Electronic medical information is increasingly central to improving the quality of patient care and controlling costs. The electronic health record (EHR) brings together medical examination observations, medication records, prescription information, laboratory results, and even x-ray and CT images, on a device as agile and portable as a tablet PC. The EHR can vastly improve the coordination of medical care by allowing the doctors involved in a patient’s treatment to review each other’s notes and gather related information from other healthcare locations. Alongside these clinical benefits, however, lies the possibility that unauthorized people might access an individual’s EHR by “snooping,” or simply through the loss of medical data left unprotected by safekeeping or encryption. Hospitals and physicians are taking steps to mitigate the security risks associated with electronic medical information and EHRs, both as part of federally mandated electronic information governance programs and to protect their business and clinical reputations. The federal government has adopted the following three-step approach to health information security, recognizing that, while electronic medical information can centralize patient data and reduce duplication of effort in creating and searching for the information needed for patient care, security vulnerabilities can erode patient confidence in electronic medical information systems:
As a means of enforcing the mandates, OCR announced in November 2011 the start of an on-site “spot” audit program to assess the privacy and security compliance of health care providers, health plans and “Business Associates” (entities that regularly access identifiable patient information while providing services such as medical record quality assurance, consulting, accounting and legal representation to providers and plans). The audits, which will continue through 2012, will include site visits; interviews with covered entities’ executive leadership; examination of physical features and operations and assessment of how consistently practice follows policy; and observation of compliance with regulatory requirements.
Simple Security Breaches Are Multiplying
A recent survey conducted by a developer of software that uses algorithms to screen for patterns potentially indicating unauthorized access to electronic medical records found that over 70 percent of the hospitals in its survey pool had experienced a security breach within the past twelve months. A 2011 HHS Report to Congress, issued pursuant to the HITECH Act, was perhaps more dire: information on more than 30,000 patients was compromised during the twelve-month study period. Contrary to what many patients believe, these breaches were not CSI-style hacking operations. Most of the intrusions were the result of “snooping” by medical staff and physicians. Close behind were relatively mundane, but serious, occurrences such as the loss of laptops on which patient information was not encrypted as required by HIPAA. For example, St. Francis Health Systems of Tulsa experienced the loss of information on 84,000 patients, Mid-State Medical Center in Connecticut experienced the loss of 93,500 patients’ information stored on hard drives, and Brigham and Women’s Hospital lost data on 600 patients that was stored on a portable external backup drive a physician took on vacation. These incidents, and others publicized in mainstream and new media outlets, can severely damage patient confidence in the medical institution and thereby lead to loss of the patient base. They can also lead to monetary penalty proceedings by OCR and large fines. Under the HITECH Act, state governments may pursue such HIPAA violations if the federal government does not, and OCR is currently offering HIPAA violation training to the staffs of state attorneys general. While many security incidents are not technical in nature, the remedies they require can be complex, costly, and professionally embarrassing.
Healthcare Provider Tip: Leverage the Law to Find the Way Forward
The HIPAA Security Risk Analysis, a requirement for healthcare providers to receive federal HITECH incentive payments, can provide the baseline analysis that highlights security deficiencies before a breach of patient information occurs. The elements of the risk analysis include:
The HIPAA Risk Analysis touches on numerous areas of the hospital, the physician’s office, and the laboratory; as a result, it requires the skills of people from several disciplines, including records and information technology, legal (to interpret and advise on the hundreds of pages of security requirements), and technical consultants (to provide software and applications that assist in preventing security breaches).
Some computer programs use algorithms to screen for possible improper disclosures of medical information in electronic communications such as email, and in enterprise content management and collaboration platforms like SharePoint. Others help hospital staffs, thinned by budget cuts due to reductions in federal and state funding, keep track of and protect patient information. Ideally, such systems will do more than simply identify the information that is currently at risk. Hospitals would benefit greatly from employing a system that also ensures PHI is encrypted in storage as well as in transmission. Encryption can prevent people outside the organization from accessing the PHI, and in the event of a breach of appropriately encrypted health information, the HITECH requirements that compel health organizations to report certain breaches to HHS and the media will not apply. Losses of this most sensitive personal information will continue as medical information technology advances. Most of these losses, as studies and government reports have shown, occur through human error and negligence: failure to abide by simple rules for protecting the information and the devices on which it resides. Hospitals, doctors, and other caregivers must, in the face of increasing government scrutiny, step up their vigilance through ongoing risk analysis, or be exposed to fines and adverse publicity, which they cannot afford in the current environment.
Fernando M. Pinguelo, a Partner at Norris McLaughlin & Marcus, P.A. and co-Chair of its Response to Electronic Discovery & Information Group, is a trial lawyer who devotes his practice to complex business lawsuits with an emphasis on how technology impacts them. Fernando founded and contributes to the ABA Journal award-winning blog, eLessons Learned – Where Law, Technology, & Human Error Collide (www.eLLblog.com).
To learn more about Fernando, visit www.NJLocalLaw.com or email him at info@NJLocalLaw.com.
In his thirty years of experience as a litigator, trial lawyer and counselor, Kenneth N. Rashbaum, Principal of Rashbaum Associates, LLC, in New York, has been the trusted advisor to healthcare providers, health plans and multinational corporations on information governance and its compliance with federal, state, and international law. He has served as partner and Co-Chair of the E-Discovery Practice Group of Sedgwick, Detert, Moran & Arnold, LLP, and Director of Consulting of Fios, Inc., where he founded and supervised the Health Care and Cross-Border divisions. To learn more about Ken, visit http://rashbaumassociates.com/attorney-bios/kenneth-n-rashbaum/ or email him at firstname.lastname@example.org
Eric Darbe is the vice president of marketing for HiSoftware, a provider of content-aware compliance and security solutions. In his role, Eric works with HiSoftware’s customers as well as industry leaders to ensure that HiSoftware’s solutions meet the business challenges that HIPAA and other regulatory mandates place on industries like healthcare. To learn more about HiSoftware, visit: http://hisoftware.com/industries/healthcare.aspx.
© 2011 Fernando M. Pinguelo, Rashbaum Associates, LLC; and HiSoftware Inc.