Advocate Health Care already facing first lawsuit for July 15 breach involving 4 million EHR patient records

Chicago area Advocate Health Care suffered the country’s biggest health care record breach to date on July 15 – when four unencrypted laptops containing over four million patient records were stolen.  Seven weeks later the legal repercussions to July’s event are already beginning to unfold with last week’s filing of a class-action complaint in Cook County Circuit Court.

Once again, we are reminded both of the repercussions of such a loss and, more importantly, how easy it is to prevent this.  I’m not suggesting that the theft could have been prevented, but if the laptops had been encrypted, then this would have been a non-event (at least as far as the breach notification issue).  No one outside of Advocate would even know about the theft, because Advocate wouldn’t have had to report the loss and it would not have made the news at all.  So the take-away:  encrypt all of your mobile devices, including laptops, thumb drives, smart phones, etc.

Via Modern Healthcare:

The recent massive data breach at Advocate Health Care has already had legal consequences.

Downers Grove, Ill.-based Advocate and a subsidiary, Advocate Medical Group, are facing a state class-action lawsuit filed on behalf of two named plaintiffs and 4 million individuals whose personally identifiable health records were taken along with four desktop computers in a burglary in July. The computers were password protected but not encrypted, according to Advocate.

The five-count, 12-page complaint in Cook County Circuit Court in Chicago alleges negligence, deceptive business practices, invasion of privacy, intentional infliction of emotional distress and consumer fraud, all violations of Illinois law.

According to the class-action complaint, Advocate “continued its use of nonsecure, unencrypted computers and software to maintain the private and confidential patient data” it had collect, in violation of two state privacy laws.

The suit alleges Advocate violated the Illinois Personal Information Protection Act when it “permitted an unauthorized acquisition of computerized data that compromised the security, confidentiality, or integrity of personal information,” and the Illinois Medical Patients Rights Act when it “facilitated and allowed for the unlawful disclosure of patients' private and confidential health information.”

The lawsuit requests a jury trial and judgment of an unspecified dollar amount for actual damages, costs and other relief the court deems appropriate.

The named plaintiffs were former Advocate patients, Pierre Petrich, and her minor daughter, Amara Petrich, of Northbrook, Ill. The suit was filed by Chicago personal injury attorney Robert Clifford.

The suit alleges the plaintiffs' records were part of the massive July 15 data breach at an administrative office of the 1,100-plus physician Advocate Medical Group in Park Ridge, Ill. At just over four million records, it is the largest breach by a healthcare provider since the federal government began requiring public reporting of larger healthcare records breaches in 2009.

Personally identifiable data on the compromised records varied, according to an Advocate spokeswoman, but included patients' names, addresses, dates of birth, Social Security numbers, diagnoses and medical record numbers.

Advocate previously made the federal “wall of shame” list kept by HHS' Office for Civil Rights after the theft of an unencrypted laptop in 2009 carrying 812 patient records.

Thus far, 659 breaches involving records of 500 or more individuals have made the list, accounting for more than 22.8 million records being exposed. Of those involving electronic devices, 48% of the incident reports mentioned theft, 11% loss; and 8% hacking, all of which could have been mitigated by encryption.

The breach is being investigated by the OCR, the chief federal agency enforcing the health information privacy and security rules under the Health Insurance Portability and Accountability Act, and by the Illinois Attorney General's office, for possible HIPAA and Illinois privacy law violations, spokespersons for those agencies have said.

Advocate has faced criticism for not encrypting the data. Encryption is a technique in which software is used to scramble messages or data, rendering them unusable and unreadable to anyone who doesn't have the key, another piece of software code to unscramble the protected information.

An Advocate spokeswoman said an encryption program launched by the organization in 2009 had not reached the four computers in the Park Ridge office.

Advocate's Kelly Jo Golson, senior vice president of public affairs and marketing, in a statement, said “We deeply regret any inconvenience this incident has caused our patients who have entrusted us with their care. Our focus continues to be delivering the highest level of care and service. We are also committed to providing all individuals impacted by this incident with resources to answer their questions and tools to protect their personal information. Although we are unable to comment specifically on active litigation matters, we want to reassure our patients that we do not believe the data was targeted and we have no information that leads us to believe that the information has been misused.”

