Steve Fox interviewed by InformationWeek about EHR contracts

Posted on August 24, 2010 by Vadim Schick

Our own Steve Fox was interviewed by InformationWeek regarding the essential protections healthcare providers should include in their EHR contracts with health IT  vendors.  In particular, Steve warned providers against simply accepting vendor agreements without carefully reviewing and negotiating the key provision therein. Via InformationWeek:

"Many health IT vendors offer online contacts that prompt the physician to click the 'agree' button. Unfortunately some of these agreements have no warranties and in fact disclaim many standard warranties, so the vendors are selling their products 'as is,' which means if something goes wrong they are not responsible," Fox told InformationWeek after his presentation. "Some contracts even go further and say if a third party, for example the patient, would sue as a result of a problem with the EHR, the physician has to indemnify and defend the vendor even if it was the vendor that caused the problem."

You can read more after the jump, or by clicking here.

 

Steve also opined on the reluctance of vendors to promise meeting future regulatory requirements, including the upcoming standards for Stages 2 and 3 of meaningful use:

"We do know there will be new meaningful use requirements for Stage 2 and 3, and it's a moving target. Many vendors are unwilling to agree to future, unknown regulations, saying 'We don't know what we don't know,' but vendors need to remember that providers are paying them a lot of money for support and maintenance to meet those requirements. This is a big area of tension between providers and vendors right now," Fox said.

Finally, Steve offered a few suggestions on some of the critical provisions relating to data access and ownership, as well as safeguarding the privacy and security of protected data:

For those providers adopting software-as-a-service models to outsource their EHRs, Fox recommends that providers restrict vendors from holding data "hostage" and ensure unfettered access to customer data, including protected health information (PHI), on vendors' systems.

He also said providers should insist that vendors routinely back-up data and mandate the return of customer data upon termination of the contract as well as ensure security of data and access to such data if the vendor goes out of business.

With regard to security, Fox said providers need to stress confidentiality of PHI and make clear who owns the data and establish guidelines for the use of data by a vendor. Healthcare providers should also negotiate agreements that include intellectual property issues, obligations of nondisclosure, remedies for breach of patient information, and indemnification obligations.

"Health IT Contracts Offer Little Protection For Buyers," InformationWeek (August 24, 2010).

 
Tags: , , , , , , , , , , , , , , , ,

Final breach notification rules delayed

Posted on July 29, 2010 by Steve Fox and Vadim Schick

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. The rule became effective on September 23, 2009. 

During the 60 day public comment period, HHS received 120 comments, after which HHS developed a final rule and submitted it to the Office of Management and Budget for regulatory review on May 14, 2010.  However, on July 27, 2010, HHS issued a statement that they are withdrawing the final rule from OMB:

HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months.

HHS's withdrawal remains a bit of mystery.  However, Post & Schell's Ed Shay has a couple of thoughts, which you can read after the jump.

Ed Shay believes one of the reasons could be the controversy regarding the "harm threshold" element of the rule, which we discussed earlier this year.  This "harm threshold" essentially requires the organization which discovers a breach to undergo a risk assessment test to determine whether a breach would cause "significant harm" to the affected person.  According to Ed:

Apart from the politics of the IFR, there is the underlying reality of asking the industry to reach reasonably consistent determinations on risk of harm. I am sure many on this list have now been through the exercise of evaluating risk of harm, an exercise which leave room for a wide range of judgment in my opinion. Some covered entities will over-report, others will under-report [especially when reporting a 500+ breach may invite a large penalty for the underlying unauthorized use or disclosure. I think that he guidance on what goes into the risk of harm analysis is quite limited, even when one pursues the reference to the OMB circular, or state law which varies greatly on what constitutes reputational harm. Based upon almost one year of reported HIPAA breaches that have very likely been compared by OCR to breaches reported under state laws in states with no risk of harm proviso, OCR may be finding that a lot that OCR expected to be reported is not being reported--with the inference being that risk of harm has proven too judgment dependent in its implementation.

If risk of harm is not the issue, then I would offer that finalizing subcontractor BAs would have to precede finalizing breach notification. If subcontractor BAs survives the proposed rule, then reporting upstream has to be addressed in final breach notification rules.

You can find HHS's brief press release on the subject by clicking here.
Tags: , , , , , , , , , , , ,

Rite Aid settles FTC and OCR privacy charges

Posted on July 29, 2010 by Steve Fox and Vadim Schick

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe. 

Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public.  Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed.  Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).

 

In addition, OCR and FTC found that Rite Aid:

  • failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
  • failed to adequately train employees on how to dispose of such information properly;
  • failed to employ a reasonable process for discovering and remedying risks to personal information; and
  • did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Pursuant to their settlement with HHS, Rite Aid agreed to pay HHS a cool $1 million and agreed to implement a strong corrective action program (lasting 3 years) which includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

Finally, Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order, which will be in place for 20 years.

FTC and OCR have previously filed charges against CVS Caremark, another major pharmacy chain which was reported to engage in similar violations to Rite Aid's.  

The current economic conditions require most organizations to do more with less. The unfortunate end result is that long term projects, such as major privacy and security compliance reviews and overhauls get postponed and overlooked.  Rite Aid and CVS cases should remind covered entities and other organizations responsible for keeping patient information safe that neglect or procrastination with regard to privacy policies and practices can lead to major fines, PR embarrassments and excessive compliance and legal costs. 

It is also key to remember that your organization must comply with its own privacy policies and procedures -- otherwise, FTC can charge your organization for "false promises," as was the case with Rite Aid.  In order to comply with such policies, however, your organization must train the staff about the critical importance of privacy.  Without such training, all the policies and procedures will be rendered entirely ineffective.

You can read the full OCR press release by clicking here.

