Protecting Your Anesthesia Practice from a Patient Privacy Breach


February 20, 2012


The interim final HITECH breach notification regulations went into effect in September 2009, requiring medical practices and other HIPAA-covered entities to report breaches of unsecured protected health information to patients, to HHS and in some cases to the media.  HHS is running a pilot spot-testing program through the end of 2012 in which it will target some 150 organizations for security compliance audits.  Changes to some of the breach notification requirements are likely when HHS publishes the final regulations, which it is expected to do by the end of March.


Have you heard about the federal privacy and security compliance audit pilot program?  The Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the 2009 stimulus package, requires the Department of Health and Human Services (HHS) to conduct periodic audits to ensure that covered entities and business associates are complying with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules and Breach Notification standards.  To implement this mandate, the HHS Office for Civil Rights (OCR) is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance.  The pilot phase began in November 2011 and will conclude by December 2012.

The HITECH Act enhances HIPAA’s privacy and security provisions by requiring “covered entities” such as physicians and their business associates to provide for notification in the case of breaches of unsecured protected health information (PHI).  The breach notification provisions are currently implemented under “interim final regulations” adopted in August 2009.  A final version of the regulations is expected as soon as next month.  Meanwhile, the interim version is in force and it is incumbent upon anesthesiologists as well as other providers to comply with its requirements.  To help explain these requirements and to make the acronyms used less opaque, we begin with a timeline:

•   1996 HIPAA is enacted
•   2003 Deadline for compliance with Privacy Rule
•   2005 Deadline for compliance with Security Rule
•   2009 (February 17) HITECH Act is enacted as part of American Recovery and Reinvestment Act (ARRA)
•   2009 (April 27) OCR issues Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, etc. and RFI
•   2009 (August 24) OCR issues interim final HITECH breach notification regulations
•   2012 Spot-testing for compliance through pilot audit program, begun in November 2011, continues through December 2012
•   2012 (March?) OCR scheduled to issue final HITECH breach notification regulations.


How big is the problem?  Under the HITECH Act, covered entities must report to HHS any privacy or security breach affecting 500 or more individuals (and summarize breaches affecting smaller numbers of individuals on an annual basis).  OCR must post breaches involving the PHI of 500-plus persons on its website.  As of November 4, 2011, OCR was reporting a total of 364 breaches affecting 18,190,451 individuals that had occurred since the September 2009 effective date of the interim Breach Notification Rule.  The breaches have taken place at such well-known institutions as Tricare, Massachusetts Eye & Ear Infirmary, TennCare, Georgetown University Hospital and UCLA, as well as within private medical practices.  OCR also has acknowledged that from the inception of public disclosure in September 2009 through mid-May 2011, there were 31,000 breaches affecting fewer than 500 individuals per breach, which only have to be reported to HHS annually.

Three-fourths of the breaches reported to OCR involved electronic devices and media; one in four involved hard copy media such as paper records and x-ray films.  Of the electronic breaches, approximately three out of five involved mobile or portable devices or media, representing more than 92 percent of reported theft or loss in electronic breaches.  Breaches result from unintentional losses, for example when a laptop containing patient information is forgotten on a subway, from human error, and from intentional unauthorized access to or disclosure of PHI as well as from theft of data and/or hardware.  About 20 percent are attributable to business associates of the covered entity.

It is not surprising that patients are worried about privacy violations.  Medical identity theft, the fastest growing form of identity theft, can cause inconvenience, a lowered credit rating and improper use of insurance benefits.  The National Partnership for Women & Families has published a 76-page report, “Making IT Meaningful: How Consumers Value and Trust Health IT,” in which six out of 10 patients surveyed (59%) whose physicians used an EHR and two in three (66%) of those whose physicians used paper records said it was likely that “widespread adoption of EHR systems will lead to more personal information being lost or stolen.”  In addition, more than half of all respondents said the privacy of personal medical records and health information is not currently well protected by federal and state laws and organizational practices.  More than 90 percent of patients trusted their doctor to maintain confidentiality, however, so, as the report concluded: “this unease may point to inexperience with the capabilities of electronic systems and dissatisfaction with the legal and policy framework in place to protect health information.”

Major Provisions of the Interim Breach Notification Rule

We summarize here the “legal framework” to protect PHI established by the interim final regulations because anesthesia practices should be in compliance already and because the principles underlying the anticipated final rule are likely to remain fundamentally unchanged.

