Mistakes Will Happen, But They Don’t Have to Be Disasters

Jason Pierre-Paul had it good. He was drafted by the New York Giants in the first round of the NFL draft and agreed to a 5-year, $20.5 million deal. He lived up to expectations and was a key player for the Giants until 2015. Pierre-Paul plays defensive end, which means he uses his hand to balance himself before every play starts. Not only that, but all players use their hands to tackle and shed blocks. That’s why, when a firework blew up in Pierre-Paul’s hand on July 4th, 2015, his career was put in serious jeopardy. Given the lack of football news during the summer, sports news companies jumped on the story. In the competition for information, one well-known reporter named Adam Schefter tweeted a picture of Pierre-Paul’s medical chart.

Everyone in the medical field just cringed at the thought of having a patient’s information tweeted out because of the clear HIPAA violation. Fortunately for ESPN, reporters aren’t regulated by HIPAA, but that doesn’t mean that there were no repercussions. This month Pierre-Paul and ESPN settled a lawsuit, and that was good news for them.

When it comes to HIPAA, it’s not a matter of if, but when you’ll make a mistake. Healthcare providers handle too many electronic health records (EHRs) to be perfect. Add hackers and human error to the mix and mistakes are inevitable. The good news is that you decide how big the ripples from mistakes made by you, your co-workers, or your employees will be.

ESPN got lucky, but not everyone is so fortunate. Take the recent Verity Health System breach as an example. The California healthcare provider operates six hospitals and employs 8,000 people, which leaves tons of room for error. Of course, an organization of that size runs several websites and relies on technology. But hackers didn’t have to sit back, observe Verity, and find a vulnerability, because Verity left one right out in the open. Verity stopped using one of its websites but never shut it down, leaving a doorway to its patients’ information out in the open. The results weren’t pretty: over 10,000 patients had their records exposed in a breach that took place in October 2015. Fortunately, Social Security numbers and full credit card numbers weren’t accessible, but that doesn’t mean Verity won’t be paying for its lapse. Full names, addresses, phone numbers, emails, dates of birth, and the last four digits of credit card numbers were accessed. Of course, Verity is paying a fortune for things like credit monitoring for affected patients, but it will also be losing money for years thanks to its damaged reputation.

As you might have guessed, all this could’ve been avoided or had a smaller impact. Obviously, if Verity had shut down its website there wouldn’t have been a hack, but it still could’ve lessened the number of patients affected by simply finding the site. The hack took place in 2015 and they just found it last month.

When it comes to healthcare and HIPAA, it’s only a matter of time until you or an employee makes a mistake like posting compromising information on social media or forgetting to shut down a site and leaving it up for years. Still sounds like it will never happen to you? In some cases, even something as simple as calling out a patient’s full name in a waiting room can be a HIPAA violation. People make mistakes, but that doesn’t mean they have to kill your business. If you know the ins and outs of cybersecurity and HIPAA, not only will you be able to avoid most of the mistakes people make, but you’ll also be able to spot the mistakes you do make before they turn into disasters.

This blog has been re-posted with permission from Craig Petronella