
Responsible Reporting

Posted on 16 February 2010 by Anthony

Although healthcare organizations are only required to report a data breach if financial harm results, it is irresponsible for a healthcare organization to ignore a breach of its customers’ private health information. If the health information can be tied in any way to an individual, ethical responsibility to your customers should motivate reporting of the data breach and notification of the proper authorities.

For official reporting to the U.S. Department of Health & Human Services (HHS), there are two reporting groups: data breaches affecting under 500 individuals, and any breach affecting more than 500. Many healthcare providers are hesitant to report a data breach officially to HHS because the new requirements under the HITECH Act also state that a breach affecting over 500 individuals will be posted on the HHS website. It seems virtually impossible that no data breach has occurred, yet there are no organizations reported on the HHS website that I have found, as seen here.

Reporting a breach to HHS is relatively simple, as it is an online form that does not require much technical knowledge or the submission of any technical data or proof of the breach. Network forensics can be extremely complicated for the novice user, but the breach will most certainly be physically obvious in most of the initial cases reported, at least until healthcare data security is audited more carefully than it is today. See the form for reporting a notice to the Secretary of HHS here.

It is also a good idea to report any security incident to US-CERT, even if it is not required by the terms set forth by HHS. Incidents reported there cover more than just a breach causing financial harm, and a report should be completed even if only a computer virus outbreak is detected at a provider. The reporting form at US-CERT is also simple to complete and does not require any major technical forensics knowledge. To see the form for reporting general network and data incidents to US-CERT, click here.

As for notification of your patients: unless financial harm is shown, HIPAA does not require healthcare organizations to report the incident to the individuals, but should you? Most definitely! Most states already have reporting requirements for data breaches of personally identifiable information, and notifying patients is simply the responsible and ethical choice for any provider wishing to maintain any level of trust with their patients and clients. To see a sample data breach notification letter written by the FTC, visit their website.

AMENDMENT: Since this was written, the HHS website has posted the providers it is aware of where more than 500 records were breached.


Privacy and Security Risks and the National Health IT Infrastructure

Posted on 16 December 2009 by Anthony

As part of the 2009 HITECH Act, a national health information technology infrastructure (NHITI) is required for access to and use of electronic health records, resulting in a more “effective marketplace, greater competition…[and] increased consumer choice” (HITECH Act, Section 3001(b)). Such a system is not only necessary but cardinal to improving the delivery and reducing the costs of health care in the United States. Properly executed, an NHITI with appropriate controls and security protocols will have the means to protect individual electronic health records (EHR), prevent provider mistakes, report errors and audit abuses of the health system.

A letter from Dr. David Blumenthal, National Coordinator for Health Information Technology, restated the requirements of the HITECH Act and the reasons for an NHITI. Blumenthal stresses that the key premise of the technology infrastructure is that information should follow patients, while removing any technical, business and bureaucratic obstacles from the process of sharing an EHR. He also states that “Americans must also be assured that the most advanced technology and proven business practices will be employed to secure the privacy and security of their personal health information.”

The best process for defining the operation of an NHITI should start with a working group focused on national standards for interoperability and security of a health information exchange. Working groups should be composed of an interdisciplinary set of industry experts tasked with creating a national open protocol for the secure and private transfer of electronic health information. Ideally, such an exchange would occur over a private and secure network limited to health care providers and required users, with limited and monitored access. Public access to personal healthcare records should use secure gateways similar to the architecture used on Department of Defense (DoD) classified networks.

It is also important to note that most security violations originate inside an organization. Internal security, privacy and access controls may therefore be more important to securing the national health information infrastructure, although perimeter controls are by no means useless. Working groups to develop security and privacy policies for internal use of data, perimeter controls for the exchange and interoperability of data exchange should all be formed as soon as possible.

A nationwide health information data exchange will contain extremely private and personal health information. The public has no reason to fear such a data repository if proper measures are taken to manage security and privacy risks. Dr. Blumenthal emphasizes the importance of this network and the need for strong security, but are we heading in the right direction to satisfy the necessary requirements?

This article was originally published on Healthcare Professional Live


2009 HIPAA; what has changed?

Posted on 14 July 2009 by EHRTech.info

Abstract
The 2009 HITECH Act expands HIPAA’s coverage and definitions to include covered entities’ business associates, a definition of security breach and its disclosure requirements, new restrictions on the use and disclosure of protected health information, new patient rights, mandatory compliance audits and heightened HIPAA enforcement.

2009 HIPAA; what has changed?
Many changes have been made to HIPAA as part of the 2009 HITECH Act. Many existing rules were expanded and qualified, and additional penalties and required actions for violations were introduced. A proactive response to the new requirements should be best practice for all health care providers, with careful attention paid to the further expansion of requirements and enforcement over the next 18 months.

