Archive | HIPAA


Responsible Reporting

Posted on 16 February 2010 by Anthony

Although a healthcare organization is only required to report a data breach when financial harm results, it is irresponsible for a healthcare organization to ignore a breach of its customers' private health information. If the health information can be tied in any way to an individual, ethical responsibility to your customers should motivate reporting of the breach and notification of the proper authorities.

For official reporting to the U.S. Department of Health & Human Services (HHS), there are two reporting categories: breaches affecting fewer than 500 individuals and breaches affecting 500 or more. Many healthcare providers are hesitant to report a breach officially to HHS because the new requirements under the HITECH Act also state that a breach affecting more than 500 individuals will be posted on the HHS website. It seems virtually impossible that no breach has occurred, yet I have not found any organizations listed on the HHS website, as seen here.

Reporting a breach to HHS is relatively simple: it is an online form that does not require much technical knowledge or the submission of any technical data or proof of the breach. Network forensics can be extremely complicated for the novice user, but the breach will most certainly be physically obvious in most of the initial cases reported, at least until healthcare data security is audited more carefully than it is today. See the form for reporting a notice to the Secretary of HHS here.

It is also a good idea to report any security incident to US-CERT, even if HHS does not require it. Incidents reported there cover much more than a breach causing financial harm, and a report should be filed even when only a computer virus outbreak is detected at a provider. The US-CERT reporting form is also simple to complete and does not require any major technical forensics knowledge. To see the form for reporting general network and data incidents to US-CERT, click here.

As for notification to your patients: unless financial harm is shown, HIPAA does not require healthcare organizations to report the incident to the individuals, but should you? Most definitely! Most states already have reporting requirements for breaches of personally identifiable information, and notification is simply the responsible and ethical choice for any provider wishing to maintain any level of trust with its patients and clients. To see a sample data breach notification letter written by the FTC, visit their website.

AMENDMENT: Since this was written, the HHS website has posted the providers it is aware of where more than 500 records were breached.


Private: HIPAA Compliance Report

Posted on 08 January 2010 by Anthony


Data Breach Thresholds

Posted on 28 December 2009 by Anthony

A provisional rule announced by Congress will force health care providers to notify patients of breaches of customer data only if the breach “poses a significant risk of financial, reputational, or other harm to the individual.” How will the risk factors be determined? Will existing state laws on data breaches provide protection where the federal government falls short? Who is the real threat to your electronic health record?

In a poll sponsored by RSA of 400 top-level executives, 52% described the majority of their data losses as accidental. Many of the reported data losses were due to inappropriate access by the wrong people. This data supports the view that internal access controls and control over data are the largest issue facing our healthcare providers in protecting patient data. According to the Open Security Foundation's DataLossDB, 12% of all data losses are medical related. With the push toward a national electronic healthcare technology infrastructure, that number is sure to increase over the next five years. Most consumers appreciate notification of these negligent data breaches. Perhaps a healthcare provider rating based on breaches should even be assigned, to better inform consumers of the most secure and trustworthy healthcare providers.

Hospital and insurance representatives argue that notification costs would be too high if every breach were reported. Examples of routine data-handling breaches include statements sent to wrong addresses and improper employee access, but when your health information is part of this routine error in handling, would you want to know? Consumers should be asking, “why is my health information mishandled so often?” Proper investment in security and access controls should limit risk and, subsequently, the cost of data breaches. The arguments provided by hospital and insurance representatives seem best used as evidence of gross negligence, not as an argument for limiting notifications to patients.

But do you have any legal protection? Many states have already passed laws that include a breach of patient health data in the state-mandated reporting requirements for improper access or loss of data, but new federal rulings could preempt those state laws where your medical record is concerned. The negligent security requirements mandated at the federal level for the protection of electronic health records will not sufficiently protect your records under the current requirements and restrictions. With federal laws on reporting health care data breaches most likely winning out over state-mandated reporting requirements, it appears the corporate lobbyists are exposing the nation to public electronic health records rather than private ones, and you may never even know when your record is breached.

Write your state and federal Congressmen and let them know your concerns for the protection and privacy of your health records. While network security should never be overlooked, the majority of data breaches occur inside an organization. Increased controls and requirements for handling patient health records are needed to sufficiently protect your private and personal information. As with too many aspects of privacy and security in electronic health records, there are too many unanswered questions and undefined points of protection.


References

Leyden, John. Incompetence a bigger IT security threat than malign insiders. (2009). Internet. http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/ Accessed November 15, 2009.

