Do no harm: HIPAA's role in preventing ID theft

With the deadline for ensuring privacy under the Health Insurance Portability and Accountability Act (HIPAA) recently passed, most health care providers and plan companies are preparing to implement the final rule for security. While many of these organizations are focused on the lack of budgetary and staff resources necessary to fulfill another unfunded federal mandate, most have lost sight of why this level of protection is necessary.

As organizations (known in the legal jargon as "covered entities") begin their risk assessments and risk management planning, it's important to remember one of the key principles of the regulations, and that is patient protection. The standard clearly states that the organization must ensure the confidentiality, integrity and availability of protected health information (PHI) and safeguard it from threats, hazards and unauthorized disclosure, but the act neglects to underscore why it's important to do so.

PHI is composed of the patient's most personal information, which includes most health records and data files that typically include name, address, Social Security number and a combination of the following:

  • Insurance information

  • Payment information

  • Past and present medical conditions

  • Past and present treatments

  • A variety of other individually identifiable health or personal information

Although not expressly stated in the privacy or security rules, HIPAA establishes that PHI is primarily the patient's personal property and not a corporate asset of the regulated organizations. Corporations are therefore required by law to take precautions to protect the privacy of patient information whenever it's used, from back-office transactions to personal patient interactions.

Where's the harm?

Previously, industry experts have focused on harm at the individual level -- in other words, the PHI of a single patient being compromised and made public to the specific detriment of that person.

For example, in 1998, an Atlanta truck driver lost his job after his employer learned from his insurance company that he had sought treatment for a drinking problem. In another example, an employee was automatically enrolled in a mandatory depression program by her employer, Motorola Inc., after her prescription drugs management company reported that she was taking antidepressants. These cases tend to generate sympathy from the general public, but it's frequently an uphill battle for a victim of such exposure to prove substantial harm in the courts and trace the source of that exposure directly back to the health care organization.

Harm to the individual can range from simple embarrassment to financial hardship. The primary source of harm to the individual actually exists at the aggregate level, in databases that contain the files of hundreds or thousands of patients. These databases are commonly held by hospitals, midsize and large health plans, billing organizations, data warehouses, records storage facilities and even some application service providers.

Although some industry experts tend to disagree, these covered entities are appealing targets for identity theft, the fastest-growing crime in the U.S. today. While not as obvious or attractive a target as financial services or e-commerce companies, these covered entities represent a significant opportunity for enterprising thieves, by virtue of the data that they process and store.

For example, if a large biller's database were hacked and the PHI stolen, criminals could have access to insurance information, credit card information and the Rosetta stone for identity thieves: Social Security numbers. If such a case were to come to court, a plaintiff's attorney could easily prove to a judge and jury that substantial harm was inflicted upon the individuals whose identities were stolen, and the organization's security controls at the time of the breach would certainly be called into question.

Others find covered entities equally attractive, but for different reasons. Unlike identity thieves, whose motive is financial gain, some hackers see the HIPAA privacy and security standards themselves as a challenge, and that alone makes the health care industry a target. These are the "altruistic" independent hackers and hacker groups, such as Deceptive Duo, S4t4n1c_S0uls and The Bugz, who feel it's their sacred duty to exploit and publicly expose weaknesses in the infrastructure of various industries, or deficiencies in federal security mandates.

This was precisely the nature of the hack at the University of Washington Medical Center in Seattle in December 2000. A hacker going by the name "Kane" allegedly gained access to the medical center's network through the affiliated university network and was able to steal 4,000 patient records containing PHI, including patients' dates of birth, Social Security numbers, height and weight and recent medical procedures. Kane turned these records over to online journalist Kevin Poulsen, because he wanted to perform a public service by exposing the security risks at the medical center. Kane denied intent to sell or otherwise misuse any of the data that he had captured.

In their zeal to "improve security" by exposing corporate weakness, these hackers disregard any damage that may be done to an individual whose personal information is made public. Once information is posted to a Web site, there is virtually no way to retrieve it; it then becomes open season on the patients and their data. Understanding the potential threat of attack may assist some covered entities in refining their risk assessments and risk management plans.

Implementation: some rules of thumb

When selecting controls for HIPAA security requirements, organizations need to understand that the most expensive controls aren't always the best for the job, and the most affordable control measures aren't always the weakest. Often, a series of layered security controls, working together synergistically, may provide maximum protection without breaking the organization's budget.

In securing the data center, for example, rather than implementing a single biometric control (retinal scan, palm-print reader, etc.), the organization may realize more benefit from implementing a key-card scheme that logs ingress and egress, supplemented with security cameras at the data center doors. These two less costly measures complement each other, and the organization isn't relying on a single point of failure as a security control.

In addition, whether selecting individual control measures, writing policies or reviewing standard operating procedures, the members of a company's HIPAA implementation team should step back and imagine that their own PHI resides within the environment. It's a simple exercise, but it often puts cost/benefit issues into perspective. Treating the PHI as if it were their own may also ease the temptation to cut corners for the sake of the IT budget and ensure that the organization selects control measures that will provide the most suitable protection to their systems, services and data.

Marne Gordan is director of regulatory affairs at TruSecure Corp. in Herndon, Va., and an expert on security regulatory and compliance issues, including HIPAA and the Gramm-Leach-Bliley Act. She can be reached at

Copyright © 2003 IDG Communications, Inc.