By Joseph Conn

Advocate Health Care sued following massive data breach,” Modern Healthcare (September 6, 2013)

Breaking: HHS releases final rule on HITECH Act provisions

HHS has announced a long-awaited omnibus final rule that implements a number of provisions of the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, commonly known as the "Stimulus Bill," to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

We will update the blog with more analysis of the final rule, but, in the meantime, you can find the press release here. You can see a copy of the rule via Federal Register here.

Via HHS Press Release:

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.


Settlement of first small scale HIPAA breach announced by HHS

In a sign that HHS is serious about small data breaches, the Office of Civil Rights (OCR) and The Hospice of North Idaho reached a settlement agreement to resolve allegations of a 2010 breach involving 441 patient records. OCR Director Leon Rodriguez reminded the industry that every covered entity, regardless of size, must implement the privacy and security safeguards - including, e.g., encryption of protected health information on mobile devices - required under HIPAA, as amended pursuant to the HITECH Act.

This settlement comes at the same time as the OCR rolls out its new educational initiative aimed at securing protected data on mobile devices. You can learn more about this initiative here.

Via HHS Press Release:

The Hospice of North Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services’ (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  This is the first settlement involving a breach of unprotected electronic protected health information (ePHI) affecting fewer than 500 individuals.

The HHS Office for Civil Rights (OCR) began its investigation after HONI reported to HHS that an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 patients had been stolen in June 2010.  Laptops containing ePHI are regularly used by the organization as part of their field work.  Over the course of the investigation, OCR discovered that HONI had not conducted a risk analysis to safeguard ePHI.  Further, HONI did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule.  Since the June 2010 theft, HONI has taken extensive additional steps to improve their HIPAA Privacy and Security compliance program.

“This action sends a strong message to the health care industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients’ health information.” said OCR Director Leon Rodriguez. “Encryption is an easy method for making lost information unusable, unreadable and undecipherable.”

The Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification Rule requires covered entities to report an impermissible use or disclosure of protected health information, or a “breach,” of 500 individuals or more to the Secretary of HHS and the media within 60 days after the discovery of the breach.  Smaller breaches affecting less than 500 individuals must be reported to the Secretary on an annual basis.

A new educational initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, has been launched by OCR and the HHS Office of the National Coordinator for Health Information Technology (ONC) that offers health care providers and organizations practical tips on ways to protect their patients’ health information when using mobile devices such as laptops, tablets, and smartphones.  For more information, visit

The Resolution Agreement can be found on the OCR website at

HHS announces first HIPAA breach settlement involving less than 500 patients:
Hospice of North Idaho settles HIPAA security case for $50,000
,” HHS Press Release (January 2, 2013)

3.8 million record breach in South Carolina: lessons learned

Hackers recently infiltrated South Carolina's state tax records, absconding with the largest haul to date of Social Security numbers, credit and debit card numbers from a state agency.  State officials describe how the theft was worked, and list enhanced security measures that could have prevented the attack.
See New York Times article at "South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere".

Laptop theft costs Massachusetts provider $1.5 million in HHS settlement

Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (MEEI) will be paying HHS $1.5 million in installments over three years for a 2010 incident.  It is worth noting that OCR also reached a $1.5 million settlement with Blue Cross Blue Shield of Tennessee (BCBST) earlier this year for a breach involving over a million patient records on stolen hard drives.  The MEEI data breach, on the other hand,  involved only 3,621 patient records.

Regardless of OCR's exact motives for such a high fine for such a significantly smaller scale breach, it is clear that OCR takes compliance with the HIPAA Privacy and Security Rules very seriously, especially in cases where patient data is stored on portable devices. It is also important to keep in mind that, as we pointed out after the BCBST breach, the $1.5 million settlement amount may well be exceeded by the costs and expenses associated with notification and credit monitoring expenses, as well as investigating and correcting this breach by MEEI.

Via Modern Healthcare:

HHS' Office for Civil Rights announced that Massachusetts Eye and Ear Infirmary and its affiliated physician group, Massachusetts Eye and Ear Associates, agreed to pay $1.5 million to settle a HIPAA security-rule violation case.

The $1.5 million settlement with Boston-based Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, collectively known as MEEI, is part of a resolution agreement (PDF) with the Office for Civil Rights. MEEI's alleged violations of the Health Insurance Portability and Accountability Act's security rule stem from the reported 2010 theft of a laptop computer storing 3,621 patient records, according to HHS.


The Office for Civil Rights alleges that the infirmary and the group not only failed to secure data on the laptop but also failed to comply with several other HIPAA security-rule requirements, including performing “a thorough analysis of the risk to the confidentiality” of individually identifiable patient information stored on the portable device and not “adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.” The term ePHI refers to electronic protected health information. 