You can read the full FTC press release by clicking here.
Tags: , , , , , , , , , , , , , , , , , ,

HHS issues NPRM on HIPAA Privacy, Security and Enforcement Rules

Posted on July 8, 2010 by Steve Fox and Vadim Schick

On July 7, 2010, HHS issued a notice of proposed rule making (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules."  Via HHS Press Release:

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

You can view the NPRM by clicking here.

"Notice of Proposed Rulemaking to Implement HITECH Act Modifications," HHS Press Release (July 7, 2010).

Tags: , , , , , , , , , , , , , , , , ,

HealthNet and Connecticut settle breach suit

Posted on July 8, 2010 by Steve Fox and Vadim Schick

In November of 2009, health insurance provider HealthNet reported a loss of a portable disk drive (which occurred six months prior to HealthNet's report). The disk drive contained compressed, though not encrypted, data, including social security and bank account information, on nearly half a million persons.  This loss outraged the Connecticut Attorney General Richard Blumenthal, eventually leading Connecticut to file suit against the insurer for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.

However, on July 6, 2010, Blumenthal (who is currently running to replace Chris Dodd (D-CT) in the U.S. Senate) announced that Connecticut has reached a settlement with HealthNet and its parent companies over this breach.  According to Blumenthal, this is the very first time a state Attorney General reached such a settlement for a HIPAA violation. The settlement included:

  • $250,000 fine to be paid to Connecticut;
  • $500,000 contingency fund, to be paid to the state in the event it is determined that someone accessed the protected data on the lost disks; and
  • a "corrective action plan" which is aimed to enhance security of protected data in possession of HealthNet and its parent companies.

It is important to keep in mind that the penalties could have been even higher. Yet regardless of the amount of the fine, this breach cost much more to HealthNet than $250,000.  The costs associated with investigations, breach notification, and possible legal fees almost certainly cost the organization more than the amount of the fine imposed by Connecticut.  Thus, HealthNet's example should serve as a great reminder about the importance of doing everything possible to avoid a breach, and knowing how to handle a breach effectively if one does occur.

"Blumenthal wins $250,000 in Health Net settlement," TheDay.com (July 6, 2010).

Tags: , , , , , , , , , , ,

Major breach at a New York hospital affects over 130,000 patients

Posted on July 1, 2010 by Steve Fox and Vadim Schick

Lincoln Medical and Mental Health Center (LMMHC) in New York suffered a major breach affecting 130,495 of its patients, according to a notice provided to HHS.  The breach occurred when the hospital's contractor, Siemens Medical Solutions USA, shipped seven password-protected, but not encrypted, CDs containing patient information via FedEx; and these CDs were subsequently lost in transit.  Via Bloomberg Business Week:

The CDs were sent by the hospital's billing processor, Siemens Medical Solutions USA, around March 16, but never arrived at their intended destination. They included sensitive health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, driver's license numbers and even descriptions of medical procedures, the hospital said on a note posted to its Web site.

<...> Siemens is no longer FedExing CDs to Lincoln, the hospital said. It is not aware of any of the data being improperly accessed.

LMMHC's breach should serve as a reminder for all healthcare providers currently negotiating health IT contracts to include proper protections in the event its vendor causes a breach or loss of protected data.  This is particularly crucial in the post-HITECH Act era.  

We always include specific compliance with privacy laws warranties, indemnification clauses and limitation of liability carve-outs for vendor's own negligent acts or omissions which result in a data breach or loss.  LMMHC's example clearly illustrates that providers must insist on such protections -- often, over strenuous objections from vendors -- because, otherwise, providers may be exposed to a wide range of expenses and damages from third-party claims, fines, investigations and breach notification associated with a data breach or loss resulting from vendor's actions.

For more information, please listen to or view the slides from our Webinar on negotiating "must-have" provisions in HIT contracts.

"New York hospital loses data on 130,000 via FedEx," Bloomberg Business Week (June 29, 2010).

Tags: , , , , , , , , , , , , ,

California hospital breached patient privacy by faxing records to a wrong number

Posted on June 28, 2010 by Steve Fox and Vadim Schick

Breaches are not always caused by lost laptops or hackers.  They often result from simple errors by the hospital's or another provder's own staff.  In a very recent example, the California Department of Public Health found two instances of serious mishandling of protected patient information at Children's Hospital of Orange County.  Via Orange County Register:

In the first instance, the state found that after a doctor called to give the hospital a new fax number, patient records were instead sent to an auto business. Six faxes with health care information were picked up from the business, the report says.

A month later, the auto shop again notified the hospital that it had received a fax with a patient's name, date of birth and details of visits. The hospital discovered that the wrong fax number had not been changed in a data base.

Hospital staff said the breach would have been prevented if a test fax had been sent as required by hospital policy, the report said.

The other privacy breach occurred when the name of an emergency room patient's doctor was incorrectly entered into the system. Records were then faxed to the wrong doctor who notified the hospital.

CHOC is auditing its database to make sure information is accurate.

It is not clear whether CDPH is going to impose a fine on CHOC like the agency did earlier this month to five different hospitals. Regardless, this episode should serve as a great reminder for healthcare providers about how simple mistakes can lead to costly and highly embarrassing data breaches, especially in instances where the provider fails to adhere to its own privacy policy. 

"State blames CHOC in wrong-site surgery," Orange County Register (June 25, 2010).

Tags: , , , , , , , , , ,

Updated: breaches and fines on the rise

Posted on June 16, 2010 by Steve Fox and Vadim Schick

The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010.  Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year.  We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:

  • On May 28, 2010, Cincinnati.com reported that “Cincinnati Children's Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.”  Information lost included not only PHI, but also Social Security numbers and even credit card data.  The records on the laptop were password protected, but they were not encrypted.  The hospital reported the breach, hired a consulting company to deal with same, and offered affected individuals ID theft protection at no charge.  The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children's Hospital for losses associated with loss of improperly stored credit card information. 
  • Five hospitals in California were fined a combined total of $675,000 by the California Department of Public Health for patient privacy violations, failing to prevent unauthorized access to confidential patient medical information of 245 patients, which were improperly accessed by a total of 32 employees.  On June 10, 2010, Press-Enterprise reported that the Community Hospital of San Bernardino was fined by the state of California a total of $325,000 for breaches of more than 200 patient records by two employees in 2009.  Violations were significant, but, considering the fine, far from gruesome.

