Protected Health Information (PHI) is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations, and payment for healthcare services. This might not seem that important, but in plain language, PHI includes your most personal health information: your medical records, your medical images, your medical bills, and much more.
HIPAA-covered entities include health plans, clearinghouses, certain healthcare providers, and any business associates that help covered entities carry out their activities and functions. According to the American Hospital Association, there are currently 6,146 hospitals in the United States. Add in all the doctors’ offices, insurance companies, and other related businesses, and that number grows exponentially.
This TechCrunch article describes a recent investigation, which found that billions of medical images have been (and continue to be) exposed publicly. X-rays, CT/PET scans, MRIs, ultrasounds, and other types of medical images, which are often labeled with patient names, dates of birth, social security numbers, and other sensitive information, have been mishandled with alarming frequency, despite extensive privacy and security laws. But as TechCrunch states, there is often a simple underlying cause: a lack of basic password protection on Picture Archiving and Communication System (PACS) servers. Healthcare providers use PACS to share and archive medical images. Covered entities are connecting PACS servers directly to the internet without this most fundamental layer of security. Failure to protect PHI constitutes a breach, which is defined as the compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or loss of control, where persons other than authorized users, or for an other than authorized purpose, have access or potential access to PHI.
Section 13402(e)(4) of the HITECH Act requires the Department of Health and Human Services (HHS) to post a list of breaches of unsecured PHI affecting 500 or more individuals. The HHS Office of Civil Rights (OCR) provides this information to the public on its website. As of January 13, 2020, there were 582 cases listed. In addition, OCR provides some pretty incredible data on the number of complaints they investigate each year along with the general outcomes (investigated and corrective action obtained, investigated with no finding of violation, resolved after intake and review, and other). As of December 31, 2019, OCR has received over 225,378 HIPAA complaints and has initiated over 993 compliance reviews. Notably, their data indicates that most of the investigations result in corrective actions.
OCR bases civil fines on the severity of the violation according to a four-tier categorization system (note that criminal cases fall within the Department of Justice’s jurisdiction). The maximum fine per violation category per year is $1.5 million. These fines, coupled with the administrative burden of being subject to an OCR investigation, should be adequate motivation for covered entities to remain compliant with HIPAA.