HealthcareITNews.com reports that Affinity Health Plan, a New York-based managed care provider, faces a Health and Human Services (HHS) fine of more than $1.2 million connected to a breach of patient information that happened in 2010. Here’s a look at what happened in the Affinity case and how IT professionals and freelancers working with healthcare industry clients can avoid liability for similar violations.
HIPAA, HITECH, and Contractors’ Responsibility
First, some definitions:
- HIPAA: The Health Insurance Portability and Accountability Act of 1996 includes specific privacy rules that healthcare providers and their contractors are required to follow. Essentially, these rules state that anyone with access to protected health information must take explicit measures to prevent improper access of that information (aka data breaches). Entities that violate HIPAA’s privacy rules (e.g., by enabling a hack or data breach) are subject to fines and possibly other penalties.
- HITECH: The Health Information Technology for Economic and Clinical Health Act is part of an initiative to make health records more readily available to American consumers. It requires HIPAA-covered entities (healthcare providers and their contractors) to report data breaches as they occur and updates storage standards for protected information. It also requires healthcare providers to implement electronic patient data records by 2015.
For healthcare providers and the IT professionals who work with them, HIPAA and HITECH combine to heighten data security standards and the fines associated with failing to meet those standards.
The wording of these laws is such that IT professionals who work even on a contract basis for HIPAA-covered entities must also comply to the standards outlined by HIPAA and HITECH and are subject to those acts’ fines and penalties. (Read more about the importance of verifying contractors' insurance in the article "Check Independent Contractors' Insurance Credentials.")
IT Contractor Liability Exposure through HIPAA and HITECH
In the case of Affinity, the data breach happened like this: a photocopier once leased by Affinity was bought by a CBS news station. The CBS team found that more than 344,000 patient records remained on the photocopier and were accessible – a violation of data protection standards outlined by HIPAA.
When the story broke in 2010, Affinity notified the necessary parties about the data breach, but the case has just now wound its way through the courts. The result is the $1.2 million fine Affinity now owes HHS.
So how are IT contractors involved? If Affinity worked with an IT contractor who could be held responsible for the failure to delete patient information (including, for example, an IT training professional, an IT project manager, or another IT consultant who oversaw the use of the photocopier or transfer of data), it could sue that contractor for professional negligence. (Read about two tech companies that shut down rather than share customer information.)
And because HIPAA case law is still relatively new and courts are still determining how to interpret and penalize HIPAA violations, it’s hard to predict a likely outcome of such a lawsuit.
IT contractors, consultants, and owners of small technology companies that serve healthcare clients can protect themselves from the potential costs of a HIPAA or HITECH lawsuit by investing in Errors & Omissions Insurance, which covers the costs of lawsuits alleging professional negligence. In some cases, third-party Cyber Liability Insurance may also make sense, as it can cover the costs associated with a data breach for a tech firm’s clients.
Writtten by Brenna Lemieux - check her out at Google+ or Twitter