Expanded definition of security breach

One of the most significant changes is the burden placed on a health care provider or covered entity that suffers a breach of unsecured health information. This applies not just to electronic data, but to any breach of data stored by the provider. HITECH establishes a rule that all individuals affected by the breach must be notified within 60 days of the security violation. Additionally, if more than 500 records were compromised, then “prominent media outlets” must be notified as well. A breach is defined as the acquisition of an individual’s unsecured identifiable health information by any person without their authorization. The notification of the breach will also be posted on the HHS website when more than 500 records are breached.

New restrictions on use and disclosure

Additional restrictions on the use and disclosure of protected health information are also part of the expansion of HIPAA privacy. A covered entity is prohibited from receiving remuneration for protected health information in excess of the cost of preparing and transmitting the data, and then only with the authorization of the individual and for research purposes. Marketing to individuals based upon protected health information becomes more restrictive as well, and any direct marketing is often prohibited if money is exchanged by any of the parties involved in marketing to the individual without the individual’s consent.

New guidelines will set forth the definition of the minimum information necessary for treatment. This definition is used to determine what information can be transmitted between parties for purposes other than treatment of the patient. The guidelines are due within 18 months and will be defined by HHS.

New patient rights
Patients will be happy to hear that several new rights have been granted to them regarding the use and disclosure of their health information. Patients have the right to request that providers not share their health information with a health insurer if the patient is paying the full cost of the services provided. Additionally, providers are required to provide a patient with a copy of their health record once a year. Covered entities maintaining electronic health records must also provide an audit accounting of all disclosures for treatment, payment and health care operations for a three-year period. Many of these features will be included in the patient health record portal that good EHR systems should include. Last of all is the right to opt out of fundraising communications and opportunities. Opt-out rights have existed in the past, but fundraising communications must now state the patient’s right to opt out of future fundraising solicitations.

HIPAA coverage for business associates
Additional restrictions on how data is shared with a covered entity’s business associates have been defined as well. All business associates of a covered entity must comply with HIPAA security requirements and data sharing policies. This legislation now brings technology vendors, practice management companies, transcription services, billing services, attorneys, accountants and many other types of business associates under the direct regulation of HIPAA.

Heightened HIPAA enforcement
New, more severe penalties are effective immediately for HIPAA violations.

Increased monetary penalties:
-    Unknowing violations: $100 per violation, up to $25,000 annually
-    Reasonable cause violations: $1,000 per violation, up to $100,000 annually
-    Willful neglect violations: $500,000 per violation, up to $1.5 million annually, with civil penalties starting in 2011

Additionally, state attorneys general are now granted the authority to bring civil actions for HIPAA violations. The HITECH Act also clearly defines that criminal penalties may be imposed under HIPAA on individuals or entities that wrongfully obtain protected health information.

Mandatory Compliance Audits

HHS will be required to conduct periodic audits of covered entities and business associates to evaluate HIPAA compliance.

Subscribe to eHRTech.info to stay updated with the latest information and resources for your eHR system.



HITECH Act Basics

Posted on 10 July 2009 by EHRTech.info

With the introduction of the HITECH Act in early 2009, there is a plethora of information and misinformation surfacing for providers. This article is a simple breakdown of the HITECH Act and what it means to healthcare providers as of today. It is important to note that few absolutes have been defined by the governing organizations, including the method of disbursement.

The HITECH Act is part of the American Recovery & Reinvestment Act signed by President Obama on February 17, 2009. It includes $36 billion in funds available to physicians and healthcare providers for the implementation AND USE of an EHR system that is certified against the standards to be set forth near the end of 2009.

Funding is available for physicians and, in rural areas, for some physician assistants and nurse practitioners who have Medicare and Medicaid billings. Practitioners have two options: incentives through Medicare or through Medicaid, but not both.

Medicare incentives are based on a percentage of Medicare billings, up to $44,000 over five years starting in 2011. Physicians in a health provider shortage area will be eligible for a 10% increase.

Medicaid incentives are for physicians who see more than 30% of their patients paying with Medicaid (20% for pediatricians); they are eligible for up to $64,000 over five years, with the majority of the payment, $35,000, during the first year and $10,000 over each of the next 4 years.

The HITECH Act declares that physicians must not only implement an EHR system, but demonstrate “meaningful use.” Within the Act, meaningful use is defined in three ways:
-    Use of a certified product complete with ePrescribing capability, as determined appropriate by the Secretary of HHS
-    The EHR technology is connected for the electronic exchange of PHI
-    Compliance with the submission of reports on clinical quality measures

It is important to note that the standards for certification have not been released yet, so no system is currently certified. Additionally, it is expected that meaningful use will be more clearly defined in the upcoming months as more documentation is released by CMS.

Key Milestones
-    September 2009: CMS releases process for obtaining incentives
-    December 2009: Standards for certification should be released
-    2011: First payments from HITECH will be issued
-    2014: Demonstration of meaningful use required or penalties begin

In short, the HITECH Act, like much new legislation, requires additional definition by the regulatory and oversight organizations within the government that will distribute funding and enforce policy. While this act will benefit most physicians tremendously over the next 5 years, it is important to stay regularly updated on new mandates and interpretations of the law.
