Healthcare Scene - Health IT Blog Network

January 9, 2012

HIPAA Compliance Audits Underway

So the first round of the HIPAA compliance audit program is underway. Howard Anderson, writing in HealthcareInfoSecurity.com, has a great post on what’s going on:
- 20 organizations will be hosting auditors from KPMG in the next few weeks, followed by another 130 organizations in the second phase of the audits later this year.
- The focus this year is on covered entities, not on their business associates.
- OCR is not just going after the big fish. OCR is auditing “eight health plans, two claims clearinghouses plus 10 provider organizations, including three hospitals, three physicians’ offices, and a laboratory, a dental office, a nursing/custodial facility and a pharmacy.”
- Adam Greene, the blogger who broke this news first on his blog, has some interesting details about the organizations. It seems that 6 of the 20 organizations chosen for the first audit are Level 4 entities, meaning “Small providers and community pharmacies with less than $50 million in revenue and/or assets.” That is 30% of the initial list.
- Notifications were sent to organizations on the 1st of December. Auditors are going out for field visits expected to last between 3 and 10 business days.

Having been in charge of Sarbanes-Oxley audits at my last place of work, I know firsthand what a flurry external audits can cause in any organization. I can only empathize with the first few organizations chosen. However, I also find OCR’s approach to the audit process to be quite wise – the post at HealthcareInfoSecurity quotes Leon Rodriguez, OCR head honcho, as saying “Our first objective is not to go out there and start banging [organizations] with penalties; it’s really to take a good look at them, find out where their opportunities for improvement are and help them improve… Having said that, I think we know that there are cases where we’re going to find some significant vulnerabilities and weaknesses. And in those cases, we may be pursuing significant corrective action. And in some of those cases, we may be actually pursuing civil monetary penalties. But that’s really not the primary goal of the audit program.”

That is probably some solace for the organizations currently being audited. Hopefully, at the end of this exercise, OCR will have a good idea of where the major weaknesses are and where it wants organizations to be, and will help them get there.

December 28, 2011

Health Data Breaches: Hazy HIPAA Laws, Crazy Outcomes

You’ve no doubt heard it. The healthcare industry has the dubious distinction of having had three of the top six IT-related security breaches this year. This article in Healthcare Finance News quotes figures published by the Ponemon Institute, a research organization. According to the article, there has been a 32 percent increase in the frequency of data breaches; in other words, the frequency has increased by almost a third. And it has cost the industry $6.5 billion.

But a similar story in the NY Times shows us how woefully inadequate our existing data protection laws are (this story also quotes the numbers from the same Ponemon Institute study). An employee of the Massachusetts eHealth Collaborative lost a laptop containing 13,687 records. Each of those records contained some combination of a patient’s name, SSN, birthdate and other identifying information. Now, by law, healthcare organizations are required to report breaches involving 500 or more patients to the Department of Health and Human Services.

However, says the NYT, Micky Tripathi, the non-profit’s president and CEO, soon figured out “just how many ways there were to count to 500. The law requires disclosure only in cases that ‘pose a significant risk of financial, reputational or other harm to the individual affected.’ His team spent hours poring over a backup of the stolen laptop files. Of the nearly 14,000 patient records on the stolen laptop, most records did not warrant disclosure. In 2,777 cases, for instance, a record listed only a patient’s name.”

The NYT story also points out another strange loophole that came to the aid of the non-profit – the entities responsible for protecting patient health are the providers, not contractors such as Mass. eHealth.

“In the eyes of the law, Mr. Tripathi’s nonprofit is a contractor that acts on behalf of health providers. The legal burden of protecting patient data actually falls on his clients: the physicians and hospitals who entrusted his nonprofit with their files. ‘The laws create a perverse outcome,’ he says. ‘It was our fault, but from a federal perspective, it wasn’t our breach.’”

So of the 14,000 or so patients affected, Micky Tripathi’s non-profit only needed to notify 998 people. Of its client organizations, only one had more than 500 affected patients, which required a mugshot report on the HHS wall of shame and an offer of free credit monitoring from Mass eHealth.

In the end, the cost of credit monitoring services to Mass eHealth was a mere $6,000, though the article says the non-profit ended up spending close to $300,000 in the aftermath. I wonder if this includes the cost of the necessary sleuthing and so on. If so, most of that total is incidental expense; the money spent directly on the breach itself was a fraction of it.

Compare this to the $1 million fine incurred by Mass. General Hospital for the loss of 192 patient records left by a negligent employee on a subway train.

With these numbers in mind, here are my takeaways from these stories:
- Who is responsible for what breach is not clear enough. I had to re-read the definition for covered entities to make sure that Mass eHealth doesn’t fall under it. If the law takes such a lax attitude to IT contractors – who BTW provide the bulk of the IT infrastructure at many hospitals – where’s the incentive for anyone to do things differently?
- There’s a crazy penalty structure in place. A hospital losing 192 records resulted in a million dollar fine. A non-profit losing 998 records incurred $6000 in expenses. So if you’re a hospital, you’re better off with contractor negligence than your employees/equipment being the responsible party.
- Rules can be creatively interpreted.
- There’s not enough negative fallout for data breaches for healthcare/HIT organizations to do things differently. Say, if in addition to the notice on the HHS wall of shame and fines, there were other repercussions like, I don’t know, a digital time-out of sorts for both contractors and healthcare organizations, maybe healthcare and IT would begin to care more.

John’s Comment: This is definitely an interesting case. With the new HITECH laws I can’t imagine how this doesn’t fall under the Business Associate agreement which would require that they follow the HIPAA laws just like any provider. The article does say that contractors aren’t responsible, but that seems like bad legal advice given by the contractor’s lawyer. I’m not a lawyer, but I’ll have to email a healthcare lawyer friend of mine to have him comment on this case as well.

It’s also worth noting that all of the breaches mentioned above have been through laptops or other devices left behind. None of the major breaches have been a hacker getting into an EMR or EHR system. Everyone likes to blame the EHR software for privacy issues, but so far they haven’t happened. They will one day, but the bigger privacy issue is still unsecured devices and human breaches (i.e. staff looking at inappropriate records).

November 21, 2011

EMR Data and Privacy

From MinnPost.com, a post on Sen. Al Franken’s second hearing as chairman of the Senate Subcommittee on Privacy, Technology and the Law. Franken’s take was that federal agencies tasked with enforcing digital privacy are not doing so. While we might be aware on some subliminal level about the lack of enforcement, when presented in sheer numbers, the statistics are shocking.

According to the MinnPost article:

“Total, there have been 364 “major breaches” of 18 million patients’ private data since 2009, Franken said. Meanwhile, enforcement of data privacy laws has been lax — out of the 22,500 complaints the Health and Human Services Department has received since 2003, it’s levied only one fine and reached monetary settlements in six others. Of the 495 cases referred to the Department of Justice, only 16 have been prosecuted.”

Here on the HHS website, you can see all the breaches affecting 500 or more people (sort by Breach Date to see recent breaches). Even with all the rules around reporting, given the lack of enforcement, hospitals and care organizations have little to lose in this lax enforcement landscape. I’d be curious to know the process for fining and reaching settlements, and whether it is proportional to the amount of data stolen or lost. More importantly, I’d like to know what organizations are doing differently once a data theft has been identified – the worst thing for an organization would be to pay the fine and continue with the same faulty processes that led to the breach in the first place.

October 10, 2011

Healthcare Data Security, Healthcare Breaches, and EMRs

We’ve posted about it earlier on this blog as well, and it’s a point worth reiterating – most data breaches are not the result of hordes of internet hackers out to get your computer system, they’re due to human errors or negligence.

Here are some recent cases of patient data that has emerged from EMRs in unexpected places:
Lost in Break-In: By now, we’ve all probably already shaken our collective heads over the Tricare data breach involving data for 4.9 million military patients. Scientific Applications International Corp. (SAIC), one of the Pentagon’s principal contractors, was the outfit responsible for the data loss: the data was stolen in a break-in of an SAIC employee’s car. The data was contained on backup tapes, and included information such as SSNs, addresses and phone numbers of patients, and personal health data.

There are several perplexing things about this story:
a) The statement on Tricare’s website claiming nothing important was really lost: “The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure” per this story.
b) SAIC’s success with HHS contracts – SAIC was awarded a lucrative $15 million contract by HHS, despite the breach.

Posted on a Homework Help forum: According to this NYT story and its follow-up, patient records (names, diagnosis codes, account numbers, admission codes) from emergency visits for a six month period at Stanford Hospital, CA, were posted online. Supposedly, a Stanford vendor sent the data to a prospective contractor as part of a testing exercise. The contractor posted it all online, on a website offering tutoring help no less, without realizing it was actual patient data. The story says Stanford had the data removed from the website, and reported the breach to federal and state authorities, as well as the patients. Stanford is arguing that none of its staff has done anything wrong, and that it severed its relationship with the contractor. To me, this is the proverbial buck being passed.

Lost in the Subway: The first NYT story mentions how the paper records of 192 patients were left on a subway by an employee of Massachusetts General Hospital in Boston. The hospital has agreed to pay a $1 million federal fine for HIPAA violations.

So to summarize some lessons learned from these data breaches:
Loss of paper records is worse than the loss of electronic records: This should be obvious to anyone who’s not a schoolgirl with a fancy diary guarded by a lock.

Your data is only as safe as your weakest link: If you’re farming out your data to vendors, then you have to know what policies your vendor has in place. If your vendor subcontracts further, then you have to keep going down the line till you are reasonably assured of data safety. When the hammer falls, it is *you* who will be coughing up the fines.

Prep with Data-handling Policies and Procedures that you and your staff religiously follow: The data was lost in very human ways – data left inside a car, posted by an untrained contractor. This just means you need to have robust, and enforced, policies in place for how patient data is handled by your employees. Maybe in your company this means that your employees can’t take work home, or that they must clear their workspaces of any patient data before they leave. Decide what makes sense in the context of your business, and maybe hire someone to enforce these rules.

Give kickbacks to HHS: If you’re in the business of contracting with the government, seriously figure out how SAIC has managed to stay in HHS’ good books. I wish I were kidding with this one.

June 19, 2011

Who’s Seen My Medical Record? Better Be Able To Answer

Right now, HHS is considering a new rule which would demand that hospitals, medical practices and health plans provide anyone who asks with a list of who has accessed their electronic medical records.

The proposed rule, which will go into effect January 2013 if approved, shouldn’t be a big deal in theory. After all, since 2005 healthcare companies directly involved in patient care have had to keep their own log of who accesses patient records electronically. But apparently, the industry is arguing that providing a report on who saw your EMR file would be a massive hassle. (Even the rule’s author told USA Today that “the burden could be significant.”)

OK, I’m beginning to get a bit of a headache. Correct me if I’m wrong, but isn’t such monitoring — a detailed record of who looked at what record — a completely standard security measure for any organization with its act together?

I’m also wondering why the heck the article suggests that it would be difficult to get such access logs across departments. Again, I’m not an IT executive and I don’t play one on TV, but how much would EMR security be worth if you could only track access department by department?

I’ll admit that the more paper that remains in the process, the trickier things get. If a consumer wanted a complete list of who’d accessed their files, and the healthcare organization still conducted some major processes on paper, things could get pretty time-consuming. (Though even in that case, healthcare organizations better be aware of who’s peeked at what patient’s data.)

Still, I detect a smokescreen here. While there are probably entities — notably smaller practices with lower-end EMRs in place — that would be burdened by this requirement, many more would probably find it no trouble to handle if they tried. In fact, if a provider has spent big bucks on an EMR that can’t dig up access records easily, they should get their multi-million-dollar investment back.

I understand health plans’ and hospitals’ reluctance to turn over such information, which could drag them into lawsuits, divorces (“Did my wife really have the right to see my records?”) and medical ID theft prosecutions, to name just a few possibilities. Once targeted, the entity would have to prove, sometimes laboriously, why a given person actually did have good reason to access a certain patient record, and sometimes they’d look bad even if they were in the right.

But if that’s the real issue, and I strongly suspect it is, I’d prefer to see health plans and providers come out and admit that they don’t want to get dragged into fights they may not win. Saying they can’t afford to comply with what should be a simple request just makes them look dishonest. And that can only lead to further headaches down the road.
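The cross-department access report the post argues should be routine, as an added Python example (not code from the original post or from any EMR product): two departmental systems log in different formats and time zones, and the report merges them into one per-patient list. The log formats, user names, MRNs and timestamps are constructed for illustration.

```python
"""Merge access logs from separate departmental systems into one per-patient
'who looked at my record' report. Added example; the two log formats, user
names, MRNs and timestamps below are constructed, not taken from any EMR."""
from __future__ import annotations

import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True, order=True)
class AccessEvent:
    when: datetime      # always UTC so events from different systems sort correctly
    system: str
    user: str
    patient_id: str
    action: str


# Constructed sample: the radiology system writes one JSON object per line, in UTC.
RADIOLOGY_LOG = """\
{"ts": "2011-06-01T09:12:03Z", "mrn": "MRN-1001", "user": "rad.tech1", "action": "VIEW_IMAGE"}
{"ts": "2011-06-01T09:15:40Z", "mrn": "MRN-2002", "user": "rad.tech1", "action": "VIEW_IMAGE"}
"""

# Constructed sample: the billing system exports CSV with local (UTC-4) timestamps.
BILLING_LOG = """\
timestamp,patient,username,event
2011-06-01 05:30:00,MRN-1001,billing.clerk,PRINT_STATEMENT
2011-06-02 11:00:00,MRN-1001,billing.clerk,VIEW_ACCOUNT
"""


def parse_radiology(text: str) -> list[AccessEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Python < 3.11 does not accept a trailing "Z" in fromisoformat.
        when = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(AccessEvent(when.astimezone(timezone.utc), "radiology",
                                  rec["user"], rec["mrn"], rec["action"]))
    return events


def parse_billing(text: str, utc_offset_hours: int = -4) -> list[AccessEvent]:
    local = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=local)
        events.append(AccessEvent(when.astimezone(timezone.utc), "billing",
                                  row["username"], row["patient"], row["event"]))
    return events


def accounting_report(patient_id: str, *sources: list[AccessEvent]) -> list[AccessEvent]:
    """Every access to one patient's record across all systems, oldest first."""
    merged = [e for src in sources for e in src if e.patient_id == patient_id]
    return sorted(merged)   # order=True compares fields in order, so 'when' wins


def format_report(events: list[AccessEvent]) -> list[str]:
    return [f"{e.when:%Y-%m-%d %H:%M:%S}Z  {e.system:<9} {e.user:<14} {e.action}"
            for e in events]


if __name__ == "__main__":
    report = accounting_report("MRN-1001", parse_radiology(RADIOLOGY_LOG),
                               parse_billing(BILLING_LOG))
    print("\n".join(format_report(report)))
```

Each real system would get its own small parser; the report itself does not care which department an event came from, which is the whole point.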

March 25, 2010

HIPAA Breaches Related to EMR

Someone sent me an email with this link to the list of HIPAA breaches affecting 500 or more individuals. One of my popular searches on EMR and HIPAA is about HIPAA lawsuits, so you can imagine the lawyers are salivating over this list.

In a quick count, I found 31 on the list that were desktop, laptop, or other computer related device. In another quick count, I counted 46 on the list (feel free to correct my counts, but the range is right). The person who emailed me suggested that most of the list was breaches of EMR. I personally don’t think that’s the case.

One thing seems pretty certain. Technology has opened the doors for larger breaches. In the paper world, it’s a little harder to lose, misplace or steal 500 or more individuals’ information. It happens, but it’s much easier in the digital world. Plus, there’s a lot more vagueness in technology when a breach happens.

In the digital world, it’s often a best guess about what happened during a breach. Most of the time a breach happens in the technical world, whoever took the device probably didn’t give a rip about the healthcare data. However, there’s the potential that they did, so you get to report it. Enough of that tangent.

One other problem with the assertion that most of this list is from an EMR breach is that I was surprised how many insurance providers were on the list. In fact, it seems like a large portion of the breaches were insurance lists probably. Not sure that’s an EMR breach.

I think it’s also interesting to note that this list of breaches is probably far below the reality. This is just the list of reported cases. I can’t imagine how many breaches happen that go unreported.

Of course, this begs the question of whether we should be moving to electronic records at all if there’s more possibility for breaches. My answer is that of course we should. Although, it should give us real pause as we consider the security of those systems as well. Stuff happens, but we shouldn’t let the possibility of breaches make us set aside the benefits of technology.

December 23, 2009

Balancing Privacy and Security with Patient Care

Healthcare InformationWeek has an article that discusses the challenges of EMR security and privacy. A lot of the stuff is nothing new to those of us in the healthcare space. Although, it’s interesting to see how they summarize things like the goal to be full EMR by 2014 and the EMR stimulus money.

However, the article did include these interesting stats on the number of breaches that happen in healthcare and the focus IT managers put on privacy and data security in healthcare.

Healthcare providers and other health businesses aren’t stepping up to protect privacy, according to a recent study. Some 80% of healthcare organizations have experienced at least one incident of lost or stolen health information in the past year, according to the study, released this month from security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research.

Also, some 70% of IT managers surveyed said senior management doesn’t view privacy and data security as a priority, and 53% say their organizations don’t take appropriate steps to protect patient privacy. Less than half judge their existing security measures as “effective or very effective.”

I was surprised that 80% of organizations have had an incident of lost or stolen health information. However, I honestly don’t see this ever changing. Stuff happens even with the very best efforts.

I did also like this quote of John Halamka about the challenge of balancing privacy and security with sharing the patient information to provide better patient care.

“You want to protect the patient’s preferences for confidentiality,” Halamka said. But you also need to get information where it’s needed. “If you come to the emergency department in a coma, and you have a record that includes psychiatric treatment, HIV, drug abuse, and other information, would you share part of it or all of it? My preference would be all of it, with the hope that emergency workers would use it discreetly, to save my life.” But other people may feel differently, Halamka said, and healthcare policy needs to serve all those needs.

I’m a little surprised that Halamka has had psychiatric treatment, HIV and drug abuse. He’s doing quite well considering that history. (that’s sarcasm in case you didn’t note it) His history aside, I’m totally with him on wanting that information available as well. However, he’s totally correct that many people wouldn’t want that stuff shared. Enabling the consumer to make that decision though is a hard nut to crack.

October 8, 2009

850,000 Doctors Possibly Hit By Data Breach from a BlueCross BlueShield’s Stolen Laptop

Another example of a lost laptop storing sensitive information:

A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. It is not yet known whether any identity theft has resulted from the data breach.

The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors, Jeff Smokler, spokesman for the Chicago-based Blues association, said Oct. 6. That number represents every physician who is part of the BlueCard network, which allows Blues members to access networks in other states, Smokler said.

Some 16% to 22% of those physicians listed — as many as 187,000 — used their Social Security numbers as a tax ID or NPI number, Smokler said.

The association updates its file of BlueCard network physicians weekly, Smokler said. An unidentified employee downloaded the unencrypted file onto his personal computer to work on it at home, a practice that is against company policy, he said.

“We are re-evaluating that protocol and how we prevent this from happening again,” Smokler said.

This is why we’ve required and checked that our EMR software doesn’t store any PHI on our computers. It’s all stored on the server.

August 20, 2009

Bill Gates Talks About Electronic Medical Records and Healthcare

From an interview with Bill Gates of Microsoft, here are some of his views about electronic medical records and healthcare. See the complete article.

Mr. Gates was also critical of the United States government’s unwillingness to adopt a national identity card, or allow some businesses, like health care, to centralize data-keeping on individuals. “It has always come back to the idea that ‘The computer knows too much about you,’ ” he said. The United States “got off to a bad start” when it comes to using computers to keep data about its citizens, he said. Doctors are not allowed to share records about an individual patient, and virtual doctor visits are banned, he said, which “wastes a lot of money.” The United States “had better come up with a better model” for health care, he said.

I agree and disagree with Mr. Gates. We need more data sharing and more interoperability BUT confidentiality IS an important issue. Just look at how the drug tests of Major League Baseball players became public when they were PROMISED it would be strictly confidential!!!! I don’t trust big government or big business. Question: How do you tell whether an attorney or politician or corporate executive is lying? Answer: Their lips are moving or their fingers are typing!

We have to make sure medical information about individuals remains confidential and remains in the control of the individual.
