The news about data breaches continued on Tuesday when insurer Premera Blue Cross disclosed that cyberhackers had accessed medical and financial records of as many as 11 million people. It’s been just weeks since the Anthem hack occurred, which involved records of 80 million people.
The Office for Civil Rights (OCR), a small agency within the Department of Health and Human Services is responsible for investigating breaches such as these, which can lead to authorities fining organizations for not protecting patient data well enough.
Jocelyn Samuels, the office’s director, spoke on Monday (before the Premera news) to health privacy and security experts gathered in Washington, D.C., for the National HIPAA Summit. Following her talk, she spoke to ProPublica about where things stand with health privacy currently.
Samuels suggested that following HIPAA’s establishment in 1996, things are continuing to progress, and even with breaches such as these taking place, privacy is not lost.
I think that you are talking about some of the most intimate facts about any individual, whether it is their health condition or their diagnosis or their treatment choices, and that it is really critical to ensure that they feel confident that that information will be protected from public disclosure. That’s the underlying premise of patient involvement in health care decision-making, that they can entrust their providers with this really intimate information knowing that it won’t be misused or inappropriately disclosed. Although there are new threats and cybercriminals get smarter every day, we have to do our best to keep up and ensure that there are adequate protections in place so that we can gain the benefits that technology and delivery system reform are promising.
When asked if the OCR is doing enough when it comes to fining and the frequency in which the office actually takes action, Samuels said:
You know, each case depends on its facts and I do think that we have been committed to using settlement agreements and monetary recoveries in situations where we think that the conduct has been egregious or where we want to create a deterrent or where we feel that the monetary settlement will help to reinforce the message that we’re serious about HIPAA compliance. That said, we are very serious about HIPAA compliance even in situations where we don’t seek monetary settlements or civil money penalties. And I think if you look at our corrective action plans [agreements in which providers promise to make changes following a complaint], you will see that those are uniformly robust efforts to ensure that covered entities and business associates undertake the infrastructure and structural reforms that are necessary to ensure compliance going forward. And at the end of the day, ensuring that they have the policies and procedures in place to protect information in the future is a significant component of the kind of remedial relief that we seek.
A Deep-dive Into Specialty Pharma
A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.
The Premera hack resembles Anthem, except it involves more than just patient information like names, Social Security numbers, etc. This time real medical information has been accessed, taking privacy concerns even further. The FBI is involved, but the recent breach has renewed the calls for encryption of health records.
No doubt the OCR is actively trying to protect the privacy of Americans, but keeping up with hackers is undoubtedly a challenging task. Samuels remains confident, though.