“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” Office for Civil Rights Director Leon Rodriguez said in a news release. “This enforcement action emphasizes that compliance with the HIPAA privacy and security rules must be prioritized by management and implemented throughout an organization, from top to bottom.”

The settlement amount is to be paid in three equal installments of $500,000—the first on Oct. 15 of this year and the next two on the same date in 2013 and 2014.

The 17-page resolution agreement also requires the organization “to adhere to a corrective action plan” and permits an independent monitor to make semi-annual assessments of MEEI's compliance with the plan for three years.

The American Recovery and Reinvestment Act of 2009 required the reporting to HHS of breaches affecting 500 or more individuals and the creation of a public accessible website listing the breaches. There are now 490 such self-reported breach incidents on the list, which is maintained by the Office for Civil Rights. Combined, those breaches exposed the records of more than 21 million individuals, according to the office.

The infirmary is on the list twice. A November 2009 incident involving 1,076 records stemmed from a police investigation into improper use of credit card information that led to the firing of two infirmary employees.

By Joseph Conn

Mass. provider to pay $1.5 million in HIPAA settlement,” Modern Healthcare (September 17, 2012)

Tagging technique keeps more sensitive portions of an EHR more private

State and federal privacy laws rigorously restrict sharing of mental health and other highly sensitive patient records.  A technique called “data tagging” may be key in facilitating health care providers’ compliance with these requirements.

Via Modern Healthcare:

Using off-the-shelf content standards and messaging protocols, the Veterans Affairs Department and the Substance Abuse and Mental Health Services Administration of HHS have successfully demonstrated how to electronically tag mental health and other highly sensitive clinical records to help providers comply with stringent state and federal privacy laws limiting the sharing of those records without patient consent.

Development of the electronic patient-consent management system came in response to the VA's and SAMHSA's own needs to protect the privacy of patients under two federal medical record privacy laws that are more robust than the privacy rule under the Health Insurance Portability and Accountability Act.

The demo was part of a Data Segmentation for Privacy Initiative by the Office of the National Coordinator for Health Information Technology at HHS. It also answers a 2010 call by the President's Council of Advisors on Science and Technology to use metadata tagging to enhance privacy while making medical data more readily available for research. A metadata tag provides information about the underlying data.

Tagging a patient's record at the “granular” or data-element level enables patients to give consent to the exchange of some parts of their medical record—such as a diagnosis code for diabetes and a drug prescription for its treatment—but not other parts, such as the diagnosis of a sexually transmitted disease or a mental health counseling session.

“The bottom line is we're trying to provide patients some ability to control what information is shared and make it easy on them,” said Mike Davis, VA project lead and Veterans Health Administration security architect.

Federal law applying specifically to the VA requires that, under typical circumstances, the VA must obtain a veteran's consent before his or her medical records can be shared outside the organization. The VA also abides by another federal law that bars federally funded alcohol and drug treatment providers from sharing information about such treatment without patient consent. The latter law creates a consent requirement that sticks to and flows with the data, so that each subsequent provider to receive it also must obtain patient consent to disclose it elsewhere.

Privacy laws in several states also contain these sticky provisions, said Joy Pritts, chief privacy officer at ONC, who attended the demo in Baltimore this month during a conference sponsored by Health Level 7. The healthcare standards development organization has produced a classification and coding system to identify and constrain particularly sensitive information; the system was used by the VA and SAMHSA in the demo, as were the ONC's Direct messaging protocols.

In the demonstration, a care summary was exchanged between providers for a patient enrolled in an alcohol and drug abuse treatment program. The VA/SAMHSA system tagged discrete elements of the record “do not re-disclose.”

One missing piece in the automated privacy protection scheme, however, is how to deal with dictated notes containing sensitive patient data. A text document could be constrained by tagging the entire document, Davis said, but that would need to be done by hand, whereas tagging of discrete data can be done by the system, which can sit as a layer between one provider's EHR and another's.

Patients can specify their wishes with computerized consent directives created online at home or on a provider's computer system, he said.

Davis said there is no timeline for rolling out these functions across the VA, but the VA has several pilot sites running where the system is in daily use recording a veteran's simple “yes/no” electronic consent directives for exchange of their records with outside providers.

Pritts said ONC has two additional pilots planned, one with the VA and one with private-sector providers.

