September 10, 2012

Many “Covered Entities” within the meaning of the privacy and security provisions of the Health Insurance and Portability Act of 1996 (HIPAA) are managing more and more of their patient information electronically.  Indeed, not moving to electronic health records (EHRs) may cost physicians a percentage of their Medicare remittances—or at least the loss of a potential bonus of up to $44,000—under the EHR Incentive Program, as discussed in our last several Alerts.

Collecting, analyzing, reporting and storing electronic patient information present perhaps even greater HIPAA challenges than does the use of paper records, however.  Data entered on a computer can be copied more easily, more cheaply, more prolifically and even passively.  Once unsecured data are moved from the computer on which they are created to other media, manually or wirelessly, controlling the information becomes nearly impossible.  

The key word in the preceding sentence is “unsecured.”  The recently finalized HIPAA regulations on Breach Notification impose responsibilities for securing “protected health information” (PHI) and consequences for privacy breaches where PHI has not been secured.   Penalties for HIPAA violations have been increased, making it all the more important for CEs to follow procedures to maintain the confidentiality of PHI.

If we needed a reminder that electronic PHI is just as much subject to the HIPAA rules as paper patient records, and that it can be very difficult to police online PHI activity, a case settled last spring should put everyone on notice.  An investigation of a six-physician practice, Phoenix Cardiac Surgery, by the Department of Health and Human Services Office of Civil Rights (OCR) concluded with an agreement under which the doctors agreed to pay $100,000 and to take corrective actions to implement policies and procedures to safeguard the protected health information of its patients.

The incident giving rise to OCR’s investigation was a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.  On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).  According to the HHS press release, Phoenix Cardiac Surgery’s HIPAA violations consisted of the following:

• The group failed to implement adequate policies and procedures to appropriately safeguard patient information.  In particular,
  • Over nearly two years,  employees of the practice posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar; and
  • For more than four years, the practice daily transmitted ePHI from an Internet-based email account to workforce members’ personal Internet-based email accounts.
• In addition, Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• It failed to identify a security official and conduct a risk analysis; and
• It failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic PHI.

The lessons to be learned from the Phoenix Cardiac Surgery case were summarized pragmatically on Manage My Practice, a website offering “Information and Resources for the Medical Practice Manager,” on April 18, 2012:

1. You won’t escape the notice of the HHS just because you are a small practice. Every practice, hospital, facility, healthcare entity and anyone that has access to Protected Health Information (PHI) must be compliant with the HIPAA Privacy and Security Rules.
2. Patients are paying attention and want their information protected! Patients will not hesitate to report a practice if they feel their privacy is being breached. Let your patients know that you take their privacy seriously and what you are doing in your entity to protect their privacy.
3. Physicians are not exempt from responsibility. Most physicians do not want to use the hospital or practice network email—they want to use their personal Gmail, Yahoo, Hotmail or AOL account for office business. This is a bad habit. Emails to and from the physicians announcing meetings and reminding them of tasks are fine, but it is easy to forget and use personal email to hand off patients, discuss appointments and ask for refill approvals. Non-secured email services are NOT the right way to send any patient information.
4. Understand your technology. This is why the risk assessment is so important—you must identify any process or technology you are currently using that has the potential for PHI to be accessed inappropriately. Understand and mitigate your risk!

Information technology has become indispensable to the management of patient care and of medical practice administration.  It has also created new ways in which the confidentiality of patient information can be compromised.  We pride ourselves on being compulsive about HIPAA privacy and security requirements.  In that spirit, we will continue to bring you information on compliance, enforcement and related matters in future Alerts.

With best wishes,

Tony Mira
President and CEO