June 30, 2014
Keeping patient information confidential has become a major challenge since we all began storing so much of it in electronic form. Computers, tablets and smart phones containing unsecured electronic Protected Health Information (ePHI) go missing and are reported in the press on at least a weekly basis.
Keeping patient information confidential has become a major challenge since we all began storing so much of it in electronic form. Computers, tablets and smart phones containing unsecured electronic Protected Health Information (ePHI) go missing and are reported in the press on at least a weekly basis.
Last week a Long Island radiology practice informed 97,000 patients of a discovery that "an employee radiologist accessed and acquired protected health information from [the] billing system without authorization." (Newsday, June 24, 2014.) Other breaches in the past month include:
- A thumb drive with patient X-ray information was stolen from an employee’s locker during a burglary at a medical group office recently acquired by St. Joseph Health System in Santa Rosa, California, requiring notification of 34,000 patients.
- Health risk assessment results were mailed to the wrong patients, resulting in a potential compromise of the PHI of 3,675 patients covered by Highmark.
- A Penn State Milton S. Hershey Medical Center employee was found to be working on his home computer with the PHI of more than 1800 patients. Although the employee was authorized to access the PHI, his home computer was outside the secured Penn State Hershey system and thus the information could have been compromised.
The Secretary of HHS recently released the statutorily-required Annual Report to Congress on Breaches of Unsecured Protected Health Information covering Calendar Years 2011 and 2012. The report states that cumulatively, from the time that the Office of Civil Rights (OCR) began collecting reports of breaches pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, i.e., September 23, 2009, to December 31, 2012, OCR received 710 reports of major breaches involving at least 500 individuals that affected a total of approximately 22.5 million individuals. Tens of thousands of smaller breaches involving 499 or fewer individuals were also reported within the 39-month period.
The most common cause of a breach was theft. Other causes tracked by OCR were loss of the PHI, unauthorized access or disclosure, improper disposal, hacking, IT incidents and “other/unknown.” The majority of the compromised PHI was stored on laptops (27%), followed by paper (23%), network servers (13%), desktop computers (12%) and portable electronic devices (9%).
As of May 20, 2014, when the report was released, OCR had entered into agreements totaling more than $8 million in settlements.
Observers expect enforcement efforts to increase significantly. At a recent American Bar Association conference, Jerome B. Meites, a chief regional civil rights counsel at the Department of Health and Human Services told attendees he expects the past 12 months of enforcement to pale in comparison to the next 12 months. According to Mr. Meites, OCR wants to send a strong message to the industry through high-impact cases. Jason C. Gavejian, Esq., writing in the National Law Review on June 17 (Prepare For Increased HIPAA Fines - Health Insurance Portability and Accountability Act), also noted that Meites had said that OCR plans to begin conducting new rounds of HIPAA audits later this year on candidates previously identified, and that “Mr. Meites also made two extremely pertinent comments concerning HIPAA compliance. Specifically, he said that portable media devices have caused an enormous number of the complaints that the OCR deals with and that an entity’s failure to perform a comprehensive risk assessment, as required by HIPAA, has factored into most of the data breach cases which resulted in financial settlements.”
To protect themselves against avoidable breaches of patient privacy, anesthesiology and pain medicine practices might consider implementing the steps below, which were part of OCR’s $1.5 million settlement agreement with the Massachusetts Eye and Ear Infirmary following the theft of an unencrypted personal laptop containing the ePHI of patients and research subjects:
- Developing, retaining, and revising its HIPAA Privacy and Security policies and procedures as necessary;
- Conducting and documenting a risk analysis that complies with the HIPAA Security Rule;
- Developing a risk management plan, as required by the HIPAA Security Rule, to address the risks identified by the risk analysis;
- Identifying a security official who is responsible for the development and implementation of the policies and procedures and the HIPAA Security Rule, and
- Training workforce members on the requirements of the HIPAA Rules.
Also worth noting are the lessons learned from the numerous breaches reported to OCR, which OCR itself suggests point out “the areas to which covered entities should pay particular attention in their compliance efforts to help avoid some of the more common types of breaches:”
- Risk Analysis and Risk Management. Ensure the organization’s security risk analysis and risk management plan are thorough, having identified and addressed the potential risks and vulnerabilities to all ePHI in the environment, regardless of location or media. This includes, for example, ePHI on computer hard drives, digital copiers and other equipment with hard drives, USB drives, laptop computers, mobile phones, and other portable devices, and ePHI transmitted across networks.
- Security Evaluation. Conduct a security evaluation when there are operational changes, such as facility or office moves or renovations, that could affect the security of PHI, and ensure that appropriate physical and technical safeguards remain in place during the changes to protect the information when stored or when in transit from one location to another. In addition, conduct appropriate technical evaluations where there are technical upgrades for software, hardware, and websites or other changes to information systems to ensure PHI will not be at risk when the changes are implemented.
- Security and Control of Portable Electronic Devices. Ensure PHI that is stored and transported on portable electronic devices is properly safeguarded, including through encryption where appropriate. Have clear policies and procedures that govern the receipt and removal of portable electronic devices and media containing PHI from a facility, as well as that provide how such devices and the information on them should be secured when off-site.
- Proper Disposal. Implement clear policies and procedures for the proper disposal of PHI in all forms. For electronic devices and equipment that store PHI, ensure the device or equipment is purged or wiped thoroughly before it is recycled, discarded, or transferred to a third party, such as a leasing agent.
- Physical Access Controls. Ensure physical safeguards are in place to limit access to facilities and workstations that maintain PHI.
- Training. Ensure employees are trained on the organization’s privacy and security policies and procedures, including the appropriate uses and disclosures of PHI, and the safeguards that should be implemented to protect the information from improper uses and disclosures; and ensure employees are aware of the sanctions and other consequences for failure to follow the organization’s policies and procedures.
Finally, MGMA members will be interested in that organization’s 36-page HIPAA Security Risk Analysis Toolkit.
ABC, as a covered entity, takes very seriously the responsibility for securing the PHI entrusted to us. We hope that this Alert will help all our readers to do likewise.
With best wishes,
Tony Mira
President and CEO