Please click here to read more.

In the first instance,

an unidentified radiology technician accessed 204 records for 177 patients between Jan. 10, 2009, and Feb. 22, 2009, without having a clinical reason to do so. The investigation report doesn't indicate whether the employee used the information she got or contacted the patients.

In a second investigation, inspectors found that a medical imaging department employee allowed a friend who was visiting her into a restricted access room where the employee worked. The visitor could overhear patients discuss their personal information with the employee, a report states.

This should serve as an important reminder about the far-reaching nature of medical information privacy laws -- both federal and local.  California has a particularly strict medical privacy law, enacted in 2008.  Breach does not mean just a lost laptop, hacking or intentional access of a celebrity's records, as we saw last year in California.  It could be a wide range of activities, and hospitals and other providers should pay close attention to the fast-changing regulatory environment, create or modify their policies and procedures accordingly and, perhaps even more crucially, train their staff to comply with such necessary policies and procedures.

"Missing records on stolen laptop from Cincinnati Children's Hospital," Cincinnati.com (May 28, 2010).

"SB hospital fined $325,000 for breach of patient records," Press-Enterprise (June 10, 2010).

"Large Patient Information Breaches List Nears Century Mark," Health Leaders Media (June 16, 2010).
Tags: , , , , , , , , , , , , ,

Medical associations sue FTC over Red Flags Rule

Posted on May 24, 2010 by Steve Fox and Vadim Schick

Just days prior to the latest enforcement deadline of the Red Flags Rule ("RFR"), medical and osteopathic associations sued the Federal Trade Commission (FTC) over the applicability of RFR's identity theft prevention requirements to their member organizations.  FTC is to begin enforcement of the Rule on June 1, 2010.  Among other claims, medical associations are seeking the U.S. District Court for the District of Columbia to prevent the FTC from defining healthcare providers as "creditors" under FACTA.  According to Health Data Management:

'The worst part is, I think, from a strictly ethical point of view, that you have to approach every new patient with suspicion about their identity,' said AMA spokesman Robert Mills. 'That violates every precept of the physician-patient relationship; the FTC is asking doctors to violate their role as trusted healer and counselor.'

The physician groups say that the rule requires them to set up identity theft prevention and detection programs, which aren't necessary, and said the FTC was 'arbitrary and capricious' in extending the application of the law to them. Also, the extension of the Red Flag Rule to doctors would do nothing to improve care, the physician groups say.

<...> According to the lawsuit, complying with the Red Flags Rule 'imposes significant burdens on physicians, particularly sole practitioners, and those practicing in small groups.'

Since most personal health information is already protected by HIPAA, including as modified by the HITECH Act, medical associations argue that the additional privacy safeguards imposed by RFR are simply not necessary.  In addition, the American Bar Association succeeded in excluding lawyers from RFR requirements.  Physicians argue that the exemption of lawyers should apply to healthcare professionals.

We will keep you posted regarding any developments in this case.  However, until the court rules on the AMA's motion, healthcare organizations should remember the June 1, 2010 enforcement date for the Red Flags Rule.  Click here for more information regarding the RFR requirements, but keep in mind the new enforcement date of June 1, 2010.

"Lawsuit: Red Flags Rule Violates Doctor/Patient Relationship," Health Data Management (May 21, 2010).
Tags: , , , , , , , , , ,

Facebook's privacy struggles

Posted on May 19, 2010 by Vadim Schick

The Wall Street Journal devoted the front page of its "Marketplace" section to a report on Facebook's struggles with privacy advocates, regulators like FTC, and, at times, even its own employees.

The company can't afford not to act. The Federal Trade Commission is taking a close look at how online social networks are using people's data, and people close to the matter say it is increasingly focused on Facebook. <...>

A group of senators led by Sen. Charles Schumer (D., N.Y.) called on Facebook to roll back the changes and more than a dozen privacy groups lodged a complaint with the FTC on grounds that Facebook was displaying user information without their consent.

Facebook faces a herculean task of keeping personal information of its 500 million subscribers private and secure.  Privacy is a major stumbling block for this young company, which hopes to earn billions in ad revenues by using the private data it collects from its subscribers. 

Facebook must clearly articulate to its subscribers the privacy risks and security settings available to them; but, ultimately -- as the clever someecard, above, suggests -- the best way to ensure the privacy of one's personal information is not to share it with the world, via Facebook or any other online social networking site.

"Facebook Grapples With Privacy Issues,"  Wall Street Journal (May 19, 2010).

Tags: , , , , , , ,

Prison sentence for hospital employee who breached patient privacy

Posted on May 4, 2010 by Vadim Schick

Back in January, we wrote about Huping Zhou, a former employee at the UCLA Healthcare System, who pleaded guilty to federal charges of breaches of patient privacy.  Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed.

On April 27, 2010, Zhou was sentenced to four months in prison after pleading guilty to four misdemeanor counts of HIPAA violations. Zhou is the first person ever sentenced to prison for violating HIPAA.  According to NBC Los Angeles:

Federal officials say Zhou is a licensed cardiothoracic surgeon in China. In 2003, he went to work for UCLA as a researcher with the UCLA School of Medicine. But his tenure was short and stormy. School officials notified him that he would be dismissed in October that year, and that's when federal officials say the snooping began.

In his plea agreement, Zhou admitted his actions, and that he had no legitimate reason for accessing the records. Federal authorities say there's no evidence that he did it for profit. Apparently, he just did it because he could.

