Workforce Risk and the Evolution of the Breach of Protected Health Information (PHI)

Posted by Gerry Blass

The word  “HIPAA” sounds very much like the “Hippocratic” oath.

From Wikipedia – “The Hippocratic Oath is an oath historically taken by physicians. It is one of the most widely known of Greek medical texts. In its original form, it requires a new physician to swear, by a number of healing gods, to uphold specific ethical standards, including privacy of confidential health information. Of historic and traditional value, the oath is considered a rite of passage for practitioners of medicine in many countries, although nowadays various modernized versions are often used.”

It is almost like the government tried to match the sound and then define the words “Health Information Portability and Accountability Act.” But we know that is not how it happened.

So lets look at the evolution of HIPAA and the breach of PHI. The HIPAA law was signed in 1996 during the Clinton Administration. While its primary concern was for Administrative Simplification, meaning standards for electronic exchange of health information, it also required Accountability by including the Information Privacy and Security Rules.

Those of us who worked in healthcare IT, such as in a hospital, had access to the systems that contained PHI. We were able to access information about VIPs such as celebrities, fellow employees, neighbors, etc. Back in the early 90s this kind of unauthorized access was not a concern. In fact back then, PHI was not a term. And, there was no motivation to sell identifiable health information.

And then it all changed when Arthur Ashe’s health status was sold to the Enquirer. And then Bill Clinton’s. And then it caught on. There was money to be made by selling confidential health information.

The evolution has included selling medical charts of accident victims to lawyers, chiropractors, etc. The evolution then spread into electronic information, and it was still the workforce that represented the highest risk for a breach. Why? Because the workforce had authorized access and could easily do unauthorized things. Workforce training, therefore, was key to reduce risk and enforce sanctions for violations.

Over the past 25 years, the ever-increasing amount and locations of electronic PHI resulted in an ever-increasing amount of electronic breaches, both accidental and intentional.

Who would have thought back in 1990 that someone in China or Russia or anywhere would be able to steal health information in a hospital in Anytown USA and even hold it for ransom.

Well, that is how breaches have evolved and that is what we are dealing with now. And what does the future hold? With all of the new endeavors in health care, more and more PHI is being exchanged and that creates more and more vulnerabilities. The odds are high for ongoing breaches.

So does that mean that the internal workforce is no longer the biggest risk for a breach? The answer is NO. Why? Because it is the workforce that can still click on a link accidentally and download malware that opens the door to a hacker from anywhere in the world.

So back to the drawing board… more workforce training and more sanctions for violations. The evolution of the breach has brought us to the same conclusion. The workforce is still a major risk for a breach of PHI.

Question– “Is the Future of Information Privacy and Security brighter than it used to be?” (yes we took advantage of a Yogi-ism).

Answer – The ongoing evolution of technology, vulnerabilities, controls, and breaches will tell.

Gerry Blass is the President & CEO of ComplyAssistant. Gerry has over 35 years of experience in healthcare IT and compliance. ComplyAssistant provides healthcare cybersecurity services and healthcare compliance software, also called ComplyAssistant. The software is a compliance management cloud portal that provides guidance, organization and collaboration alerts and notifications for more effective management and documentation of healthcare compliance activities.

Breaches, HIPAA-HITECH, HITECH, OMNIBUS, Ransomware, Workforce risk