Anesthesia Industry eAlerts
Sent to subscribers every Monday morning, our eAlerts deliver timely updates on regulatory, legislative and practice management developments of interest to anesthesia professionals.
HIPAA Privacy Rule Update for Anesthesiologists
September 12, 2011
Medical practices and other entities covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are required to provide notification following a breach of unsecured protected health information (PHI). This was the import of the Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Interim Final Rule became effective on September 23, 2009. During the 60-day public comment period on the Interim Final Rule, the Department of Health and Human Services (HHS) received approximately 120 comments. Although it developed a final rule and submitted it to the Office of Management and Budget (OMB) for mandatory review on May 14, 2010, HHS withdrew the rule from OMB review on July 29, 2010:
. . . to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months. Until such time as a new final rule is issued, the Interim Final Rule that became effective on September 23, 2009, remains in effect.
The September 23, 2009 Interim Final Rule on Breach Notification
It is this regulation that continues to govern providers and their business associates (BAs). We are still waiting for the appearance of a revised final rule under the HITECH Act. It is thus important to remind ourselves of the interim rule's requirements. The Interim Final Rule appears to be one of the less onerous regulations to come out of HHS (the worst-case civil monetary penalty notwithstanding). Notification is required only for breaches of "unsecured" PHI; under the HHS guidance that accompanies the rule, PHI that has been encrypted in accordance with the referenced NIST standards is treated as secured, so the loss of a properly encrypted device does not by itself trigger the notification duty. An anesthesiology group that cannot prevent members or employees from keeping PHI on their laptops – a common source of security breaches – can at least arrange for encryption. The rule only treats a disclosure of PHI as a "breach," necessitating notification, if it creates a significant risk of financial, reputational or other harm to an individual. This "harm threshold" and the subjective nature of the determination of harm were at the center of the controversy over the Interim Final Rule. Privacy advocates contended that the foxes were guarding the henhouse, since the covered entity that caused the incident is the one deciding whether it rises to the level of harm. The upshot, as we know, was the withdrawal of HHS' final rule, and the survival, at least for now, of the harm threshold.
Breaches Reported to or Uncovered by HHS
Despite the subjectivity of determining that a disclosure has caused harm and thus warrants notification, HHS received 45 reports of such breaches occurring during the approximately three-month reporting period in calendar year 2009 (September 23, 2009, to December 31, 2009) and 207 reports in calendar year 2010, the first full calendar year of reporting, according to the HHS Office for Civil Rights' (OCR) Annual Report to Congress on Breaches of Unsecured Protected Health Information For Calendar Years 2009 and 2010. In order of the number of incidents reported, the five most common causes of breaches were:
- theft (the majority of incidents took place in the provider’s or BA’s facilities);
- intentional unauthorized access to, use, or disclosure of protected health information;
- human error;
- loss of electronic media or paper records containing protected health information, and
- improper disposal.
The four discrete incidents of theft that reportedly affected the largest numbers of individuals involved the theft of network equipment (998,422 individuals affected), laptops stolen from a covered entity’s facility (359,000 individuals affected), a desktop computer stolen from an office shared by several covered providers (18,377 individuals affected), and the theft of a portable electronic device from an offsite location (15,500 individuals affected). Some of the other data breaches summarized in the OCR Report are instructive:
In one case, a “phishing” scam led a covered entity’s employee to share login information for an email inbox, potentially exposing the protected health information of 610 individuals. Another covered entity reported discovering that two employees, who had access to the protected health information of 1,076 individuals, had misused patient credit card information.
. . .
One covered entity reported that it had discovered that hard drives in more than twenty photocopiers it had previously leased, which had since been sold by a wholesaler, might contain the confidential information of up to 344,579 individuals. Other incidents involved: (1) one business associate that printed and mailed letters to 83,000 individuals whose insurance plan identification numbers were printed conspicuously on the outside of the mailing; (2) two covered entities’ misdirected mailings to more than 18,000 individuals; and (3) one covered entity’s uploading the records of 9,000 individuals to an unsecured website.
. . .
In one case, a covered entity contracted with a business associate to destroy back-up tapes containing protected health information that was no longer compatible with the hospital's computer system. The business associate hired a third party to destroy the material but later informed the covered entity that several of the tapes were unaccounted for at the time of destruction and as a result, approximately 800,000 individuals were affected. Another case involved the loss of unencrypted back-up tapes containing the protected health information of more than 19,000 individuals. A separate study, this one conducted by the Office of the Inspector General (OIG) and published in May 2011, revealed that an audit had uncovered 151 vulnerabilities in health information technology systems at seven hospitals between October 2008 and March 2010. These weaknesses left patient information exposed to anyone who gained unauthorized access to the hospitals' internal networks. Charles Fiegl, reporting on the audit in the May 26, 2011 issue of American Medical News, wrote that:
The majority of vulnerabilities were technical problems related to wireless communications and other computer security issues. For instance, four hospitals used wired equivalent privacy encryption to secure data at access points. This encryption method uses a flawed algorithm that could allow a computer hacker to break into the wireless system, the report states. Three hospitals did not include firewalls to protect wireless and land networks from data breaches. An unauthorized user could have gained unlimited access to a hospital's entire network, the OIG said. Other problems included a lack of password protection for computers on portable carts and a failure to track computer equipment that might contain patient information.
The ways in which data – encrypted or unencrypted – can be diverted are almost limitless. It should not be too hard for any anesthesia practice to imagine the moments of inattention or even bad luck that could result in the exposure of hundreds of PHI records, especially when the data are shared with and stored on hospital systems. Although the Interim Final Rule does not carry the threat of major sanctions, there are other laws, state and federal, that make it a good idea to exercise caution in this area. In 2003, California became the first state to enact a law requiring companies to notify individuals if their personal data had been compromised, a law which it expanded in 2008 to include unencrypted electronic health records and health insurance information. The majority of states have enacted similar laws since then. In addition to the yet-to-be-finalized Rule for Breach Notification for Unsecured Protected Health Information, a regulation on accounting for disclosures under the HIPAA Privacy Rule is in the works.
Proposed Changes to HIPAA Privacy Rule
The HITECH Act also called upon HHS to strengthen the HIPAA provisions concerning the mandatory accounting of disclosures. The proposed rule would give individuals the right to receive a report on who has electronically accessed their protected health information. Although covered entities are already required by the HIPAA Security Rule to log access to electronic protected health information, they are not currently required to share that information with the individuals concerned. Affected individuals would obtain this information by requesting an access report, which would document the particular persons who electronically accessed and viewed their protected health information. The proposed rule also requires an accounting of more detailed information for certain disclosures that are most likely to affect a person's rights or interests. The comment period on the proposed rule closed on August 1, 2011. A final rule is expected later this year. We will of course continue to update you in future Alerts so that you may prepare to comply with yet another set of requirements. As always, we will provide direct assistance to our clients in avoiding preventable disclosures or other violations – however inadvertent – of the law.
With best wishes,
Tony Mira
President and CEO