
27 Jan 2010

Civil Actions for HIPAA Privacy and Security Violations

Posted by trishvoss.

by Trish Voss

Last week, the first case of a state attorney general pursuing civil action for patient privacy violations was publicized in an article posted on FierceHealthcare.  The lawsuit affects more than 450,000 individuals whose medical and financial information was compromised when an unencrypted computer disk disappeared. Authorities and the individuals affected were not notified in a timely manner (six months after the incident occurred).

The HITECH Act, which was passed last year, authorized state attorneys general to represent residents of their state for any violation occurring after February 19, 2009 and to obtain statutory damages on their behalf. Restitution amounts increased to a maximum penalty of $1.5 million.

In speaking to hospitals, we often hear how tight budgets are and how they are limited on resources. I know anyone who has ever worked in health care can completely understand and relate to this dilemma. However, I am afraid this public announcement is just the start of many more to come.

Just one violation can drastically affect your reputation. Several violations will affect your bottom line. Make sure you have the resources, tools and policies in place to effectively secure, monitor and report on your patients’ protected health information.

19 Jan 2010

More on the Essential Harmonization of Meaningful Use and Privacy & Security Policy

Posted by crselvey.

by Carol Selvey

Federal advisers understand the connection between meaningful use and privacy and security but are still slow to articulate exactly how to assure consumers that their digital medical data will be secure. Evidence of this was voiced at the HIT Policy Committee meeting last Monday, where it was noted that a risk “assessment is the only privacy or security requirement providers must meet if they are to qualify for meaningful use of health IT in 2011.”  Privacy and security are fundamental to defining meaningful use. Without confidence that records are secure, adoption will be impeded.

Within two weeks of publishing guidelines related to meaningful use, a federal advisory panel met last week to begin the process of updating The Office of the National Coordinator’s (ONC’s) Strategic Plan. The original Federal Health Information Technology (HIT) Strategic Plan was published in June 2008 and covers the period from 2008 to 2012. The draft framework document identifies four strategic themes, including meaningful use and privacy and security.

It’s reassuring that both meaningful use and privacy and security are among the strategic themes. Clearly, for the public to receive full benefit from the new and improved HIT-enabled health system (hence, for meaningful use to be achieved), we need to resolve existing conflicts related to securing electronic health information. Patients need to know that their data is maintained and shared appropriately so that it is accessible to optimize care. The draft plan sets the goals of building public trust and participation. This makes sense since MSNBC reports that at the recent annual International Consumer Electronics Show in Las Vegas both technology experts and consumers expressed concerns about public reluctance to embrace digital health. The lack of patient demand for electronic health records was cited as a major obstacle; according to David Cerino, general manager of the Consumer Health Solutions Group for Microsoft, the three conditions required for widespread acceptance are transparency, control and security.

We need to be sure that policymakers are aware of how significantly privacy and security factors will affect adoption of electronic records and health information exchange. Only when consumers’ fears are addressed will we see a considerable universal upsurge in demand for health IT. Only then will the dollars spent and the incentives offered really have an impact on transforming our health system by engaging patients, improving care and reducing cost.

12 Jan 2010

Las Vegas Information Breach

Posted by jvlawson.

by James Lawson

A few weeks ago I was out in Las Vegas attending the American Society of Health-System Pharmacists (ASHP) show and happened to see a news story about a pretty serious violation occurring at University Medical Center of Southern Nevada (UMC). It seems as if these types of news stories are happening more and more frequently. Recently I’ve had ample material to cite when talking to sites about information protection because of all of these examples from different healthcare institutions.

This one is pretty serious and could end up costing this institution plenty in financial terms as well as their reputation. The case centers around patient information that appears to have been leaked to local attorneys with the intent of soliciting business.  Here is the video news story from KVBC in Las Vegas. In doing some more research on this I also found another article about the same event with more detail published in the Las Vegas Review Journal. This article also has some great general information about HIPAA and the new penalties that this hospital and others may be facing.

One piece that I found really interesting was the quote at the end of this article about UMC currently not being able to provide a meaningful report to patients about access to their records. Based on my knowledge of the market, I’d bet that many other healthcare institutions are in the same boat and very much exposed to the same type of breach.

Are you working at one of those facilities? Or maybe worse, have you been a patient at a facility where a breach has occurred? Do you wonder if someone out there might have your medical data, financial data, or more? I certainly do.

6 Jan 2010

Meeting Meaningful Use Demands a Strong Privacy and Security Framework - Are You Ready?

Posted by crselvey.

by Carol Selvey

As 2010 begins, attention is on the release of the proposed rule on meaningful use, but it is clear that questions about how to maintain privacy and security of protected health information (PHI) are looming and will need to be addressed in the months ahead. As stated in preliminary reports, the fifth outcomes policy priority for meaningful use is “to ensure adequate privacy and security protections for personal health information.” Both patients and providers express concerns that could potentially greatly hinder the progress of electronic health records and health information exchange adoption.

Virtually every day there is news about a new privacy breach, or casual conversation reveals that friends distrust the safety of their personal health data if it is available online. Providers’ ambivalence was underscored by the recent studies published in the Journal of the American Medical Informatics Association: on the one hand, they recognize the potential benefits of improved efficiency, quality of care and reduction of cost, but they are concerned about the potential for privacy breaches. In fact, some mental health providers indicated that they may be less apt to record highly confidential information in electronic records than they would on paper.

Whether automated or paper-based, privacy and security protection need to be part of the cultural and ethical framework. As healthcare data become more and more available in digital form, healthcare, like all automated industries, needs to take appropriate measures to ensure cyber-security, business continuity and risk management.

Iatric Systems has developed relationships with several organizations that offer services to help our customers reinforce and strengthen their privacy and security frameworks. On January 19, Transcendent Group will provide a complimentary webinar on how to build a comprehensive security risk assessment into your overall security plan (register for this webinar). This is the first in a series of sessions to ensure that your organization is doing what it can to keep patient data safe and secure.

For more about the meaningful use package, read the Healthcare IT News article:  CMS, ONC deliver meaningful use package. What do you think about this package?

29 Dec 2009

Summary of Changes: HIPAA & the HITECH Act

Posted by trishvoss.

by Trish Voss

As the New Year approaches, we must make sure we are prepared to face the challenges of the expanded HIPAA legislation referred to as the HITECH Act (Health Information Technology for Economic and Clinical Health).  There are a lot of things to consider, so I thought posting an itemized list of the expanded obligations under HIPAA, along with the new obligations imposed with the HITECH Act, would provide a quick reference of items to review or address.

  • Expanded Penalties (Effective Immediately)
  • Expanded Obligations – Business Associates (Effective 2/17/2010)
  • Expanded Obligations – Unsecured Information (Effective not later than 9/16/2009)
  • Expanded Obligations – RHIOs, HIEs, and PHR Vendors (Effective 2/17/2010)
  • Expanded Obligations – Accounting for Disclosures (Effective no earlier than 1/11/2011)
  • New Obligations – Restrictions on Disclosure of PHI (Effective 2/17/2010)
  • New Obligations – PHR Vendors and Breaches of Security (Effective no earlier than 8/17/2009)
  • New Obligations – Marketing and Fundraising Activities (Effective 2/17/2010)
  • New Obligations – Government Oversight (Effective no earlier than 2/17/2010)

There are several documents available for review online. A really nice summary of the itemized changes is available from Legal HIM formation. It can be difficult and time-consuming to read the actual regulations. Having a summary that provides a quick and easy-to-understand description of the expanded and new obligations gives you the starting point to proactively research and address your compliance requirements.

Best of luck in the New Year!