told HealthITSecurity.com. "These are not new concepts. Governance is a basic idea that unfortunately a lot of organizations still don't get down."

Understanding HIPAA regulations to avoid violations

There were also a few examples this summer of what could happen should a HIPAA violation take place. For example, Brighton, Massachusetts-based St. Elizabeth’s Medical Center (SEMC) agreed to a $218,400 HIPAA settlement stemming from allegations dating to 2012.

SEMC employees had allegedly used an internet-based document sharing application to store documents containing ePHI of nearly 500 individuals. The Office for Civil Rights (OCR) explained that this was done without having analyzed the risks associated with such a practice.

“OCR’s investigation determined that SEMC failed to timely identify and respond to the known security incident, mitigate the harmful effects of the security incident, and document the security incident and its outcome,” OCR said in a statement. “Separately, on August 25, 2014, SEMC submitted notification to HHS OCR regarding a breach of unsecured ePHI stored on a former SEMC workforce member’s personal laptop and USB flash drive, affecting 595 individuals.”

An Ohio radiologist was also accused earlier this summer of accessing a colleague’s medical record, and had her medical license placed on probation. The individual was required to sign a consent agreement accepting a reprimand and a period of probation, according to DOTmed. Moreover, the agreement states that the radiologist “intentionally accessed the electronic medical records of a physician colleague (and) further admits that she was not a treating physician, nor was she asked to consult, or provide diagnostic service.”

While not connected to these two incidents, HHS also released an overview on HIPAA regulations to remind covered entities of the basics of the HIPAA Privacy Rule, Security Rule, and the data breach notification process.

“[HIPAA covered entities] play a vital role in protecting the privacy and security of patient information,” HHS stated. “This fact sheet gives a basic overview of the rules, the information protected by the rules, and who must comply with the rules.”

The growing importance of data de-identification

An increasingly important issue for covered entities to be aware of is data de-identification. This is especially true as health data research capabilities expand, and more healthcare organizations weigh how to share health data securely.

HealthITSecurity.com interviewed Ben Rotz, Director of the Office of Medical Transparency at Eli Lilly, and Co-lead of the Clinical Data Transparency Initiative at TransCelerate Biopharma Inc., earlier this summer. Rotz discussed data de-identification and the anonymization of clinical data. According to him, standards rather than technology are the key to how health data sharing and data de-identification will continue to evolve and impact healthcare and pharma.

"As we have a set of rules that are followed, as we start to see standards in place for how the data are collected, then we're going to start to see more and more technologies emerge that allow for a standard way to anonymize the data," Rotz said. "As more and more of that tends to happen, people can concentrate on the why and the what of what they're doing, instead of the how do they make it happen from a technology perspective."
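The article mentions de-identification without showing what a rules-driven pass over a record looks like. The following is an added example, not code from the article, from Mr. Rotz, or from any of the organizations named, applying a subset of the HIPAA Safe Harbor identifier rules (45 CFR 164.514(b)(2)) to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, ZIP codes are cut to their first three digits (or "000" for sparsely populated prefixes), ages over 89 are bucketed as "90+", and two common number formats are scrubbed from free text. The record, the `SMALL_ZIP3` set and the regular expressions are assumptions for the example; the full standard lists 18 identifier types and the real low-population ZIP3 list comes from Census data, so this is not a complete or legally sufficient implementation.

```python
"""Partial Safe Harbor style de-identification (added example).

Covers a subset of the HIPAA Safe Harbor rules. Free-text scrubbing with
regular expressions is shown only to make the point that notes fields need
handling too; it is not a reliable way to find all identifiers in prose.
"""

import re
from datetime import date

# Direct identifiers that are removed outright.
DROP_FIELDS = {"name", "ssn", "mrn", "email", "phone", "street"}

# ZIP3 areas with 20,000 or fewer people must become "000". Constructed
# stand-in for the Census-derived list a real implementation would load.
SMALL_ZIP3 = {"036", "059", "102"}

# Constructed patterns for free text; intentionally narrow.
SCRUB_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
]

# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "dob": date(1924, 3, 15),
    "zip": "02135",
    "admit_date": date(2015, 6, 2),
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient reachable at 617-555-0123.",
}
AS_OF = date(2015, 9, 2)  # reference date for computing age


def zip3(zip_code):
    """First three ZIP digits, or '000' for low-population prefixes."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in SMALL_ZIP3 else prefix


def age_bucket(dob, as_of):
    """Exact age in years, except that ages over 89 collapse to '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age > 89 else age


def scrub_text(text):
    for pattern, replacement in SCRUB_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def deidentify(record, as_of):
    """Return a new dict with the Safe Harbor subset applied."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # direct identifier: do not carry forward
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key == "dob":
            out["age"] = age_bucket(value, as_of)  # birth date becomes age
        elif isinstance(value, date):
            out[key] = value.year  # other dates keep only the year
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def deidentify_sample():
    return deidentify(SAMPLE, AS_OF)


if __name__ == "__main__":
    for key, value in deidentify_sample().items():
        print(f"{key}: {value}")
```

Worth noting for practitioners: the function allow-lists nothing, so any new field added to the source record passes through untouched unless it matches a rule. A production version should invert that and drop unknown fields by default, which is the same least-privilege habit that applies to access control.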