Breach Response

Breach Penalties: Comparing U.S., U.K. Analyzing the Two Nation's Healthcare Strategies

The United Kingdom and the United States are both cracking down on healthcare organizations that have experienced information breaches. But they're taking very different approaches.

See Also: Tackling Cloud Infrastructure Security: Merits of the New Model

In the U.K., the emphasis is on publicizing frequent financial penalties, often for relatively small breach incidents. In the U.S., the focus has been on announcing less frequent "resolution agreements" that spell out a corrective action plan for preventing future breaches and include sizable financial settlements as well(see: A Close Look at U.S., U.K. Penalties).

So far this year, the United Kingdom has issued 11 fines totaling £1.4 million (or about $ 2.2 million U.S. dollars) related to healthcare breaches, including social services cases that involved breaches of mental health information. These cited violations of the U.K. Data Protection Act.

By comparison, U.S. authorities have announced three resolution agreements so far this year that included a total of $3.3 million worth of settlements - as well as corrective action plans, according to the Office for Civil Rights, a unit of the U.S. Department of Health and Human Services. These cited violations of HIPAA.

Since 2008, the office has announced nine resolution agreements with a total of $8.8 million in penalties. But OCR officials have indicated they plan to continue to ramp up HIPAA enforcement efforts and announce resolution agreements as they complete lengthy breach investigations.

The jury is out on which nation's approach will be more successful in reducing the number of breaches over the long haul.

U.K. Strategy

With the U.K. issuing sizeable financial penalties against healthcare providers for relatively small infractions, the Brits are showing vigor in enforcement, says Deborah Peel, M.D., founder of Patient Privacy Rights, an advocacy group.

"It looks like the U.K. is taking smaller breaches more seriously," Peel says. "You haven't seen anything like that in the U.S."

And Peel contends that the financial penalties issued as part of resolution agreements in the U.S. don't reflect the magnitude of the breaches.

For instance, a settlement with Blue Cross Blue Shield Tennessee earlier this year related to the theft of 57 unencrypted disk drives containing data on 1 million patients resulted in $1.5 million penalty. "That's only $1.50 per patient," Peel notes. "That's not commensurate with the scale of the breach and the revenue of the company."

Financial penalties should sting more based on the size of the offender and number of patients affected, she contends.

"Covered entities learn from the travails of others.....[such as ] 'if I had only encrypted the laptop,'" McAndrew says. Potential penalties for privacy violations tied to breaches "get the attention of CEOs and CIOs so that they are more willing to put resources into prevention," she says.

Cultural Differences

The different approaches in the U.K. and U.S. may be rooted in the nation's cultures.

"The EU and U.K. have deeper roots than this country in terms of privacy and security legislation," says Kate Borten, president of information security consulting firm The Marblehead Group.

"In the U.K. there are still issues all the time with breaches, snoops, lost laptops - many of the same things that are happening here in the U.S." she says. But she points out that the U.K. has a watchdog agency, the Information Commissioner Office, "with a strong voice that is lacking in the U.S."

The U.K.'s healthcare system is government-run - and the government keeps a close eye on the participants, she adds.

Plus, the U.K.'s Information Commissioner Office loses patience quickly for repeat offenders and is quicker to slap data breach offenders with fines.

In the U.K., the ICO has the capability under the nation's Data Protection Act to issue information breach fines up to half a million pounds, says Simon Rice, the ICO's principal policy adviser for technology. However, "meeting that criterion is actually quite strict," he says.

"One of the criteria is the organization knew or ought to have known about the sort of threat and the risk," but instead chose not to take steps to protect sensitive information, he says.

And because the U.K.'s health systems is government-run and one of the country's largest employers, "obviously they're going to be at the top of the list, purely because of their size and the fact that they do report everything," he says.

U.S. Strategy

In the U.S., on the other hand, officials can take two years or more to complete a breach investigation and negotiate a resolution agreement that may include a substantial financial settlement.

For example, U.S. officials just announced in June a settlement tied to an investigation triggered by an October 2009 breach involving the Alaska Department of Health and Social Services.

But some observers point out that the U.S. is ramping up enforcement of the HIPAA privacy and security rules and imposing harsher penalties.

"There's more commitment to enforcing the law to a degree not seen before," says Deven McGraw, director of the health privacy project at the Center for Democracy and Technology. "You don't see these large cases on a weekly basis, but the tide is turning," she says. HHS "erred too long with slaps on the wrist, and that's changing," as the Alaska case shows, she says.

Increasing Penalties

The HITECH Act in 2009 upped the ante for possible fines for violations of the HIPAA privacy and security rules, with penalties that can reach an annual maximum of $1.5 million for each "willful neglect" violation that isn't corrected.

And U.S. regulators' intolerance for repeat offenders appears to be rising. The Alaska Department of Health and Human Services was hit with a $1.7 million penalty, in part, because the agency asserted to federal officials that it had conducted HIPAA-related activities that hadn't actually been completed, says security consultant Rebecca Herold of Rebecca Herold & Associates. That case hints of "willful neglect," she says.

While HIPAA has been on the books for years, enforcement efforts are only now getting some teeth, McGraw says.

With passage of the HITECH Act and its changes to HIPAA fines, "Congress upped the policy�when you find willful neglect, you must pursue investigations," McGraw says.

Others predict that the number of U.S. cases with resolution agreements - or civil fines - will soon grow.

Adam Greene, a partner at the law firm Davis, Wright Tremaine who formerly worked at OCR, expects many more breach investigations will be wrapped up in the coming months, resulting in high-profile settlements. The larger monetary settlements in recent cases, combined with pending final versions of HIPAA modifications "lay the groundwork for a new enforcement posture," Greene predicts.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network