EHR access lost during Hurricane Sandy

Hurricane Sandy this week tested the East Coast health care system’s electronic infrastructure. Emergency preparedness plans went into effect fairly smoothly at most health care facilities, allowing them to continue operating adequately. Others, however, were hit harder, and some lost access to their EHRs. Notably, the EHR outages were not confined to the flood zone: hospitals in Pittsburgh lost access to their records because the data center serving them sat in New Jersey.

Via Modern Healthcare:

Power outages across New Jersey, New York and Pennsylvania forced some hospitals to evacuate and others to rely on backup generators in the wake of superstorm Sandy.
 
The powerful and massive storm, which reached the coast in southern New Jersey around 8 p.m. on Monday, is responsible for at least 35 deaths, the Associated Press reported.
 
One Manhattan hospital was forced to evacuate 300 patients hours after Sandy's landfall when backup power failed. Evacuation of the New York University Langone Medical Center was complete by late Tuesday morning, a statement from the hospital said.

Meanwhile, plans to evacuate about 200 patients from Coney Island Hospital were underway early Tuesday afternoon, said Evelyn Hernandez, a spokeswoman for New York City Health and Hospitals Corp., which owns the hospital. Backup power was restored on Tuesday to Coney Island Hospital after it lost power during the storm. Most patients who depend on ventilators or other devices were evacuated ahead of the storm, but seven critically ill patients remained at Coney Island Hospital and relied on battery-supported ventilators during the power outage. Those patients were transferred elsewhere Tuesday morning. 
 
In New Jersey, Palisades Medical Center, North Bergen, began evacuating 83 patients Tuesday morning, said Donna Leusner, a spokeswoman for the New Jersey Department of Health. Flood damage knocked out power to Palisades Medical Center, said a spokeswoman with Hackensack (N.J.) University Medical Center, where Palisades patients were transferred by National Guard troops after 9 a.m. on Tuesday. Hackensack University Medical Center was expected to accept 51 patients from Palisades Medical Center, Nancy Radwin, an HUMC spokeswoman said.
 
Approximately 30 New Jersey acute-care hospitals were operating on backup generators after the storm, said Kerry McKean Kelly, a spokeswoman for the New Jersey Hospital Association.
 
Eight Pennsylvania hospitals experienced power outages and were operating on backup generators on Tuesday, the state Health Department said.
 
North Shore-Long Island Jewish Health System reported that Glen Cove (N.Y.) Hospital, Huntington (N.Y.) Hospital, Plainview (N.Y.) Hospital, Syosset (N.Y.) Hospital and its Stern Family Center for Rehabilitation, Manhasset, were operating on backup power, as was one campus of the two-campus Staten Island University Hospital in New York City.
 
Also, Staten Island University Hospital could no longer access electronic health records after flooding on Monday disrupted power to the building where data is stored. Doctors continued to use paper records on Tuesday.
 
Other hospitals lost access to EHRs during the storm. Doctors at West Penn Allegheny Health System in Pittsburgh reverted to paper and written orders as the storm came ashore and damaged a data center in Mountain Lakes, N.J. Dan Laurent, a spokesman for the system, said Allegheny General and Western Pennsylvania hospitals, both in Pittsburgh, and the emergency room at Forbes Regional Hospital, Monroeville, could not access electronic medical records between 8:30 p.m. on Monday and 4 a.m. on Tuesday.

By Melanie Evans

“Superstorm Sandy knocks out power at East Coast hospitals, prompting evacuations,” Modern Healthcare (October 30, 2012)

Data breach costs Massachusetts hospital $750,000

South Shore Hospital in Weymouth, Massachusetts agreed this week to pay $475,000 to settle allegations arising from a 2010 data breach that affected the confidential health records of more than 800,000 patients. The records were on unencrypted backup tapes that went missing in transit. The hospital has already spent $275,000 on new security measures since the breach, bringing its total cost to $750,000.

Via Boston Business Journal:

The settlement resulted from a data breach reported to the attorney general's office in July 2010 that included individuals' names, Social Security numbers, financial account numbers, and medical diagnoses, the news release said.

South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes with the personal information and health information from 800,000 individuals, the release said. The tapes were being shipped to a remote location so that Archive Data Solutions could erase the tapes and resell them, according to the release. Only one of the boxes arrived at its destination in Texas, the press release said, and the missing boxes have not been recovered. There are no reports of unauthorized use of the personal information.

Approved in Suffolk Superior Court, the settlement includes a $250,000 civil penalty and a payment of $225,000 for an education fund to be used by the attorney general's office to promote education related to protecting personal information and health information. The total amount of the settlement was $750,000, but the settlement credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.

As a result of the settlement, South Shore Hospital will be required to take steps to ensure compliance with data security laws and regulations, as well as to undergo an audit of its security measures, the news release said.

“South Shore Hospital to pay $475K over patient data breach,” Boston Business Journal (May 9, 2012)
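The tapes in this settlement left the building unencrypted, which is why two missing boxes became a reportable breach rather than lost hardware. As an added illustration, not code from South Shore Hospital, Archive Data Solutions or the Boston Business Journal, the Go program below shows the two controls a practitioner would want before backup media is handed to a courier: each tape image is sealed under AES-256-GCM with the key held back from the shipment, and a serial-number manifest lets the receiver reconcile what arrived against what was sent. The serials, payloads and the one-box-arrives scenario are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TapeImage is one backup tape's contents before it is sealed for shipping.
// Serials and payloads in this example are constructed, not real patient data.
type TapeImage struct {
	Serial string
	Data   []byte
}

// SealedTape is what leaves the building: nonce plus AES-GCM ciphertext, and a
// digest recorded in the shipping manifest so the receiver can confirm a tape
// arrived intact without holding the key.
type SealedTape struct {
	Serial     string
	Nonce      []byte
	Ciphertext []byte
	Digest     string
}

// digestOf hashes nonce||ciphertext; it is the manifest identity of a tape.
func digestOf(nonce, ct []byte) string {
	h := sha256.New()
	h.Write(nonce)
	h.Write(ct)
	return hex.EncodeToString(h.Sum(nil))
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTape encrypts one tape image. The serial is bound as associated data, so a
// tape that is relabelled or whose ciphertext is altered fails to open.
func SealTape(key []byte, img TapeImage) (SealedTape, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return SealedTape{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return SealedTape{}, err
	}
	ct := aead.Seal(nil, nonce, img.Data, []byte(img.Serial))
	return SealedTape{Serial: img.Serial, Nonce: nonce, Ciphertext: ct, Digest: digestOf(nonce, ct)}, nil
}

// OpenTape is the receiving side: check the manifest digest, then decrypt with
// the key that travelled separately from the boxes.
func OpenTape(key []byte, t SealedTape) ([]byte, error) {
	if digestOf(t.Nonce, t.Ciphertext) != t.Digest {
		return nil, errors.New("manifest digest mismatch: tape altered in transit")
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, t.Nonce, t.Ciphertext, []byte(t.Serial))
}

// Reconcile returns the manifest serials that did not arrive. With sealed tapes
// this list is lost hardware; with unencrypted tapes it is lost PHI.
func Reconcile(manifest, received []string) []string {
	got := make(map[string]bool, len(received))
	for _, s := range received {
		got[s] = true
	}
	var missing []string
	for _, s := range manifest {
		if !got[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Three constructed tapes stand in for the three boxes in the settlement;
	// only the first reaches its destination in this scenario.
	tapes := []TapeImage{
		{"T-0001", []byte("constructed backup payload for box 1")},
		{"T-0002", []byte("constructed backup payload for box 2")},
		{"T-0003", []byte("constructed backup payload for box 3")},
	}
	var manifest []string
	var first SealedTape
	for i, img := range tapes {
		s, err := SealTape(key, img)
		if err != nil {
			panic(err)
		}
		manifest = append(manifest, s.Serial)
		if i == 0 {
			first = s
		}
	}
	fmt.Println("unaccounted for:", Reconcile(manifest, []string{"T-0001"}))
	pt, err := OpenTape(key, first)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored:", string(pt))
}
```

The digest check lets the receiver confirm arrival and integrity before the key is released to them, and binding the serial as associated data means a tape cannot be quietly relabelled. What the example does not solve is the hard part: where the key lives, who can release it, and how it is rotated, which is exactly the kind of control a risk analysis has to document.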

HHS publishes EHR privacy and security guide

The ONC’s Office of the Chief Privacy Officer (OCPO) has published a “Guide to Privacy and Security of Health Information” intended to help healthcare practitioners and their staffs better understand the roles of privacy and security in the meaningful use of electronic health records.

Via Healthcare IT News:

Earlier this spring Healthcare IT News reported the results of a study from HIMSS Analytics and Kroll that showed security breaches are still widespread in healthcare – despite increased attention paid to patient privacy.

The ‘HIMSS Analytics Report: Security of Patient Data,’ suggested that, despite increasingly stringent regulatory activity with regard to reporting and auditing procedures, most providers were prioritizing compliance with the rules over actually bolstering their own organizations' security protocols.

So the new ONC guide, which seeks to offer a comprehensive, easy-to-understand resource to help providers incorporate robust privacy and security routines into their clinical workflow, comes at a crucial time.

Developed by OCPO in partnership with the American Health Information Management Association (AHIMA) Foundation, the 47-page guide offers detailed guidance on topics such as security risk analyses and management tips, and working with EHR and health IT vendors.

The guide also offers a 10-step plan for reinforcing privacy and security protections before attesting for meaningful use:

1. Confirm your organization is a covered entity. Most healthcare providers are covered entities, and thus, have HIPAA responsibilities for individually identifiable health information. The Department of Health and Human Services offers tools that can help you confirm your organization's status.

2. Provide leadership. Emphasizing the importance of protecting patient information to all your employees is central to ensuring a culture where security is treated with the importance it deserves.

3. Document your process, findings and actions. The Centers for Medicare & Medicaid Services (CMS) advises all providers attesting for meaningful use to retain all relevant records that support attestation. Record all your practice decisions, findings and actions related to safeguarding patient information.

4. Conduct security risk analysis. A security risk analysis – or a reassessment, if you've already done one – compares your current security measures to what is legally and pragmatically required to safeguard personal health information, and identifies high priority threats and vulnerabilities.

5. Develop an action plan. Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan must have five components, the guide notes: administrative, physical, and technical safeguards; policies and procedures; and organizational standards.

6. Manage and mitigate risks. Begin implementing your action plan. Develop written and up-to-date policies and procedures about how your practice protects personal health information. Do not lose sight of basic security measures, some of which can be low-cost and highly effective.

7. Prevent with education and training. To safeguard patient information, your workforce must know how to implement your policies, procedures, and security audits, according to ONC. HIPAA covered providers must train their workforces (employees, volunteers, trainees, and contractors) on your policies and procedures. Staffs must receive formal training on breach notification.

8. Communicate with patients. Your patients may be concerned about confidentiality and security of their health information in an EHR, the guide points out. Emphasize the benefits of EHRs to them as patients, perhaps using consumer education handouts that others have developed, and reassure them that you have a system to proactively protect their health information.

9. Update business associate agreements. Ensure your business associate agreements require compliance with HIPAA and HITECH breach notification requirements. This will require your business associates to safeguard protected health information they get from your practice, train their workforce, and adhere to breach notification requirements.

10. Attest for the security risk analysis meaningful use objective. Only apply for an EHR incentive program once you've fulfilled the security risk analysis requirement and have documented your efforts, the ONC guide emphasizes, pointing out that when you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Participants in the EHR Incentive Program can be audited.

Beyond HIPAA and HITECH, ‘ensuring privacy and security of health information, including information in electronic health records, is a key component to building the trust required to realize the potential benefits of electronic health information exchange,’ the ONC guide notes. ‘If individuals and other participants in a network lack trust in electronic exchange of information due to perceived or actual risks to electronic health information or the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences.’

Access the ONC Guide to Privacy and Security of Health Information here.

“ONC privacy and security guide offers 10 steps for MU,” Healthcare IT News (May 9, 2012)