
Health Data Breaches: Hazy HIPAA Laws, Crazy Outcomes

Posted on December 28, 2011 | Written By

Priya Ramachandran is a Maryland based freelance writer. In a former life, she wrote software code and managed Sarbanes Oxley related audits for IT departments. She now enjoys writing about healthcare, science and technology.

You’ve no doubt heard it. The healthcare industry has the dubious distinction of having had three of the top six IT-related security breaches this year. This article in Healthcare Finance News quotes figures published by the Ponemon Institute, a research organization. According to the article, there has been a 32 percent increase in the frequency of data breaches; in other words, the frequency has increased by almost a third. And it has cost the industry $6.5 billion.

But a similar story in the NY Times shows us how woefully inadequate our existing data protection laws are (this story also quotes the numbers from the same Ponemon Institute study). An employee of the Massachusetts eHealth Collaborative lost a laptop containing 13,687 records. Each of those records contained some combination of a patient’s name, SSN, birthdate and other identifying information. Now, by law, healthcare organizations are required to report breaches involving 500 or more patients to the Department of Health and Human Services.

However, says the NYT, Micky Tripathi, the non-profit’s president and CEO, soon figured out “just how many ways there were to count to 500. The law requires disclosure only in cases that ‘pose a significant risk of financial, reputational or other harm to the individual affected.’ His team spent hours poring over a backup of the stolen laptop files. Of the nearly 14,000 patient records on the stolen laptop, most records did not warrant disclosure. In 2,777 cases, for instance, a record listed only a patient’s name.”

The NYT story also points out another strange loophole that came to the aid of the non-profit: the entities responsible for protecting patient health data are the providers, not contractors such as Mass. eHealth.

“In the eyes of the law, Mr. Tripathi’s nonprofit is a contractor that acts on behalf of health providers. The legal burden of protecting patient data actually falls on his clients: the physicians and hospitals who entrusted his nonprofit with their files. ‘The laws create a perverse outcome,’ he says. ‘It was our fault, but from a federal perspective, it wasn’t our breach.’”

So of the 14,000 or so patients affected, Micky Tripathi’s non-profit only needed to notify 998 people. Of these, only one organization had more than 500 affected patients, requiring a mugshot report on the HHS wall of shame and an offer of free credit monitoring from Mass eHealth.
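The counting the article describes, as an added Python example that is not code from the article or from Mass. eHealth: classify each recovered record by the identifiers it carries, drop the name-only records, group the rest by the covered entity that owns them, and apply the 500-patient HHS threshold per entity. The sensitive-field list and the sample records are constructed assumptions, not the real breach data.

```python
from collections import defaultdict

# HIPAA breach-notification threshold the article cites: 500 or more patients
# of a single covered entity triggers a report to HHS.
HHS_REPORT_THRESHOLD = 500

# Identifiers that, together with a name, make a record a notifiable exposure.
# This field list is an assumption for the example, not from the article.
SENSITIVE_FIELDS = {"ssn", "birthdate", "address", "insurance_id"}


def needs_notification(record):
    """Name-only records are treated as not posing significant risk, mirroring
    the article's count; a name paired with any sensitive field is notifiable."""
    return any(record.get(f) for f in SENSITIVE_FIELDS)


def triage(records):
    """Group notifiable records by the covered entity (provider) that owns them.

    Returns (patients_to_notify, patients_per_provider, providers_over_threshold).
    Patients are deduplicated per provider, so a duplicate export counts once.
    """
    per_provider = defaultdict(set)
    for r in records:
        if needs_notification(r):
            per_provider[r["provider"]].add(r["patient_id"])
    counts = {p: len(ids) for p, ids in per_provider.items()}
    over = sorted(p for p, n in counts.items() if n >= HHS_REPORT_THRESHOLD)
    return sum(counts.values()), counts, over


def sample_records():
    """Constructed test data (not the real breach): one provider with 600 full
    records, one with 120, plus 300 name-only records that should drop out."""
    recs = []
    for i in range(600):
        recs.append({"patient_id": f"A{i}", "name": "x", "ssn": "000-00-0000",
                     "provider": "Clinic A"})
    for i in range(120):
        recs.append({"patient_id": f"B{i}", "name": "x",
                     "birthdate": "1970-01-01", "provider": "Practice B"})
    for i in range(300):
        recs.append({"patient_id": f"C{i}", "name": "x", "provider": "Practice C"})
    # A duplicate export of an existing patient must not be counted twice.
    recs.append({"patient_id": "A0", "name": "x", "ssn": "000-00-0000",
                 "provider": "Clinic A"})
    return recs


if __name__ == "__main__":
    print(triage(sample_records()))
```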

In the end, the cost of credit monitoring services to Mass eHealth was a mere $6000, though the article says the non-profit ended up spending close to $300,000 in the aftermath. I wonder if this includes the cost of the necessary sleuthing involved and so on. If this is the case, those numbers are incidental expenses; the money spent directly on the breach itself was a fraction of that.

Compare this to the $1 million fine incurred by Mass. General Hospital for the loss of 192 patient records left by a negligent employee on a subway train.

With these numbers in mind, here are my takeaways from these stories:

* Who is responsible for what breach is not clear enough. I had to re-read the definition for covered entities to make sure that Mass eHealth doesn’t fall under it. If the law takes such a lax attitude to IT contractors – who BTW provide the bulk of the IT infrastructure at many hospitals – where’s the incentive for anyone to do things differently?

* There’s a crazy penalty structure in place. A hospital losing 192 records resulted in a million dollar fine. A non-profit losing 998 records incurred $6000 in expenses. So if you’re a hospital, you’re better off with contractor negligence than your employees/equipment being the responsible party.

* Rules can be creatively interpreted.

* There’s not enough negative fallout for data breaches for healthcare/HIT organizations to do things differently. Say, if in addition to the notice on the HHS wall of shame and fines, there were other repercussions like, I don’t know, a digital time-out of sorts for both contractors and healthcare organizations, maybe healthcare and IT would begin to care more.

John’s Comment: This is definitely an interesting case. With the new HITECH laws I can’t imagine how this doesn’t fall under the Business Associate agreement which would require that they follow the HIPAA laws just like any provider. The article does say that contractors aren’t responsible, but that seems like bad legal advice given by the contractor’s lawyer. I’m not a lawyer, but I’ll have to email a healthcare lawyer friend of mine to have him comment on this case as well.

It’s also worth noting that all of the breaches mentioned above have been through laptops or other devices left behind. None of the major breaches have been a hacker getting into an EMR or EHR system. Everyone likes to blame the EHR software for privacy issues, but so far they haven’t happened. They will one day, but the bigger privacy issue is still unsecured devices and human breaches (i.e. staff looking at inappropriate records).

The Top Three Things The Mass Media Does To Delay EMR Adoption

Posted on June 18, 2011 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Now that the government is pushing EMR use, the mainstream press has begun to report on the issue.

True, some astute editors are beginning to dig in to the problems that matter, such as securing patient data and challenges to getting physicians on board.

But most consumer publications, with their penchant for simplifying and condensing issues, are muddying the waters even further. Here are some things they’re doing which, I’d argue, are actually slowing down the EMR adoption process:

* Asking consumers whether they “want” an EMR: Let’s be honest: most consumers have only a vague idea of what an EMR is. You might as well ask them whether they’d like, oh, I don’t know, a confoobatron. If they think those confoobatrons are supposed to be the latest thing in medicine, they’ll say sure, I’d want one of those! In other words, you’re not giving doctors and hospitals real feedback as to how EMRs will foster relationships with their patients. It’s easy for clinicians to write off such responses as bogus and avoid adoption for a while longer.

* Focusing on a few spectacular security breaches: Yes, it’s really unfortunate that hospital staffers stole a peek at some Hollywood celeb’s medical data, or that a stolen laptop stocked with unencrypted data exposed patients at Hospital A to medical ID theft. But in playing up spectacular security breaches, mass media players distract everyone from the real issues. As we all know, most hospitals and doctors have far less glamorous problems to worry about, such as encrypting data, controlling access by role and seeing to it that staff are trained in security policies. But playing up a few disasters — such as stolen laptops or celebrity medical record leaks — makes it sound like security is beyond the reach of your average provider.

* Doing little to examine why physician adoption of EMRs is still low: While you will see the likes of USA Today look at abysmal EMR adoption rates, these stories usually collect a few random interviews with association heads or a random private practitioner and cite a few of their random headaches. These stories don’t dig into the really important issues (such as fear of productivity loss, lack of clinician buy-in and techno-phobia) that are stopping the train. While doctors obviously read trade publications like this one, they’re human, and if the USA Today story they skimmed on the train doesn’t address their concerns, it’s easy to stay tuned out on EMRs for a while longer.

OK, maybe I’m being a bit unfair here. Having been an editor for decades, I know the mass media can’t take the place of blogs like this that focus on serious professional issues. But I still wish that my colleagues in the consumer press would give EMR issues as much serious thought as, say, professional football. Wouldn’t that be refreshing?