Many of you have now heard that the HHS Office of Civil Rights withdrew the Final Rule for Breach Notification pending “further consideration”. The language had been submitted for final administrative review on May 14, 2010.
The breach notification statute in ARRA/HITECH and the associated IFR (interim final rule) require that an organization suffering a breach notify each affected patient directly and, if the breach covers over 500 records, notify HHS as well; HHS publishes a list of such breaches on its website.
Even apart from the statements by HHS, breaches of protected health information are by their nature a hot-button issue in the press, and an important topic for privacy advocates, healthcare organizations, and patients.
As background,
- Read a notice on the HHS website that cites the complexity of the issue and states that “the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.”
- HHS intends to publish a final rule in the Federal Register in the coming months.
- HIMSS has confirmed with HHS that the IFR continues in full force and effect until a final rule is issued.
But take note: the IFR also added a provision not contained in ARRA, the so-called “harm standard”, which requires healthcare organizations to notify patients only if the breach causes actual harm to the patient. The provision allows the healthcare organization itself to make the determination of potential harm.
Privacy advocates and congressional representatives have demanded that HHS remove the harm provision, while some provider groups expressed support for the harm standard, arguing that deletion of this provision would cause an onerous reporting burden and “notification fatigue” for patients.
My take: after following recent press coverage and reviewing the current list of reported breaches on the HHS site, several observations stand out:
- A significant number of the breaches reported thus far have resulted from theft/loss of portable computers or storage devices containing PHI (physical/administrative security).
- Many of the breaches documented on the list, as well as some detailed in the press, have resulted from breaches at a Business Associate of the healthcare organization (Business Associate Agreements).
- In addition to legal judgments, fines and reputational damage, the Corrective Action Plans (“CAPs”) for several recent breaches require that the organization make changes in areas such as security controls, security programs and training. (These are basic security program elements.)
To be sure, safeguarding PHI is a difficult, ongoing task. However, by now, healthcare organizations should clearly see the risk they take when not putting sufficient attention and resources into security risk assessment and compliance activities.
When recent data show that many breaches have resulted from the failure of organizations to implement basic security controls in their own healthcare setting and at their Business Associates, as required by HIPAA, it is time for healthcare professionals to take notice.
Tools and resources are available at HIMSS and elsewhere. We simply must deal head-on with security challenges. This is a call to action.
Dear Lisa, thank you, this was very useful. In fact, the day the announcement was made, the news mentioned “withdrawn”, and many people who heard that asked me if the rule doesn't apply any more! I had to tell them the IFR is still in effect.
If you have noticed the details of breaches which were fined by a state entity, the causes were not just theft or loss of a computer, but more than that. I reviewed three cases and the reasons I found are eye-openers; some examples:
1. Policies and procedures not updated: many of the provider's policies and procedures were as old as 2003 and not reviewed.
2. Inability to limit access as per roles: the provider had a system, PCI (Patient Care Information), which is considered a PHI system, and the privacy officer stated that their IS personnel told her they do not have any means of blocking or limiting what information can be accessed once logged in.
3. Inadequate safeguards to prevent unauthorized access: the Director of the hospital stated that they decided to audit the access of only i) VIP patient records, ii) patients with unusual diagnoses and iii) patients with a “no information” request (patients who requested that their information be kept confidential and not disclosed without their permission). The Director went on to state that the measures they have would not have discovered what the employee was doing.
4. Inadequate audit logs: the privacy officer stated that she started doing the audit only in June last year and she doesn't have a schedule of audits in place yet.
5. Inadequate alert on unauthorized access: the Director of Clinical Informatics stated that their computer system does not have a way to alert anyone to inappropriate or unusual access to clinical records.
6. Inadequate measures to secure medical records: the Director of Informatics stated that he has not talked to the vendor (who supplies their PHI system) about patient confidentiality, safeguards for records and tracking of unusual activity by users.
In fact, none of the entities that were fined had loss of a computer as the reason for the breach; the causes were any of the above or more.
What is your take on these cases in California?
Regards
Follow me on Twitter @cranjanbmc
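Items 3 through 5 in the comment above (audit limited to VIP records, no audit schedule, no alerting on unusual access) describe gaps that a routine, automated review of EHR access logs is meant to close. The script below is an added editorial example, not code from the post, any commenter, or any real EHR product; the log format, user names, patient IDs, care-team table and "confidential" flag are all constructed for illustration. It applies four simple rules to every access event rather than to a hand-picked subset of patients: access without a treatment relationship, access to a confidential-flagged record by someone outside the care team, unusually high volume of distinct records by one user, and after-hours access.

```python
"""Review EHR access logs for unauthorized or unusual record access.

Added example for this page. The CSV layout, sample events, care-team
table and confidential flags below are constructed for illustration and
do not come from any real system or from the HHS breach list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one access event per line,
# timestamp,user,role,patient_id,action
SAMPLE_LOG = """\
2010-06-01T08:02:11,nurse.ann,RN,P1001,VIEW
2010-06-01T08:05:40,dr.lee,MD,P1001,VIEW
2010-06-01T08:09:02,clerk.bob,CLERK,P2002,VIEW
2010-06-01T08:10:15,clerk.bob,CLERK,P2003,VIEW
2010-06-01T08:11:30,clerk.bob,CLERK,P2004,VIEW
2010-06-01T08:12:45,clerk.bob,CLERK,P2005,VIEW
2010-06-01T08:14:00,clerk.bob,CLERK,P2006,VIEW
2010-06-01T09:30:00,nurse.ann,RN,P3003,VIEW
2010-06-01T22:15:00,dr.lee,MD,P1001,VIEW
"""

# Constructed treatment relationships: users on each patient's care team.
CARE_TEAM = {
    "P1001": {"nurse.ann", "dr.lee"},
    "P2002": {"clerk.bob"},
    "P2003": {"clerk.bob"},
    "P2004": {"clerk.bob"},
    "P2005": {"clerk.bob"},
    "P2006": {"clerk.bob"},
    "P3003": {"dr.kim"},  # nurse.ann is NOT on this team
}
# Patients who asked that their record be kept confidential ("no information").
CONFIDENTIAL = {"P3003"}


def parse_log(text):
    """Parse the constructed CSV access log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def detect_anomalies(events, care_team, confidential,
                     volume_threshold=5, window=timedelta(hours=1),
                     after_hours=(20, 6)):
    """Return a list of (rule, user, detail) alerts.

    NO_TREATMENT_RELATIONSHIP  user is not on the patient's care team
    CONFIDENTIAL_RECORD        confidential-flagged record, non-team user
    HIGH_VOLUME                distinct patients per user in `window`
                               reached `volume_threshold` (detail = count)
    AFTER_HOURS                access between after_hours[0] and
                               after_hours[1] o'clock (low-severity signal)
    """
    alerts = []
    per_user = defaultdict(list)
    for e in events:
        team = care_team.get(e["patient"], set())
        if e["user"] not in team:
            alerts.append(("NO_TREATMENT_RELATIONSHIP", e["user"], e["patient"]))
            if e["patient"] in confidential:
                alerts.append(("CONFIDENTIAL_RECORD", e["user"], e["patient"]))
        start, end = after_hours
        if e["ts"].hour >= start or e["ts"].hour < end:
            alerts.append(("AFTER_HOURS", e["user"], e["patient"]))
        per_user[e["user"]].append(e)

    # Sliding window per user: count distinct patients viewed within `window`.
    for user, evs in per_user.items():
        evs.sort(key=lambda x: x["ts"])
        for i, e in enumerate(evs):
            seen = {x["patient"] for x in evs[i:] if x["ts"] - e["ts"] <= window}
            if len(seen) >= volume_threshold:
                alerts.append(("HIGH_VOLUME", user, len(seen)))
                break  # one alert per user is enough for review
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(parse_log(SAMPLE_LOG),
                                               CARE_TEAM, CONFIDENTIAL):
        print(f"{rule:26} user={user:10} detail={detail}")
```

On the constructed sample this flags the nurse viewing a confidential patient she is not assigned to, the clerk paging through five distinct records in a few minutes, and a physician's late-evening access to a patient on his own team. The last one is deliberately kept as a low-severity signal: the point of running every rule over every event, on a schedule, is that a reviewer then decides what is legitimate instead of only ever looking at VIP records.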
Great article Lisa. I would also stress that the depth of tools and resources available related to Privacy and Security from HIMSS is unsurpassed.
Lisa’s comments are right on, but I would add, and think both the recent incidents we have witnessed as well as the results of the recently released HIMSS Analytics Study on the Impact of HITECH on Healthcare Privacy and Security would support, that many Business Associates have not stepped up to their responsibility and present a real risk to the Covered Entities they work with. I think the Study cited over 30% of Business Associates interviewed did not even know that HIPAA had been extended to cover them. I know this is something that many have spoken to and written about, but clearly greater outreach to businesses serving the healthcare industry is needed to close this gap. Subcontractors are more at risk as they are by definition one or more layers removed from the Covered Entity and may not have direct interaction. Business Associates will need to ensure their subcontractors receive appropriate notice and education as well.
Part of the responsibility for this outreach belongs to the Covered Entities themselves, and many would argue that they alone are in the best position to accomplish this. First because they know who their Business Associates are, and secondly because there is an obligatory relationship garnering the Business Associates' attention. They also have a responsibility to identify who their Business Associates are and to review those relationships to make sure the proper documentation is in place. In fact, some hospitals have already begun tightening up their processes with vendors by including security specifications in RFPs and selection criteria, revising and reissuing Business Associate Agreements to address updated requirements from HITECH, and even formal Security Agreements as part of their contracts to ensure expectations for data privacy and protection are clearly articulated and conveyed.
Compliance is not a profit center, but a cost center. One of the hospitals we talked to said, “We do not have budget for this!” Every hospital has about 20+ business associates (BAs), but only a few check for compliance by a BA.
Health Information Exchanges (HIEs) are also BAs. If you look at their budgets, the spend on security and privacy is negligible. Political will to enforce the regulation may need some time! How many hospitals have checked the compliance level of their HIE? Does CMS or HHS have any mechanism to certify them as HIPAA compliant?
Duh!