Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

Senate to review HIPAA security of medical records in light of Anthem breach

February 13, 2015

Article

A monumental data breach at one of the nation’s largest insurance providers has spurred a bipartisan effort to reexamine the Health Insurance Portability and Accountability Act (HIPAA).

A monumental data breach at one of the nation’s largest insurance providers has spurred a bipartisan effort to reexamine the Health Insurance Portability and Accountability Act (HIPAA), possibly adding a costly and cumbersome requirement to encrypt health records (EHRs).

The Senate Health, Education, Labor and Pensions committee announced February 6 that it is planning a new bipartisan initiative to examine the security of all health information technology and the healthcare industry’s preparedness against cyber attacks.

“Patients, hospitals, insurers-all Americans who value the safety and privacy of their sensitive personal information-have a right to be alarmed by reports that their electronic records might be vulnerable to a cyber attack,” says committee chairman Lamar Alexander (R-Tenn.).

In depth:Remaining HIPPA compliant: how to protect patient records

The committee will examine EHRs, hospital records, network-connected medical devices and more in regard to the security of their health information technology.

The initiative comes in the wake of a security breach at Anthem-the nation’s second-largest insurer-that affects up to 80 million people. The breach is the largest HIPAA violation in history and involved the alleged theft of security credentials from a system administrator to access Anthem’s client database. While the company encrypts data it exports, the data was stolen at the company level and was unencrypted. But even if it had been encrypted, the systems administrator credentials that were stolen could have been used to access encrypted client data.

Data stolen during the break include names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information. Anthem says no diagnosis, treatment, or financial data was accessed during the breach.

Encryption isn’t currently required under HIPAA, nor under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, although HITECH does offer incentives for encryption. Encrypting data is costly and does not guarantee that records cannot be penetrated by cyber attacks. Regardless, some industry watchdogs and health IT experts are calling on healthcare systems to take a more serious look at encryption as a preemptive measure against future cyber attacks.

The Office of Civil Rights (OCR) under the U.S. Department of Health and Human Services-which is investigating the Anthem breach-reports that roughly 60% of healthcare data breaches since 2009 could have been prevented through encryption. And a 2014 report by Forrester Research estimates that only 59% of healthcare organizations have implemented any type of data encryption.