"Former UCLA Healthcare Worker Sentenced to Prison for Snooping, " NBC Los Angeles (April 28, 2010).

Tags: , , , , , , , , ,

Connecticut radiologist breaches privacy of hundreds

Posted on April 1, 2010 by Steve Fox and Vadim Schick

HealthImaging.com reported yesterday that a Connecticut radiologist, previously affiliated with the Griffin Hospital in Derby, Conn. "accessed patient radiology reports on the hospital's PACS using the passwords of other radiologists and an employee within the radiology department. The passwords were obtained and/or used without their knowledge." From HealthImaging.com:

From the investigation conducted by Griffin, it appears the radiologist who gained unauthorized access scanned the PACS directory listings of 957 patients who had radiology studies performed at Griffin during the period and selected and downloaded the image files of 339 of these patients.

On and after Feb. 26, Griffin received inquiries on behalf of patients regarding unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin. The inquiries prompted the investigation that revealed unauthorized intrusions into Griffin's PACS and, thereby, the breach of protected patient health information.

This should serve as a reminder for healthcare providers regarding maintaining the safeguards necessary to prevent wrongful access to patient data.  For example, and there is no indication that this is what occurred in this case, clinicians and other hospital staff should not keep their system passwords on sticky notes next to or on their monitors.  Even if you believe that everyone in your office is fully trustworthy, you never know who can get a hold of such restricted information as usernames and passwords.  The reputational and financial damage to your organization could be very substantial; and your contract with the PACS system vendor is unlikely to indemnify or protect you from such losses.

"Radiologist breaches data, images of nearly 1,000 patients via PACS," HealthImaging.com (March 31, 2010).

Tags: , , , , , , , , , , , , , , ,

ONC publishes white paper on consent options

Posted on April 1, 2010 by Vadim Schick

The Office of National Coordinator for Health IT (ONC) published on its web site a white paper analyzing the policies behind obtaining consent for the purposes of electronic health information exchange.  The paper examined the concept of patient control of their health information, focusing on "the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making."  While the paper was written by researchers at the George Washington University, under contract with ONC, ONC clearly stated in the preamble that this white paper does not actually represent the views of the ONC or HHS.

You can find the full paper (and the attachments) by clicking here.  You can view the executive summary by clicking here.

Tags: , , , , , , , , , , ,

In the news: medical ID theft on the rise; CHIME comments on meaningful; and more

Posted on March 24, 2010 by Steve Fox and Vadim Schick
  • Javelin Strategy & Research survey found over 275,000 cases of medical identity theft in 2009, with an average price tag greater than $12,000 per incident.  This is twice as many cases as in 2008.  Keeping health information safe is going to be of paramount importance in the next decade, especially considering the steep rise in use of electronic health records. According to Computerworld.com (citing a study by IDC, a research firm), "about a quarter of all Americans -- 77 million people -- already have an EHR, up from 14% from in 2009." By 2015, experts believe the number will reach up to 60%, partially due to the transformation of the health IT industry by the HITECH Act.
  • In its comments to CMS regarding the meaningful use NPRM, College of Healthcare Information Management Executives (CHIME) insisted that the present "all or nothing" approach to achieving meaningful use is going to prevent significant numbers of eligible providers from receiving any incentive payments under the HITECH Act.  According to American Medical News:

Among CHIME's suggestions: a gradual implementation process that would allow physicians to qualify for incentives by achieving 25% of meaningful use objectives by 2011, 50% by 2013, 75% by 2015, and 100% by 2017.

'Without an approach that rewards progress or provides sufficient time, organizations with limited resources will likely have little chance of qualifying for payments, thus widening the 'digital divide' in the country,' CHIME wrote.

  • U.S. Senate passed a bill which, if approved by the House and signed by the President, would limit the definition of "hospital-based" eligible professionals to just those practicing in an inpatient or emergency room hospital setting.  If passed, this change would make the Medicare and Medicaid EHR incentive payments available to a far wider range of eligible professionals.
  • CCHIT may be getting some competition from the Drummond Group, which announced plans to become an ONC-authorized certifying body of EHR technology (ONC-ATCB).

"U.S. Senate backs expanded physician eligibility for MU," HealthImaging.com (March 11, 2010).

"Drummond Group in EHR testing for the 'long term'," Healthcare IT News (March 12, 2010).

"Patient Billed for Liposuction as Medical Theft Rises," Bloomberg.com (March 23, 2010).

"As health data goes digital, security risks grow," Computerworld.com (March 22, 2010).

"EMR meaningful use rules warrant gradual approach," American Medical News (March 17, 2010).
Tags: , , , , , , , , , , , , , , ,

Pritts named first ONC Chief Privacy Officer

Posted on February 18, 2010 by Steve Fox and Vadim Schick

Joy Pritts, a researcher and faculty member at Georgetown University's Health Policy Institute, was named as the first Chief Privacy Officer for the Office of National Coordinator for Health IT.  This position was created pursuant to a provision in ARRA, last year's economic stimulus legislation.

In her new position, Ms. Pritts will advise Dr. Blumenthal on forming policies on privacy, security and data stewardship of electronic health information, as well as coordinate similar efforts on state, federal and international levels.

Ms. Pritts is a graduate of Oberlin College and Case Western Reserve University School of Law.  She has testified before Congress on data privacy issues, and served as a member of Technical Advisory Panel for the multi-state Health Information Security and Privacy Collaborative (HISPC) and on the board of the National Governors Association’s State Alliance for e-Health.

According to Government Health IT:

Blumenthal said Pritts, who started her job Feb. 16, has extensive experience on all the issues that ONC grapples with. For instance, she was heavily consulted by members of Congress in legislating the HITECH health IT incentive law.

