As discussed in my post "New Texas Privacy Law Increases Privacy Protections and Physician Cyber Liability Risks", House Bill 300 (HB 300) strengthens the protection of patients' electronic health information in Texas beyond what HIPAA requires and becomes effective on September 1, 2012. In a series of weekly blogs I am writing to illustrate how these stronger patient protections increase physicians' cyber liability. Consider this case history:
An unencrypted USB drive used to store PHI could not be found in the office. It contained data on 1,105 patients, including names, diagnosis codes and Social Security numbers. The physician subsequently notified all affected individuals and local media, added technical safeguards by encrypting all PHI stored on mobile devices, added physical safeguards by keeping new portable devices locked in a combination safe in the doctor's private office when not in use, and added administrative safeguards including annual privacy training for staff.
For breaches affecting more than 500 individuals, HIPAA requires physicians to notify not only the affected individuals but also local media outlets and the Department of Health and Human Services (HHS), which then posts the breach information on its website. However, if the lost PHI was encrypted, the loss is not considered a breach of unsecured PHI and no notification is required. Note that this safe harbor applies only when the encryption follows HHS guidance (which points to NIST standards such as SP 800-111 for data at rest) and the decryption key was not lost or compromised along with the device; a drive "encrypted" with the password stored on a label or alongside it does not qualify. The privacy violation in this case would have been avoided either by encrypting the thumb drive (a technology-based prevention strategy) or by not downloading PHI to a mobile device in the first place (an employee training-based prevention strategy).
HB 300 privacy protections are enforced through penalties, disciplinary actions and audits intended to deter breaches. Several factors are considered when determining the consequences of a breach, including the seriousness of the violation, the physician's compliance history, the harm done to individuals and the efforts made to correct the violation. Civil penalties may be assessed for each violation up to:
- $5,000 if committed negligently
- $25,000 if committed knowingly or intentionally
- $250,000 if committed intentionally and PHI is used for financial gain
- $1.5 million if the violations occur with a frequency that constitutes a "pattern or practice"
Physicians should also consider purchasing cyber liability insurance (or increasing their current liability limits) and consulting their Regional Extension Center, such as the North Texas Regional Extension Center (NTREC), for assistance with security risk analysis and risk management.