Definition of breach.  The HITECH Act defines a breach as an unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises the security or privacy of such information.  Unsecured PHI is any patient health information that is not secured through a technology or methodology specified by HHS (in the Guidance listed in the timeline above) that renders the PHI unusable, unreadable or indecipherable to unauthorized individuals, e.g., encryption.  Paper copies of PHI must be shredded or destroyed; electronic copies must be cleared, purged or destroyed so that the PHI cannot be retrieved.

Notification.  The HITECH Act requires HIPAA-covered entities, including physicians, to provide notification to affected individuals, to the Secretary of HHS and in some cases to the media within 60 days of discovering a breach of unsecured PHI.  The interim regulations soften this requirement by leaving it to the covered entity to determine whether the potential harm is sufficient to warrant notification.  (There is no obligation to notify anyone of the loss of properly encrypted or destroyed information.)

The notification must be made by first-class mail or by e-mail if the affected individuals have authorized communications by e-mail.  It must contain:

  • a brief description of what happened;
  • when the breach occurred or started;
  • when the breach was discovered;
  • the type of information compromised (patient names, Social Security numbers, birth dates);
  • steps individuals should take to protect themselves; and
  • actions that the facility is taking to help those affected by the breach.

If ten or more individuals are adversely affected, a notification must be posted on the main page of the facility's website or in a major print or broadcast media outlet. The notification must include a toll-free phone number that patients may call to find out whether their protected health information was compromised. If 500 or more persons are affected, the practice or other covered entity must notify HHS, and if the 500-plus individuals who are affected are residents of a particular state or region, the breach must be announced to prominent media outlets.

If a Business Associate discovers the breach, that BA must notify the covered entity “without unreasonable delay and in no case later than 60 calendar days after the discovery of the breach.”  Prior to the HITECH Act, the BA had no statutory reporting obligations. The BA agreement should define the time frame, content and method of this HITECH breach notification.

Penalties.  The HIPAA Privacy and Security rules require covered entities to protect patient privacy.  The interim Breach Notification regulations put teeth in the law in the form of tough enforcement penalties ranging from a $100 fine for a single unintentional violation to as much as $50,000 for failure to correct violations. (A separate regulation increased the potential penalty for willful HIPAA violations to a maximum $1.5 million.)

State and federal attorneys general could bring action on behalf of patients whose PHI is released.  In 2010, a former employee at a major Los Angeles hospital was sentenced to four months in prison for accessing medical records of his supervisors, colleagues and celebrity patients a total of 323 times.

Breach mitigation.  The interim final regulations require covered entities to have a plan in place to reduce the risk of breach and to correct the problem should one occur.  Following are the elements of a breach prevention/mitigation plan:

  1. Perform a risk assessment.  Is electronic information properly encrypted?  Are equipment and records maintained in secure areas?
  2. Prepare, document, and retain policies and procedures for safeguarding protected health information based on the risk assessment outcomes.
  3. Train all clinical staff and administrative staff whose work involves handling PHI on HIPAA and HITECH Act privacy, security, and breach notification requirements.
    • It is also critical to be familiar with state law on protecting personal health information and notifying victims of disclosures.  More than 40 states have such laws.  If state law has shorter time frames or is otherwise more rigorous than the federal regulations, it preempts the HITECH rules.
  4. Establish the responsibility of key players for handling every potential type of breach.

The damage that an unauthorized disclosure of confidential patient information could cause goes well beyond potential HITECH Act enforcement, of course.  The anesthesiology practice’s ethical obligations to its patients and its reputation may be implicated.  Professionalism as well as the potential economic risk to the practice makes it prudent to adopt and follow a breach prevention plan. In March 2011, the Ponemon Institute, a privacy and information management research firm, announced results of the sixth annual “U.S. Cost of a Data Breach Study.” According to this study, breach incidents cost U.S. companies $214 per compromised customer record based on 2010 survey data.  Multiply $214 by 100 or 1000 patients, and the expense of prevention seems reasonable.

ABC is mindful of its obligations to maintain excellent data security and to protect the confidentiality of the patient data entrusted to us.  As the Business Associate of our client practices, ABC will provide the requisite notification of any breach of which we are aware, but we certainly hope that such notification will never become necessary. 

We will be on the lookout for the final Breach Notification regulations and will update our readers at the first opportunity.

With best wishes,

Tony Mira
President and CEO