'So she has an understanding of the legislative process and a policy understanding, in addition to having worked for the government previously,' Blumenthal said in answer to a reporter’s question after a meeting of HHS’s Health IT Policy Committee.

'She has a combination of an understanding of government, understanding of the issues, and her legal background is very important – her research and policy qualifications,' he added.

"HHS appoints Joy Pritts chief privacy officer," Government Health IT (February 17, 2010).

 
Tags: , , , , , , , , , , , ,

Study finds big increases in physicans' online communications with patients

Posted on February 16, 2010 by Steve Fox and Vadim Schick

According to American Medical News (AMN), a new report by Manhattan Research states that online communications by physicians have increased by 14% since 2006.  The survey of 1900 physicians found that 39% of physicians use online communication tools such as email, secure messaging, or instant messaging.

Dermatologists lead all other surveyed practices in the volume of online communications, which, according to Girish Munavalli, MD, assistant professor of dermatology at Johns Hopkins University School of Medicine, can be attributed to "a lot of triage calls and calls for clarification of instructions" which come from dermatologists' large patient volumes. "This is perfect for short e-mail communication and reminders," added Dr. Munavalli.

Dermatologists are followed by oncologists, neurologists, endocrinologists, infectious disease specialists, and primary care physicians.

Of course, certain obstacles remain.  Some doctors abstain from using such technology because of liability worries, while many patients prefer in-person meetings because of concerns regarding privacy of their health information.  Still, the report suggests that this increase may be due to the growing comfort level and acceptance of online communication between physicians and patients.  And it may even indicate a larger trend of greater familiarity and use of other health-related technologies, such as EMRs and personal health records.

Graphic via AMN.  Source: "Physicians in 2012: The Outlook on Health Information Technology," Manhattan Research, January.

"Online contact growing between physicians, patients," American Medical News (February 15, 2010).

 

 
Tags: , , , , , , , , , , , , ,

Rising numbers and costs of data breaches

Posted on January 28, 2010 by Vadim Schick

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information.  Here are just a few notable reports on this subject:

  • Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat:  "the last quarter of [2009] saw an average of 13 400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months."  According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."
  • Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches."  The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.

 

There are also a couple of examples of individual healthcare organizations suffering from increasing costs associated with data breaches:
 

  • According to Chattanooga Times Free Press (via iHealthBeat), BlueCross BlueShield of Tennessee announced that it has spent more than $7 million to respond to a security breach resulting from 57 hard drives having been stolen from its training facility, which may have compromised personal and health data of up to 500,000 members.  $7 million tab does not appear to be the end of it:

The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach [pursuant to the HITECH Act].   <...>

BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

  • Considering the experience of BCBS of Tennessee, the costs associated with HealthNet's infamous data breach must be even higher. On top of providing two years of free credit-monitoring for hundreds of thousands of affected members, HealthNet is being sued by the state of Connecticut for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.  The missing hard drive contained "27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."  Further complicating HealthNet's situation is the fact that the company waited for six months to inform the affected customers of the possible breach.

"Healthcare hacks on the rise," Inforsecurity.com (January 26, 2010).

"Survey: Data breaches from malicious attacks doubled last year," cnet News (January 25, 2010).

"Tab for Response to Data Breach Hits $7 Million for BCBS of Tennessee," IHealthBeat (January 26, 2010).

"AG files suit in health data privacy breach," theday.com (January 13, 2010).

 

 
Tags: , , , , , , , , , , , , , , , , ,

CBS News reports on EHR efforts

Posted on October 21, 2009 by Steve Fox and Vadim Schick

By popular demand, here is the video of David Pogue's report on the Obama Administration's efforts to digitize patient records in the U.S. 


Watch CBS News Videos Online

"Charting a New Course," CBS News (September 13, 2009).

Tags: , , , , , , , , , , , , , , , , , , ,

New York Times interviews David Blumenthal

Posted on October 21, 2009 by Steve Fox and Vadim Schick

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine.After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.

 

On cost of EMRs:

On average, the cost is between $40,000 and $50,000, of which about a third is the software and the hardware, about a third is the cost of getting it set up in the office, and about a third is maintaining it. Much of the expense is related to the cost of implementing and the cost of maintaining it over time.

On privacy and security:

Privacy and security are foundational to a modern health information system. You cannot get the computer into this business without assuring people that their information, their personal information, will be safe.

So we are looking at the best possible technical solutions, technical protections, to privacy and security. We want to make sure that we have looked at every opportunity for encryption, every security device that the best minds can think of, to make information safer. We've got it in other parts of the industry, but we don't have it for healthcare. So I think that's a very important agenda item for us.

<...>

There are two kinds of anxieties. One is that their data may be used for purposes that they haven't authorized it. So if they haven't authorized their personal data to be used for research, they don't want it for that purpose. And the way the law gets around that problem is by saying that information should be de-identified; that is, it should be abstracted from the record in a way that can never be traced back to that individual.

And then that information can be used for research on drug safety, or research on the value of particular treatments, or anything els that may be useful to human health.

There's another kind of fear, and that is the fear of the breach or break-in, or hacking. And there have been some examples of that.

That's where better encryption and better barriers to hacking are critical. And, you know, we have a new cybersecurity initiative that President Obama has put in process. It's well known that the security of information is a national need for defense purposes. It's also, I think, a very important need for this domestic policy purpose. So we want to work with that security initiative to know that we've taken advantage of everything that the federal government and the computer industry knows about how to keep records secure.

Finally, the big picture:

Well, it's a big challenge, it's an exciting challenge, and a historic challenge. There's nothing that's worth doing that's easy to do in life, and this is one of those.

But I really think that history is on the side of this activity. To be a 21st-century physician, to be a 21st-century hospital, we can't record data the same way the Greeks did in 500 B.C. We've gotta move to use the computer to support our work. And that's what we're trying to do.