Schwartz, Emma. Health Industry Winning Round On Privacy of Digital Health Records. (2009). Internet. http://www.huffingtonpost.com/2009/11/13/health-industry-winning-r_n_357476.html Accessed November 15, 2009.

State-by-State Listing of Data Loss and Freedom of Information Legislation. (2005-2009). Internet. http://datalossdb.org/us_states Accessed November 14, 2009.

Data Loss Statistics. (2005-2009). Internet. http://datalossdb.org/statistics Accessed November 14, 2009.

Shift in responsibility

Posted on 03 August 2009 by EHRTech.info

A shift is occurring in the enforcement of HIPAA... again! The result should be less confusion about enforcement and about how penalties for violating HIPAA requirements are assessed. No longer will there be split departmental enforcement of HIPAA violations at the federal level.

http://tinyurl.com/kloqb7


2009 HIPAA; what has changed?

Posted on 14 July 2009 by EHRTech.info

Abstract
The 2009 HITECH Act expands HIPAA coverage and definitions to include covered entities' business associates, defines security breaches and their disclosure requirements, and adds new restrictions on the use and disclosure of protected health information, new patient rights, mandatory compliance audits and heightened HIPAA enforcement.

2009 HIPAA; what has changed?
Many changes have been made to HIPAA as part of the 2009 HITECH Act. Many existing rules were expanded and clarified, and additional penalties and required actions were defined for violations. A proactive response to the new requirements should be best practice for all health care providers, with careful attention paid to the further expansion of requirements and enforcement over the next 18 months.

Expanded definition of security breach

One of the most significant changes is the burden placed on a health care provider or covered entity that suffers a breach of unprotected health information. This applies not just to electronic data, but to any breach of data stored by the provider. HITECH establishes a rule that all individuals affected by the breach must be notified within 60 days of the security violation. Additionally, if more than 500 records were compromised, then “prominent media outlets” must be notified as well. A breach is defined as the acquisition of an individual’s unsecured identifiable health information by any person without that individual's authorization. Finally, notice of the breach will be posted on the HHS website when more than 500 records are breached.

New restrictions on use and disclosure

Additional restrictions on the use and disclosure of protected health information are also part of the expansion of HIPAA privacy. A covered entity is prohibited from receiving remuneration for protected health information in excess of the cost of preparing and transmitting the data, and then only with the authorization of the individual and for research purposes. Marketing to individuals based on protected health information becomes more restrictive as well, and direct marketing is often prohibited if money is exchanged by any of the parties involved in marketing to the individual without the individual’s consent.

New guidelines will define the minimum information necessary for treatment. This standard is used to determine what information can be transmitted between parties for purposes other than treatment of the patient. The guidelines are due within 18 months and will be defined by HHS.

New patient rights
Patients will be happy to hear that several new rights have been granted to them regarding the use and disclosure of their health information. Patients have the right to request that providers not share their health information with a health insurer if the patient is paying the full cost of the services provided. Providers are also required to provide a patient with a copy of their health record once a year. Covered entities maintaining electronic health records must additionally provide an audit accounting of all disclosures for treatment, payment and health care operations over a three-year period. Many of these features will be included in a patient health record portal, which good EHR systems should include. Last of all is the right to opt out of fundraising communications and opportunities. Opt-out rights have existed in the past, but fundraising communications must now state the patient’s right to opt out of future fundraising solicitations.

HIPAA coverage for business associates
Additional restrictions on how data is shared with a covered entity's business associates have been defined as well. All business associates of a covered entity must comply with HIPAA security requirements and data sharing policies. This legislation now brings technology vendors, practice management companies, transcription services, billing services, attorneys, accountants and many other types of business associates under the direct regulation of HIPAA.

Heightened HIPAA enforcement
New, more severe penalties are effective immediately for HIPAA violations.

Increased Monetary Penalties

Unknowing violations: $100 per violation, up to $25,000 annually
Reasonable cause violations: $1,000 per violation, up to $100,000 annually
Willful neglect violations: $500,000 per violation, up to $1.5 million annually, with civil penalties starting in 2011

Additionally, state attorneys general are now granted authority to bring civil action for HIPAA violations. The HITECH Act also clearly states that criminal penalties may be imposed under HIPAA on individuals or entities that wrongfully obtain protected health information.

Mandatory Compliance Audits

HHS will be required to conduct periodic audits of covered entities and business associates to evaluate their HIPAA compliance.
