It’s hard to keep track of even the biggest health data breaches, given how frequently they seem to be happening. Just last Tuesday, health insurer Premera Blue Cross disclosed that hackers broke into its system and may have accessed the financial and medical records of some 11 million people. The intrusion began last May but wasn’t discovered until January and wasn’t shared publicly until last week.
Among the information that may have been taken about the insurers’ members and applicants: names, dates of birth, email addresses, street addresses, telephone numbers, Social Security numbers, member identification numbers, bank account information, and claims information, which may include sensitive medical details.
Premera’s announcement comes weeks after another health insurer, Anthem Inc., announced that it too had been hacked—and that the records of nearly 80 million people were exposed.
The task of investigating medical data breaches falls to the Office for Civil Rights, a small agency within the Department of Health and Human Services. Its staff of about 200 investigates thousands of complaints every year, large and small. Last month, ProPublica reported how, as the number of breaches has increased, the office infrequently uses its authority to fine organizations and health providers that fail to safeguard patient records.
The office’s director, Jocelyn Samuels, spoke last Monday to health privacy and security experts gathered in Washington, D.C., for the National HIPAA Summit, named for the Health Insurance Portability and Accountability Act. This 1996 federal law protects the privacy and security of patient records. Her speech preceded Premera’s public disclosure.
After her talk, Samuels sat down with ProPublica to talk about the current state of health privacy. The conversation has been edited for length and clarity.
To start off with, the Anthem breach is still at the top of mind for so many people. Does this change the landscape in terms of health data breaches?
We won’t know until after we have investigated what the causes of the Anthem breach are or were, or whether there are concerns about HIPAA compliance. But I think that it illustrates both the increasing risks that exist in the cybersecurity space and the need for covered entities [health providers and others subject to HIPAA’s requirements] to continue to update and evaluate their risk analyses to ensure that their risk management plans adequately anticipate all of the kinds of threats they may face.
I received a breach letter from Anthem [informing me that my data was accessed] and I heard from a lot of people who did. One of the things that they say is, "I don’t even know what to make of this. What of mine was taken? Will it be used against me?" How do you advise them what to do?
We will be evaluating the kinds of information that was compromised and the source of the breach and the harm that accrued to the different individuals. Those are all questions that I think will inform the work that we do in this space and we will have further answers as we learn more.
Since HIPAA was passed in 1996, how would you say the state of play has changed with respect to patient privacy and the security of records?
The ability to access electronic health records is something that we obviously have clarified and expanded over time since HIPAA was enacted. And I anticipate that we will continue to evaluate the application of HIPAA standards to emerging issues, whether they are posed by new technology or new forms of risk that aren’t being adequately addressed. From a macro perspective, we are seeing an explosion of new approaches to delivering health care, to treating patients, to sharing information. And that changes on an exceptionally rapid basis, and so ensuring that we are providing adequate guidance about how HIPAA applies and what the standards are in these new environments is something that’s a high priority.
Some people have suggested that the notion of patient privacy is sort of outmoded and that you really don’t have privacy anymore. Do you accept that?
No. I think that you are talking about some of the most intimate facts about any individual, whether it is their health condition or their diagnosis or their treatment choices, and that it is really critical to ensure that they feel confident that that information will be protected from public disclosure. That’s the underlying premise of patient involvement in health care decision-making, that they can entrust their providers with this really intimate information knowing that it won’t be misused or inappropriately disclosed. Although there are new threats and cybercriminals get smarter every day, we have to do our best to keep up and ensure that there are adequate protections in place so that we can gain the benefits that technology and delivery system reform are promising.
Let’s talk numbers. OCR staff is small and yet you receive a ton of complaints every year, thousands, tens of thousands. Can you get to them?
Do we have resource constraints? Absolutely. Do we have an increasing caseload? Yes. We have to learn to be as effective and efficient with our resources as we possibly can because those are two factors that cut in opposite directions and create a situation that we have to address. So, some of the ways that we’ve done it are we’ve created centralized systems to respond to telephone calls, to process complaints as they come in, and these have produced significant efficiencies. We are freeing up our regional [office] resources to engage in substantive investigations when those are necessary.
Your office has the ability to issue fines in ways that a lot of federal agencies can’t and in denominations that a lot of federal agencies can’t. You’ve noted that you used them about two dozen times. Is that enough?
You know, each case depends on its facts and I do think that we have been committed to using settlement agreements and monetary recoveries in situations where we think that the conduct has been egregious or where we want to create a deterrent or where we feel that the monetary settlement will help to reinforce the message that we’re serious about HIPAA compliance. That said, we are very serious about HIPAA compliance even in situations where we don’t seek monetary settlements or civil money penalties. And I think if you look at our corrective action plans [agreements in which providers promise to make changes following a complaint], you will see that those are uniformly robust efforts to ensure that covered entities and business associates undertake the infrastructure and structural reforms that are necessary to ensure compliance going forward. And at the end of the day, ensuring that they have the policies and procedures in place to protect information in the future is a significant component of the kind of remedial relief that we seek.
It seems that the Office for Civil Rights receives far more reports of smaller breaches than larger ones, and these don’t get the same amount of attention, at least publicly. Are these less important?
As I mentioned, every case depends on its facts. That’s why we do monitor the small breach reports that come in. To the extent we identify situations that warrant further investigation, we engage in that investigation. And in fact we’ve entered into two settlement agreements that were based on small breach reports that resulted in monetary relief. I think it is critical in our efforts to efficiently allocate our resources to identify where we can have the greatest impact in promoting compliance going forward and to the extent in the small breaches that we see types of conduct or egregiousness of mindset of the covered entity or examples of pervasive problems that we think the industry needs to be aware of. Those are the kinds of things that will lead us to undertake investigations of small breaches even though we don’t trigger them automatically.