
The home healthcare environment is highly dependent on various forms of information technology (IT), ranging from computerized record-keeping and billing systems to alarm and telemonitoring devices designed to detect falls and changes in condition. In addition, home care providers often transmit patient health information and personal data electronically to a broad network of service providers. While IT systems vastly boost efficiency, they also create certain risks, including vulnerability to the large and growing problem of data breaches.

According to Redspin’s “Breach Report 2013: Protected Health Information (PHI),” 804 large breaches of PHI, affecting over 29.2 million patient records, have been reported to the U.S. Secretary of Health and Human Services (HHS) since the Health Information Technology for Economic and Clinical Health (HITECH) Act became effective in 2009.* In 2013, over 7 million health records were breached, more than double the previous year’s total.

This issue of Home Care Briefing examines the scope and nature of data breach hazards, and offers risk control strategies designed to protect client privacy and limit cyber liability exposure.

Data Breach Causes and Consequences

Breaches fall into five general categories, listed in declining order of frequency:

  • Theft of paper records or electronic media, including computers and such portable devices as USB flash drives, personal digital assistants and smart phones.
  • Loss of paper or electronic records, including laptops and storage media containing sensitive information.
  • Unauthorized access to PHI, including external hacking, “malware” infiltration and illicit employee-related exposures.
  • Human and technical lapses, including erroneous mailings, misdirected emails and network server glitches.
  • Improper disposal of paper records, generally involving errors on the part of a billing service, document shredding service or other vendor.

Potential consequences of a data breach include sizeable monetary penalties, negative publicity, interruption of daily activities and loss of public trust, as well as patient harm and consequent liability if medical data are lost or compromised. Be aware that financial losses resulting from data breaches are not necessarily covered by professional, property or general liability insurance policies. In view of the risks, home care providers should evaluate their overall cyber exposure, review existing data privacy policies and information security measures, and obtain appropriate insurance coverage.

Preventive Strategies

While home care organizations differ in terms of specific vulnerabilities, the following suggestions constitute a useful starting point for efforts to assess and enhance cyber security measures:

  • Perform a cyber risk assessment/PHI inventory. The first step in strengthening data security is to determine what information is most sensitive and where it is located. Useful resources to improve PHI management include the Department of Homeland Security’s Cyber Security Evaluation Tool and Carnegie Mellon University’s OCTAVE Allegro Information Security Risk Assessment.
  • Examine agreements with business associates regarding data sharing and security. The process should include everyone – such as billing firms, telemonitoring services, residential facilities and acute care providers – who may have access to confidential information. All contracts should expressly address PHI confidentiality issues in accordance with federal and state regulatory guidelines, and should be reviewed and approved by legal counsel and IT specialists.
  • Share only the “minimum necessary” data with vendors, as required by the HIPAA Privacy Rule.
  • Educate home care staff regarding the scope of federal and state privacy and notification requirements, in order to encourage agency-wide compliance. Basic HIPAA requirements should be integrated into employee orientation and training, with emphasis on the consequences of failing to properly maintain PHI.
  • Implement a user monitoring system and effective access controls. The HIPAA Security Rule requires that IT systems used to facilitate home-based care log user access to PHI. In addition, accounts should have suitably complex, regularly reset passwords and should lock automatically after a set number of unsuccessful log-ins. Finally, wireless access to client data via hand-held devices, pads and smart phones should be carefully controlled and monitored.
  • Make information security an ongoing concern. To reduce the possibility of theft or sabotage, periodically re-evaluate how PHI is stored, accessed and protected.
  • Adopt encryption technology, which renders protected information unreadable and unusable in the event of a security breach. Undecipherable information is not subject to HITECH reporting requirements.
  • Institute a post-breach response plan. In addition to complying with state and federal notification requirements, the plan should provide affected individuals with credit and medical identity monitoring services. For ethical and reputational reasons, it is generally advisable to inform all affected parties of a data breach, even if such notification is not required by law.
  • Obtain cyber liability insurance to address data- and privacy-related coverage gaps. Such products generally cover third-party liability (e.g. fines, indemnity payments and associated legal expenses), as well as notification costs, system restoration expenses and related business interruption losses. To learn more, contact your Lockton Affinity Account Manager.
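The user monitoring and access control bullet above describes three concrete controls: log every user access to PHI, reject further log-ins after a set number of failures, and keep credentials in a form that is not directly usable if stolen. The following is an added illustration of those controls in a small Python module; it is not code from CNA, Lockton or any record system vendor. The lockout threshold, lockout period, user names and the client record are constructed values chosen for the example.

```python
"""Added example: access control plus audit logging for PHI reads.
Not CNA's or any vendor's code; thresholds, names and records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac
import os

# Assumed policy values; a real deployment takes these from agency policy.
MAX_FAILED_LOGINS = 5
LOCKOUT_PERIOD = timedelta(minutes=30)

# Constructed sample client data standing in for PHI in a record system.
CLIENT_RECORDS = {
    "C-1001": {"name": "Sample Client", "diagnosis": "[constructed]"},
}


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_logins: int = 0
    locked_until: Optional[datetime] = None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen credential store is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class PhiAccessControl:
    """Authenticates users, locks accounts after repeated failures and writes
    one audit record for every login attempt and every PHI read."""

    def __init__(self) -> None:
        self.accounts: dict = {}
        self.sessions: set = set()     # usernames currently logged in
        self.audit_log: list = []      # append-only list of dict records

    def add_account(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def _record(self, username: str, event: str, now: datetime,
                client_id: Optional[str] = None) -> None:
        self.audit_log.append({"time": now.isoformat(), "user": username,
                               "event": event, "client": client_id})

    def login(self, username: str, password: str, now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        acct = self.accounts.get(username)
        if acct is None:
            self._record(username, "login_failed_unknown_user", now)
            return False
        if acct.locked_until is not None and now < acct.locked_until:
            # A locked account is rejected even when the password is right.
            self._record(username, "login_rejected_locked", now)
            return False
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_logins = 0
            acct.locked_until = None
            self.sessions.add(username)
            self._record(username, "login_ok", now)
            return True
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked_until = now + LOCKOUT_PERIOD
            acct.failed_logins = 0
            self._record(username, "account_locked", now)
        else:
            self._record(username, "login_failed", now)
        return False

    def read_client_record(self, username: str, client_id: str,
                           now: Optional[datetime] = None) -> Optional[dict]:
        # Every read attempt, allowed or denied, leaves an audit record.
        now = now or datetime.now(timezone.utc)
        if username not in self.sessions:
            self._record(username, "phi_read_denied", now, client_id)
            return None
        self._record(username, "phi_read", now, client_id)
        return CLIENT_RECORDS.get(client_id)

    def events_for(self, username: str) -> list:
        # Audit trail for one user, in the order events occurred.
        return [r["event"] for r in self.audit_log if r["user"] == username]
```

The audit list is what a reviewer would export to satisfy the logging requirement; in practice it would be written to append-only storage rather than kept in memory, and the lockout period would be a matter of agency policy rather than the constant used here.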

As the threat of data breaches grows, so does the importance of an effective information security program and cyber liability insurance coverage. The guidelines listed here can help home care providers reduce exposure and ensure that sensitive client information remains safe, accessible and under control.

*HITECH regulations require healthcare providers and other HIPAA-covered entities to promptly notify affected individuals of a breach of unsecured PHI, as well as to report breaches affecting more than 500 individuals to the HHS Secretary and the local media. Breaches affecting fewer than 500 individuals must be reported to the HHS Secretary. The HITECH Breach Notification Interim Final Rule can be accessed at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html.

The information, examples and suggestions presented in this material have been developed from sources believed to be reliable, but they should not be construed as legal or other professional advice. CNA accepts no responsibility for the accuracy or completeness of this material and recommends consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situation. Please note that Internet hyperlinks cited herein are active as of the date of publication, but may be subject to change or discontinuation. This material is for illustrative purposes and is not intended to constitute a contract. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice. Use of the term “partnership” and/or “partner” should not be construed to represent a legally binding partnership. CNA is a registered trademark of CNA Financial Corporation. Copyright ©2015 CNA. All rights reserved.