The fact that people are the weakest link in compliance is a truism in the privacy and security world. But just how weak is this link, and how likely is it that workers would violate HIPAA? Pretty likely, it turns out, even if they (mistakenly) think they’ll probably get caught.
A new study found only 14% of more than 500 people surveyed wouldn’t improperly acquire or share patient information for money under five hypothetical scenarios.[1] “Our results suggest that there is a high probability that compromises can occur when employees are presented with monetary incentives, given the right context. These results have serious implications because many security breaches are from insiders,” wrote G. Lawrence Sanders, a professor in the School of Management at the State University of New York (SUNY) at Buffalo, and his co-authors.
In an interview with RPP, Sanders warned that the pandemic has escalated financial pressure on many workers, perhaps heightening their risk of falling prey to a hacker or unethical media outlet, and he stressed that a combination of strategies is essential to thwart HIPAA violators and help ensure patient privacy and security.
A “combination of enforcement, education and technology” is needed, Sanders said, to overcome what he and his co-authors called the “unexpected … magnitude of the number of individuals who would receive monetary incentives” to violate HIPAA.[2]
Sanders was joined on the paper by Joana Gaia, also with SUNY Buffalo, Xunyi Wang of Baylor University, and Chul Woo Yoo of Florida Atlantic University. Their research explored in-depth the concept that people will commit a crime if they perceive the “cost” of the crime to be less than any expected benefit, Sanders explained, and figuring out the cost is based on the probability of being caught and what the consequences might be.
Sanders and his team asked the survey respondents to consider whether they would violate HIPAA were they a nurse’s aide, a doctor or an insurance employee. Additionally, they were asked if they would accept payment from a media firm to use for a mother’s treatment or for medical transportation needed by a seriously ill friend.[3]
Before undertaking this research, a pilot study was launched involving 64 medical residents and 32 candidates in a masters of business program, “some of whom work in the health care industry as executives.” The authors decided not to pursue a fuller study of this group because only 6% (three in each group) “succumbed to incentives and violated the HIPAA laws.”
The study, supported by funding from the National Science Foundation, is based on the responses of 523 students with an average age of 21—described as the “next generation of employees”—enrolled in an undergraduate information technology class. Sixty-percent were males, 40% females. In terms of racial makeup, 45% were white, 45% Asian, 4% Black, 4% Hispanic and 3% other. Surveys were conducted in May 2018.
Their overall responses were as follows:
-
“In the nursing scenario, 45.9% (240/523) of the participants indicated that there is a price, ranging from US $1,000 to over US $10 million, that is acceptable for violating HIPAA laws.
-
“In the doctors’ scenario, 35.4% (185/523) of the participants indicated that there is a price, ranging from US $1,000 to over US $10 million, for violating HIPAA laws.
-
“In the insurance agent scenario, 45.1% (236/523) of the participants indicated that there is a price, ranging from US $1,000 to over US $10 million, for violating HIPAA laws.”
As the authors noted, “When a personal context is involved, the percentages substantially increase.”
-
“In the scenario where an experimental treatment for the subject’s mother is needed, which is not covered by insurance, 78.4% (410/523) of the participants would accept US $100,000 from a media outlet for the medical records of a politician.
-
“In the scenario where US $50,000 is needed to obtain medical records about a famous reality star to help a friend in need of emergency medical transportation, 64.6% (338/523) of the participants would accept the money.”
Few Cases of Individual Prosecutions
Interestingly, survey respondents overestimated the risk of getting caught violating HIPAA under these scenarios.
“Many of the subjects felt that the probability of getting caught for violating a HIPAA law was very high, greater than 93%. In the nursing scenario, 30% (157/523) of the participants thought the probability of getting caught was greater than 93%, and in the doctor scenario, 50% (261/523) of the participants thought the probability of getting caught was greater than 93%. In the insurance scenario, 39% (204/523) of the participants thought the probability of getting caught was greater than 93%. In the mother scenario, it was 37% (194/523), and in the best friend scenario, it was 38% (199/523),” the authors wrote.
Despite this, “many of them could still be incentivized to violate HIPAA laws.” Sanders and his colleagues reported that they “did postulate that there would be some individuals who could be incentivized to violate HIPAA laws, but we thought it would be a small number.”
Sanders and his team also wanted to measure whether respondents, when informed of several true cases of jail terms and fines that individuals actually experienced after violating HIPAA, would be less inclined to commit wrongdoing. They found no statistically significant impact on their behavior. Part of the problem, Sanders told RPP, is that they could find few cases when they researched enforcement efforts by the Department of Justice.
Given this, compliance officials need to be armed with technology to thwart and catch those violators who’ve made the calculated decision to become wrongdoers, Sanders told RPP. Furthermore, the situation probably won’t improve until there is more enforcement by the Office for Civil Rights and by the Department of Justice, he said.
The government rarely pursues individuals for violations, and for firms or institutions that do face fines or settlements, their fines or payments may seem like little more than a business expense. As Sanders noted, “institutions have a lot of money to hire lawyers.”
Get to Know Workers
RPP asked Sanders if he thought the findings would hold true for older workers and not just what the study calls the next generation of employees.
“It’s hard to say with [20-somethings] how similar they are to people in their 40s. That’s a little tricky, but I suspect people in their 40s might be a little more cautious” about violating HIPAA, said Sanders. However, he also said the survey respondents might have under-reported their susceptibility to accepting a payment.
Sanders told RPP he is continuing to conduct research in this area and is studying the psychological profile and motivations of hackers, including criminals as well as so-called “white hat” hackers who help companies with compliance by probing their vulnerabilities.
The survey measured responses in what would now be considered ordinary, pre-COVID-19 times. Now the pandemic has added another problem to compliance officers’ challenges.
“There’s a lot of people who are under severe economic stress right now,” Sanders said, and researchers are “actually finding increase in some of this dark web activity right now because people are home and they are hacking as a service.” This makes appropriate training and vigilance by compliance officials all the more important and timely, he added.