If your medical practice has made any computer purchases within the past 12 years, you might currently be violating HIPAA without realizing it.
Although the issue is technical in nature, it is the practice (the covered entity and the physicians who run it), not the IT staff or vendor, that will be held liable if it isn’t properly addressed. And with roughly 1 in 4 of the world’s PCs still running Windows XP, it’s likely that many healthcare facilities need to take corrective action immediately.
Why This Matters to Physicians & Office Staff
On April 8, 2014, Microsoft ended support for Windows XP, its popular 12-year-old operating system. Security patches are no longer being written for it, and Microsoft no longer monitors the system for new weaknesses.
Running unsupported software like XP leaves your practice more exposed to malware, hackers, and identity thieves. Just think of the wealth of protected health information (PHI) housed on your computers:
• Patient names
• Social security numbers
• Payment methods including credit card numbers
If that data ends up in the wrong hands, it will have far-reaching, negative implications for your patients and your reputation, not to mention the fines that can follow.
Your Responsibility as a Covered Entity
As a covered entity, your medical practice has to follow certain regulations. Under the HIPAA Privacy Rule, covered entities fall into three specific groups:
1. Healthcare providers, regardless of practice size, that transmit health information electronically in connection with certain transactions (e.g., claims)
• This includes doctors, clinics, and nursing homes
2. Health plans
3. Healthcare clearinghouses
If we jump to the Administrative Safeguards of the HIPAA Security Rule (specifically the Security Awareness and Training standard, 45 CFR 164.308(a)(5)(ii)(B)), covered entities – like healthcare providers – are required to have procedures in place for guarding against, detecting, and reporting malicious software. This is considered an “addressable” implementation specification.
But what exactly does that mean?
According to the Department of Health and Human Services (HHS), a covered entity meets an addressable specification by choosing one of the following, after assessing whether the specification is reasonable and appropriate for its environment:
• implement the addressable specification;
• implement one or more alternative security measures that accomplish the same purpose; or
• implement neither the addressable specification nor an alternative, provided it documents why the specification is not reasonable and appropriate.
So simply having a computer running Windows XP in your medical practice is not, by itself, a violation. It’s possible that you already have alternative safeguards in place – such as anti-malware software – to protect against hackers and outside threats. Keep in mind, though, that anti-malware software detects known malicious programs; it does not fix an unpatched flaw in the operating system itself.
If that’s the case, great. But your work isn’t done there: the decision, and the reasoning behind it, must be properly documented.
According to the HHS:
…any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
If you plan to keep using Windows XP, you must – at a minimum – perform a detailed risk analysis that identifies the vulnerabilities that will no longer be patched and outlines how they will be mitigated. As those risks evolve, the analysis should be updated to reflect the new plan.
Most Recent Security Breach
Despite having officially ended support, Microsoft released one final emergency patch for XP last week. Issued on May 1, it fixed a vulnerability in Internet Explorer that could allow an attacker to:
1. remotely execute code on an unpatched computer, and
2. gain the same user rights as the current user.
The flaw was already being exploited in the wild before the patch was issued, and it was used to gain access to the private files of individuals and businesses.
Even the United States Computer Emergency Readiness Team (US-CERT) issued a warning to Windows XP users. Its counterpart in the UK, CERT-UK, did the same, urging everyone to upgrade.
Without ongoing product support, this is just a one-time exception, not a return to regular patching. Medical practices still running Windows XP, or other unsupported systems, will become a growing target for identity theft and HIPAA violations, along with the severe consequences that come with them.
Consequences of Non-compliance
Practitioners who fail to comply with HIPAA regulations can face both civil and criminal penalties, as noted below.
CIVIL PENALTY STRUCTURE (per violation)
• The covered entity or individual did not know, and by exercising reasonable diligence would not have known, that the act was a HIPAA violation: $100 to $50,000
• The violation had a reasonable cause and was not due to willful neglect: $1,000 to $50,000
• The violation was due to willful neglect but was corrected within the required time period: $10,000 to $50,000
• The violation was due to willful neglect and was not corrected: $50,000 or more
*Penalties for identical violations in the same calendar year are capped at $1.5 million.
CRIMINAL PENALTY STRUCTURE
If the civil fines aren’t enough of a deterrent, the possibility of jail time should be.
• Knowingly obtaining or disclosing PHI: a fine of up to $50,000 and up to 1 year in jail
• Under false pretenses: a fine of up to $100,000 and up to 5 years in jail
• With intent to sell the information, or for commercial advantage, personal gain, or malicious harm: a fine of up to $250,000 and up to 10 years in jail
The Office for Civil Rights (OCR) has been cracking down on security breaches recently and reaching substantial settlements. Two examples are listed here. Had these physicians and healthcare leaders been diligent in their compliance efforts, the violations could have been prevented.
Adult & Pediatric Dermatology, P.C. (APDerm) paid $150,000 after an unencrypted flash drive containing patient information was stolen; OCR also found it had not performed an accurate risk analysis. In addition, APDerm must carry out a corrective action plan to prevent similar issues in the future.
Concentra Health Services and QCA Health Plan came under fire when unencrypted laptops containing the PHI of hundreds of patients were stolen. As a measure of the severity of the offenses, OCR settled with the two companies for a total of nearly $2 million.
Upgrade to be Safe
Although these cases focus on the theft of actual physical devices, it’s not far-fetched to see how a computer with limited security features may result in the same outcome: compromising PHI.
Depending on the size of your practice, upgrading operating systems can be costly. But given the number of physicians replacing their EHRs, upgrading the operating system at the same time makes sense. It adds yet another layer of HIPAA protection for patients and practitioners alike.
How has your medical practice addressed this major security issue? Please comment below and let us know!