There'll be bumps on the road. We're not gonna be perfect. We'll make mistakes. But I think the wind is at our back in terms of the historical trends. And we'll get there, sooner or later.

"Computerized Health Records," New York Times (October 15, 2009).

"Charting a New Course," CBS News (September 13, 2009).

 


Watch CBS News Videos Online
Tags: , , , , , , , , , , , , , , , , ,

HIT Standards Committee endorses privacy and security standards

Posted on September 21, 2009 by Steve Fox and Vadim Schick

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems. 
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act.  Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology."   Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.”  The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).

 

 

Tags: , , , , , , , , , , , , ,

HHS News: Interim Final Regulations on Breach Notification; Regional Office Privacy Advisors

Posted on August 20, 2009 by Steve Fox and Vadim Schick

On August 19, 2009, pursuant to the HITECH Act, the Department of Health and Human Services (HHS) published the interim final regulations regarding breach notification requirements for health care providers and other entities covered by HIPAA. 

According to the HHS press release:

The regulations, developed by the HHS Office for Civil Rights (OCR), require health care providers and other HIPAA covered entities to promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals will be reported to the HHS Secretary on an annual basis. The regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

You can find the text of the regulation here.

Stay tuned for more analysis of this important set of regulations on this blog. The interim final regulations are effective 30 days after publication in the Federal Register and include a 60-day public comment period. 

Also, pursuant to Section 13403(a) of the HITECH Act, the HHS Secretary Kathleen Sebelius designated an individual in each regional office of HHS (Regional Office Privacy Advisors) in order "to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to the HIPAA Privacy and Security Rules."  The names, addresses, and contact information for each of the Regional Managers are listed here, together with a list of the States for which each Regional Manager has responsibility.

"HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information," HHS Press Release (August 19, 2009).

" Designation of Regional Office Privacy Advisors," HHS Press Release (July 27, 2009).
Tags: , , , , , , , , , , , , , ,

FTC Issues Final Breach Notification Rule for Electronic Health Information

Posted on August 17, 2009 by Steve Fox and Vadim Schick

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

<...>

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

Tags: , , , , , , , , , , , , , , , , ,

New York Times reports on privacy concerns about use of de-identified health information

Posted on August 10, 2009 by Steve Fox and Vadim Schick

The New York Times reported on Americans' growing concern regarding commercial use of their personal health information, especially the use of re-identified prescription drugs information for marketing purposes.  

The article points out correctly that the Recovery Act of 2009 (ARRA) included a few key changes to the present privacy regime, which would make it more difficult for pharmacies and data mining companies to use patient information for marketing or fundraising purposes.  While the new law (and the upcoming applicable HHS regulations sanctioned by ARRA) will close a few loopholes in the current medical privacy regime, data mining companies like IMS Health and Verispan do not seem to be overly worried about these new developments:

The law won’t shut down the medical data mining industry, but there will be more restrictions on using private information without patients’ consent and penalties for civil violations will be increased. Government agencies are still writing new regulations called for in the law.  <...>

IMS Health reported operating revenue of $1.05 billion in the first half of 2009, down 10.6 percent from the period a year earlier. [An IMS representative] said he did not expect growing awareness of privacy issues to affect the business.

The Times article also touches on a few other important areas of concern for privacy advocates:  the effect of widespread adoption and use of electronic health records (EHR's) and personal health records (PHR's) on privacy and security of patients' protected health information.  

Interestingly, the article notes that while "Microsoft and WebMD acknowledge that the privacy rules in the stimulus law apply to them," "Google says the law’s prohibitions do not apply to it, except for its duty to report any breaches of medical privacy."  According to a Google spokeswoman, "Google is bound by the privacy policy that people agree to when they sign up."  Right after the enactment of the Recovery Act, Google claimed that the additional privacy rules included in the ARRA did not apply to its PHR products.  However, Google acknowledged the applicability of ARRA's data breach notification requirements a few months thereafter.  This quote in the Times may reintroduce, if not underscore, Google's ambiguous attitude toward applicability of the new privacy and security rules.

"And You Thought a Prescription Was Private," The New York Times (August 9, 2009).

 

 
Tags: , , , , , , , , , , , ,

New York Times reports on the growing threat of medical identity theft

Posted on June 12, 2009 by Steve Fox and Vadim Schick

The New York Times reported today on the growing threat posed to patients and consumers by medical identity theft.  The article rightfully notes that this threat may only become more prominent with the widespread adoption of electronic health records technology championed by the Obama Administration. 

According to the Times, over 250,000 Americans are victims of medical identity theft each year, and this number does not include those who are not yet aware that they are victims of such identity theft.  The article profiled one case of medical identity theft, that of Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston:

In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.

 

The article continued:

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.

The new privacy and security regulations included in the HITECH Act are aimed at increasing protections for privacy of patient information (e.g., new accounting and reporting rules, as well as rules regarding access and accuracy of a patient's record.)  HHS has yet to provide some regulation around such privacy and security requirements. 

Finally, the Federal Trade Commission's "Red Flags Rule" is aimed at preventing medical identity theft.  In fact, one of FTC's suggestions to healthcare organizations for identity theft prevention is to institute a practice of checking patients' ID before providing services to such patients.

"Your Medical Problems Could Include Identity Theft", New York Times (June 12, 2009).

 
Tags: , , , , , , , ,

Sears settles FTC claims regarding its online tracking software

Posted on June 10, 2009 by Steve Fox and Vadim Schick

On June 4, 2009, Sears Holdings Corporation (Sears) settled its dispute with the Federal Trade Commission (FTC) regarding Sears's controversial online tracking software.  Sears paid its customers $10 to join "My SHC community" and download  software which would track participants' online behavior.  However, FTC alleged that Sears did not adequately disclose the enormous scope of information Sears collected on the participants:

<...> Sears represented to consumers that the software would track their “online browsing.” The FTC charges that the software would also monitor consumers’ online secure sessions – including sessions on third parties’ Web sites – and collect information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. The software would also track some computer activities that were not related to the Internet.

