If a hospital is investigated or sued over a health data breach, the curtain is pulled back and everything that normally happens behind the scenes is on view. Meeting minutes, internal emails and texts, personnel records and corporate policies will be scrutinized to understand whether the organization’s management acted with care or was negligent. Managers, including executive management, will be questioned under oath.
Two proposed class action lawsuits were filed this week in a California federal court alleging negligence and a variety of other claims against UC San Diego Health in the wake of a phishing incident that affected nearly 496,000 individuals. The lawsuits, filed by two different patients, claim that UC San Diego failed to take adequate cybersecurity measures, allowing attackers access to individuals’ sensitive data for at least four months before detection – and that UC San Diego then failed to provide timely breach notification to individuals affected. UC San Diego issued a public statement on July 21, and updated it on September 9, 2021.
Health Information Privacy Goes Beyond HIPAA
Although HIPAA does not give patients a private right of action, these two lawsuits are just the latest in a string of cases filed against hospitals alleging negligence, breach of contract, or violation of state privacy laws after a health data breach. Although HIPAA is not the basis of the lawsuit, HIPAA rules will be used as the standard for how things should have been done.
In a lawsuit or a state audit, senior management, including the CEO, will be required to answer questions under oath. If the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigates potential HIPAA violations, federal investigators will ask the CEO the same questions.
Among many possible questions, expect at least these:
- Do you know whether your organization has completed a HIPAA Risk Analysis?
- When did you last receive HIPAA training yourself?
- What happens at your organization if a breach of protected health information occurs?
- Are staff encouraged to report potential breaches or cybersecurity concerns?
- When did the staff last receive their HIPAA training?
These are the easy questions. There will be many more.
We Have Lawyers Working on That
Time and time again we’ve seen medium to large healthcare organizations that are hamstrung by rigid historical protocols and dysfunction. Most hospital CEOs will confidently say they have a top-flight HIPAA privacy and security team, without knowing whether that is true.
Senior management is responsible for the organization’s legal compliance. They appoint compliance officials, and boards create compliance committees, but too often senior management does not effectively oversee health information privacy compliance. And boards are reluctant to allocate the money that would let compliance personnel get the training and resources they need. When a high-visibility data breach happens, senior management and boards may be shocked into action. But by then it’s too late.
The HIPAA Privacy Rule has been in effect since 2003, but far too many covered entities continue to fail to protect patient privacy. They would never be as cavalier about providing that same patient with medical care.
CEO and Senior Management are Responsible
You Can Delegate the Duties, Not the Responsibility
UC San Diego Health senior management, the CEO and the California Board of Regents are responsible for this breach. They can delegate the authority to implement privacy and security compliance protocols, but they cannot delegate or disregard their oversight responsibilities.
Routinely, CEOs and boards are caught off guard and frustrated by health information data breaches. But that does not need to happen. After two decades of data breaches, we know where and how most large breaches happen: phishing through email; cyber attacks on out-of-date or unpatched software; careless password management and access controls. All fixable.
Institutional Failures Exposed
Analysis of large organization data breaches invariably exposes institutional failures that proper oversight would have identified and prevented. This is the key lesson of this data breach and it is a lesson that has been repeated time and again. It is time for all healthcare CEOs and boards to learn it. Rampant medical identity theft threatens each patient’s safety and financial well-being.
Healthcare providers typically do not consider health information privacy as important as quality of care and financial stability. But patients expect privacy, and delivering on that expectation is fundamental to quality health care.
A strong health information privacy program is easy to maintain when senior management takes it to heart, uses HIPAA rules as a guidebook and makes sure the entire staff is trained.
Leaders Need to Care about HIPAA to Instill a Culture of Compliance
The cliché “Fake it till you make it” does not work when it comes to corporate HIPAA compliance. Senior management needs to set the tone for a culture of compliance. They should ask for HIPAA training, stay up-to-date on HIPAA and other privacy issues, be familiar with their own HIPAA policies, and support the compliance staff performing the day-to-day work. Failure to do so can be costly.