HHS raises the stakes for patient data breaches

The good news for patients is that their personal health information (PHI) is becoming more secure all the time. But it takes unfortunate breaches, such as an event that occurred in Charlotte in August 2013, to highlight the need for increasingly stronger data-security provisions.

The incident involved an unsecure email sent by an employee of a major health system containing the protected information—including names, addresses, phone numbers, diagnoses, medications and insurance records—of more than 1,300 patients. The health system admits that the email was sent as part of a patient care coordination process without the proper security protocols but claims that it was unlikely received by anyone except the intended individual.

In accordance with federal privacy regulations, the organization was required to notify all affected patients. It was also responsible for informing the community, thanks to regulations requiring healthcare facilities to make public any information-security breach involving more than 50 patients. While it appears that the data will never wind up as malicious content, the health system has certainly suffered a near-term character blow. Healthcare providers looking to avoid the same fate must take new HIPAA regulations that place tighter controls over PHI very seriously.

Stronger Provisions on the Books

To combat security breaches such as the one in Charlotte, the Dept. of Health and Human Services (HHS) enacted on March 23, 2013, what it calls “the most sweeping changes to the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules since they were first implemented. Known as the HIPAA Omnibus rule (and written into the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009), it creates stronger privacy-related documentation provisions, such as more detailed authorizations to release patient information. It also creates hefty penalties for data breaches—up to $1.5 million per incident.

The Omnibus rule also places greater limits on the use of patient information for marketing and fundraising purposes; expands the definition of a data breach; and requires healthcare providers to amend their notice of privacy practices, among other provisions. But perhaps the most significant controls to emanate from the omnibus rule are those that hold healthcare organizations responsible for their business associates’ actions.

The business associate provisions come in light of revelations that healthcare vendors are responsible for a surprising number of adverse incidents. In fact, a study by the Office for Civil Rights (OCR) concluded that 45 percent of healthcare providers and other covered entities had an average of five HIPAA data breaches during any given year, with two-thirds of incidents involving business associates.

To ensure they are meeting the provisions, healthcare organizations should vet all vendors to ensure they are HIPAA-compliant and carefully review their histories with PHI security.

Secure Data Transmission is Paramount

On Sept. 23, 2013, HHS began enforcing the new HIPAA Omnibus rule with the OCR auditing providers and their vendors to ensure they are meeting the provisions, including conducting risk assessments and developing plans for safeguarding patient information. Penalties for noncompliance will be assessed according to the severity of the infraction.

The lowest-tier cases involve providers that did not reasonably know of the breach. Intermediate-tier instances involve organizations that “knew, or by exercising reasonable diligence would have known” of the violation but did not act with willful neglect. The highest-tier cases, which could be accompanied by up to $1.5 million in fines, involve providers that acted with “willful neglect."

Among the most vulnerable areas of a data breach involve responses to medical record requests from health plans. Providers require HIPAA-compliant solutions that are able to securely capture and transmit electronic medical records, such as sending supporting documentation for medical review. The most effective solutions are those that are easily integrated with other technologies such as document imaging systems, electronic health record (EHR) solutions and revenue cycle management systems.

Advanced technologies enable providers to create a single uniquely-numbered “electronic envelope” containing all the requested medical documentation needed for medical record reviews via scanned images, print captures, screen captures and imported files. Once the medical documentation is submitted, a bi-directional information exchange engine securely routes the file to the appropriate stakeholder for retrieval, meeting HIPAA requirements for secure data transmission. The transport exchange engine will often serve as a central repository for electronic patient records, reducing a provider’s dependence on paper documents and additional data storage mediums.

Other solutions allow users to securely capture document images, such as information from a paper-based medical record, via a smartphone’s camera. To ensure that the data remains secure, images are not stored in the device gallery or the phones SIM card. Rather, data is sent to an information exchange engine, where it can then be securely forwarded to the appropriate recipients.

The new HIPAA Omnibus rule governing the protection of PHI is not one to be taken lightly. Healthcare organizations must closely examine their business associate relationships and educate their partners on the severity of penalties for a breach of information. They must also shore up their modes of information exchange with advanced technologies to protect patient data as it moves from one entity to another. Monetary penalties for an information breach are just the tip of the iceberg. The damage to a healthcare organization’s reputation is far more widespread and longstanding.