Sears did disclose the full extent of what information it would monitor, but only "in a lengthy user license agreement, available to consumers at the end of a multi-step registration process", which the FTC deemed to be inadequate. 

Under the settlement, Sears is required to destroy the data collected under this program, and to "clearly and prominently disclose the types of data the software will monitor, record, or transmit" if Sears advertises or disseminates any tracking software in the future.  The FTC also required Sears to make such disclosure prior to installation of the software and separate from any user license agreement; and disclose whether any of the data will be used by a third party.

"Sears Settles FTC Charges Regarding Tracking Software", FTC press release (June 4, 2009).
"Sears settles with FTC in privacy flap", Reuters (June 4, 2009).

Tags: , , , , , ,

California fines Kaiser hospital $250,000 for violations of patient privacy

Posted on May 15, 2009 by Steve Fox and Vadim Schick

As we mentioned earlier, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom."

On May 14, 2009, California authorities fined Bellflower Hospital, the Kaiser facility where Ms. Suleman was treated, $250,000, the maximum allowed under California's new patient privacy law. The law allows the California Department of Public Health to impose fines against healthcare facilities of up to $25,000 per patient for the first violation and $17,500 for each additional violation, up to $250,000.

While the spokesperson for Kaiser argued that the healthcare provider "took numerous steps to prevent" violations of Ms. Suleman's privacy, state officials maintain that such steps were insufficient:

The steps Kaiser took to protect Suleman's privacy were not aggressive enough, Billingsley and other state health officials said.

"It's the hospital's job to prevent these breaches from occurring, not just crack down after the fact," said Kim Belshé, secretary of California's Health and Human Services.

Governor Schwarznegger supported this development:  "The fine issued today should be a reminder that there are consequences for violations of medical privacy."

"Kaiser hospital fined $250,000 for privacy breach in octuplet case", Los Angeles Times (May 15, 2009).
 

Tags: , , , ,

Steve Fox on the ARRA privacy requirements

Posted on April 22, 2009 by Vadim Schick

In an interview with Thompson's Compliance Information Center, Steve Fox urged healthcare providers to begin the compliance process to meet the new data privacy and security requirements imposed under the American Recovery and Reinvestment Act of 2009: 

“The main message for providers is that ARRA is not something they can wait until next year for,” said Steven J. Fox, Esq., a partner at the law firm Post & Schell in Washington D.C. and co-author of the Guide to Medical Privacy & HIPAA.  Although Fox does not advise covered entities to completely overhaul their HIPAA compliance programs before HHS issues regulations, he does say they should begin reviewing all of their current privacy and security policies and procedures and comparing them with the new ARRA requirements. Entities should conduct “a thorough self analysis to determine where they stand.

Covered entities also should train their staff so they understand the importance of privacy and security. Under ARRA’s new penalty provisions, there is an increased potential of significant fines being levied, so entities should prepare by readying their staff for new requirements.

“People need to be trained and retrained to understand how their jobs are changing” as a result of the ARRA privacy and security provisions, Fox said. But, he cautioned “it is premature to do an overhaul of training programs” right away. “Someone needs to revise the whole compliance training program to include all of the ARRA changes — but not too far in advance before the changes are required,” he said.

This interview also headlined IAPP's Daily Dashboard briefing on April 16, 2009.

 

Tags: , , , , ,

Deloitte Publishes Healthcare Consumer Survey Findings

Posted on April 9, 2009 by Steve Fox and Vadim Schick

Deloitte published the results of its 2009 survey of more than 4,000 healthcare consumers, and the findings included some good news for the healthcare IT industry:

  • 9% of consumers have an electronic personal health record (PHR), but 42% are interested in creating one connected online to their physicians.  This leaves much room for growth for companies like Microsoft and Google which offer a PHR product.
     
  • 55% want the ability to communicate with their doctor via email to exchange health information and get answers to questions, and 57% would be interested in scheduling appointments, buying prescriptions and completing other transactions online if their information is protected.
  • 4 in 10 favor increasing government funding and incentives to support adoption of electronic medical records by doctors, hospitals and health plans.

However, consumers remain worried about the privacy and security of their personal health information, with 38% of those surveyed being "very concerned" as opposed to 24% of those who are not concerned at all.  Sixty percent support government establishing standards "for how medical for how medical information is collected, stored, exchanged and protected." 

The full survey findings can be downloaded here.

"Deloitte Survey Finds Healthy Consumer Demand For Electronic Health Records, Online Tools and Services", PRNewswire.com, April 6, 2009.

"2009 Survey of Health Care Consumers: Key Findings, Strategic Implications", Deloitte Center for Health Solutions, released April 2009.

Tags: , , , , ,

In the news: CVS and Google; Connect Open Source Software; and more

Posted on April 8, 2009 by Steve Fox and Vadim Schick
  • CVS pharmacy customers now have the ability to download their prescription and medication histories to Google Health accounts after CVS and Google expanded their partnership.  Patients at CVS' walk-in MinuteClinics are also able to add summaries of their visits to their Google Health accounts.  It would be interesting to find out if CVS and Google ever executed a Business Associate Agreement.  After the enactment of the HITECH Act, Google famously maintained that its personal health records product is not a subject to the new legislation and certain privacy and security provisions under HIPAA.  ("CVS-Google Health pact now includes drugstores", AP, April 6, 2009.)
  • The federal government released Connect, and open source software which allows public and private entities to share health information via the National Health Information Network.  The source code is free to download (the code and its documentation are available here), but organizations choosing to acquire and use this product will be responsible for costs associated with the installation and maintenance of Connect.  The Social Security Administration, Department of Defense, Veterans Affairs, and the CDC are among the many government agencies using this software for health information exchange already.  ("NHIN software released to open-source community", Government Health IT, April 7, 2009.)

     

 

  • This Business Week article analyzes the various data privacy and security concerns facing health care providers and patients alike.  ("Putting Patient Privacy in Peril?", Business Week, April 6, 2009.)
  • The New York Times reports that New York-Presbyterian Hospital became "the first large institution to move beyond the pilot stage this week as it begins to offer consumer-controlled health records for patients... New York-Presbyterian has been working with Microsoft for more than a year, not only on technical matters but also ease-of-use concerns with patients. The introduction will be gradual, beginning with heart patients, who will be told of the potential benefits of personal health records when they visit a New York-Presbyterian hospital or outpatient clinics."  Once again, it would be very interesting to find out if NYB and Microsoft signed a Business Associate Agreement, or if Microsoft acknowledged whether it is now subject to certain privacy and security provisions under HIPAA.  ("A Hospital Is Offering Digital Records", New York Times, April 5, 2009.)

 
Tags: , , , , , , , , , , , , ,

Risk Prevention/Management Advice to Hospitals Regarding Document-Sharing Technology

Posted on April 1, 2009 by Steve Fox and Vadim Schick

Hospitals, multi-hospital systems, and integrated healthcare delivery systems are increasingly utilizing data-sharing technology to communicate with, and share documents among, their officers and directors. 

For example, some healthcare business enterprises use online services to upload documents to a “secure” Internet web site for Board members’ review prior to Board meetings, in lieu of sending out such documents via e-mail or in paper form. Healthcare business enterprises using such services need to be aware of many potential security and privacy risks inherent in transmitting, uploading and storing sensitive, confidential or even proprietary information via the Internet.

 

 

Communications to a hospital Board may include:

  • Confidential information regarding the hospital’s operations or personnel;
  • Data on non-public commercial and financial affairs of the hospital;
  • Legally privileged information regarding law suits on behalf of or against the hospital; and
  • Confidential and privileged peer review materials, including protected health information (PHI, as defined under HIPAA) of the hospital’s patients.

Prior to acquiring or using such data-sharing technology, healthcare business enterprises should make sure that the software is secure and that both the enterprise and the service provider use appropriate physical and technical security safeguards to protect personal and otherwise protected information. There is no one fail-safe approach to implementation and operation of data-sharing technology, and such technology should be customized to fit the enterprise’s needs and requirements. However, at minimum, preliminary precautions should include:

  • Knowing exactly what information is being distributed, via what channels (e.g., whether it is contained on a laptop, another portable device or on the network);
  • Avoiding access, storage, sharing, or use (including downloading, printing, or emailing) of information from or via unsecured home office computers or other mobile devices;
  • As much as possible, limiting the unencrypted sensitive data being transmitted;
  • Avoiding use of actual personal or confidential data in testing of the software;
  • Implementing access control checks, including restricting access to essential personnel only;
  • Using intrusion detection technology or procedures to quickly detect any unauthorized access; and
  • Training and educating all relevant personnel and all persons with access to such information regarding the enterprise’s data privacy protection policies and procedures.

In order to protect your healthcare business enterprise, your Legal and IT teams should negotiate an agreement with the service provider which, at minimum, includes the following provisions:

  • A warranty from the service provider that their product is safe, secure, and complies with all applicable privacy and security standards; 
  • A requirement for the software provider to comply with your institutional privacy and security policies, as well as all applicable laws and regulations;
  • An explicit prohibition for the service provider to use, communicate, divulge, exploit, duplicate, distribute, publish, reproduce, transfer, dispose of, recreate, modify, or create derivative works based upon or otherwise reveal or make available to any third party, directly or indirectly, for any purpose, except as provided in such contract; and
  • Indemnification, remedies, limitation of liability, and other provisions protecting your business enterprise for any damages resulting from a data breach or loss, in instances where such breach or loss are caused by the purchased software or the service provider.

Finally, the agreement with the service provider should include a Business Associate Agreement (BAA, as defined under HIPAA); however, please keep in mind that the BAA should acknowledge the changes mandated by the recent American Recovery and Reinvestment Act of 2009, as well as numerous new regulations to be promulgated by the Secretary of Health and Human Services under this Act.

 

 
Tags: , , , , , , , ,

In the news: "Octomom" privacy breach at Kaiser Permanente; uptick in HIT stocks; and more

Posted on March 30, 2009 by Steve Fox and Vadim Schick
  • After what has become a rather typical breach of patient privacy for Southern California, Kaiser Permanente fired fifteen employees (and disciplined eight additional employees) for looking at the medical records of Nadya Suleman, the mother of octuplets commonly referred to as "Octomom".  Previously, similar breaches occurred at UCLA when that medical center's staff leaked celebrities' medical records to the tabloids.  (MercuryNews.com, via AP, March 30, 2009.)
  • Wall Street Journal reported last week that HIT stocks, especially smaller companies, like eClinicalWorks (which provide the software component of Wal-Mart's new EHR package) will benefit greatly from the billions of dollars in HIT funding included in the stimulus bill.  Also, in another sure sign of a growing industry, Quality Systems, the maker of the NextGen EHR software, is "beefing up its sales force." ("Stimulus Funds for E-Records Augur Big Windfall for Small Health Firms", Wall Street Journal, March 24, 2009.)
  • A new bill is introduced in the Pennsylvania Senate that would ban businesses from collecting personal data from driver's licenses.  This should also serve as a good reminder for businesses not to collect or store more information than absolutely necessary.  (Pennlive.com, March 30, 2009.)
  • Perot Systems will launch a new service tomorrow (April 1, 2009) to help hospitals achieve "meaningful use" status under HITECH, geared towards meeting the interoperability and standardization of HIT use.  (Healthcare IT News, March 30, 2009).

 
Tags: , , , , , , , , , , , , ,