“I think this can work for what's called structure data—medications in the medication list, allergies in the allergies list, diagnostic codes in the problem list, lab test results, vital signs—that type of information,” said Daniel Gottlieb, a partner in the Chicago office of McDermott Will & Emery who heads the firm's health information technology and data protection practice.

With the EHR systems used by providers today, “typically the technology doesn't have the capability” to segregate those drugs on a medication list for a common ailment from those drugs to treat another, more sensitive one, such as a psychiatric condition, Gottlieb said.

“That leaves you with two options in the real world,” he said. “One is not to make that medication list available” outside the organization. “Or, you can take the position that providing high-quality care” is the greater good, “and just decide that you're going to accept that legal risk.”

Gottlieb said many providers lean toward the latter, for instance if a patient is taking medication for a psychiatric disorder but also for a chronic condition such as diabetes. “There could be the potential for the adverse reaction between the psychiatric drug and some other drug,” prescribed either in the same hospital or by another provider. “I think most people think avoiding that reaction takes precedent over the privacy concern.”

By Joseph Conn

Working with the rules: Data tagging allows selective sharing with EHRs,” Modern Healthcare  (September 22, 2012)

Cybersecurity risk management by boards and senior executives: 12 recommendations

According to Forbes, a recent Carnegie Mellon study has found that corporate boards “are not actively addressing cyber risk management.”  The researchers collected data from corporations worldwide and across all industrial sectors, and found that while boards actively attend to risk management as part of their oversight, “there is still a gap in understanding the linkage between cybersecurity risks and enterprise risk management”. 

The study's report, well worth reviewing for its instructive if sometimes disturbing findings, concludes that by implementing the following twelve recommendations, boards and senior management can "significantly improve their organizations’ security posture and reduce risk":


  1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.
  2. Ensure that privacy and security roles within the organization are separated and that responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.
  3. Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues.  This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line executives.
  4. Review existing top-level policies to create a culture of security and respect for privacy.  Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.
  5. Review assessments of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.
  6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organization’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.
  7. Conduct an annual audit of the organization’s enterprise security program, to be reviewed by the Audit Committee.
  8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.
  9. Require regular reports from senior management on privacy and security risks.
  10. Require annual board review of budgets for privacy and security risk management.
  11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.
  12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.

Boards Are Still Clueless About Cybersecurity,” Forbes (May 16, 2012).

"Governance of Enterprise Security: CyLab 2012 Report -- How Boards and Senior Executives Are Managing Cyber Risks" by Jody Westby, Carnegie Mellon CyLab (May 16, 2012) 

EHR hackers turn to extortion

Hackers recently struck a small medical practice in suburban Chicago, encrypted the facility’s digital medical records, and then demanded a ransom payment in exchange for allowing the facility to regain access to its records.  Medical industry observers note that this is not the first instance of this new type of criminal hacking activity.

This case should serve as a reminder to healthcare providers that, in addition to significant concerns regarding securing patient data from unlawful access, use or disclosure, such organizations should make sure that their patient data is backed up and accessible through more than one channel, in order to avoid a "hostage" situation like the one described below.

Via Bloomberg News:

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.

The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, reported on its Tech Blog.  

Unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.

The doctors turned the server off and notified the authorities, refusing to pay.

“This story is so ironic -- most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors -- in fact, nobody -- can access these records.”

The Surgeons of Lake County isn’t the first health care provider to be targeted by extortionists. The incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records.

Data Breach
The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.

Based on the number of practices moving to electronic health records, “many more” of these types of breaches should be expected, Kam wrote in an e-mail.

Until now, medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money.

One case involved Express Scripts (ESRX), the large prescription- drug benefits manager, and a threat it received in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including identification numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually told 700,000 customers that their information could have been exposed.

Patient Confidentiality
In 2003 and 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.

The spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing risk. Security and privacy risks are also emerging with the creation of “health information exchanges,” vast databases that states are setting up to handle electronic medical records.

It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.

“Safeguarding every patient’s personal information is a top priority at the Surgeons of Lake County,” Scott Otto, the center’s president, said in a statement. “We are devoting significant people and technological resources to help protect patient confidentiality.”

For all of the benefits of making health records electronic, this incident highlights a downside, said Santa Clara University’s Glancy.

“This is a warning bell,” she said. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”

By Jordan Robertson

"Hacking Expecting [sic] To Increase As More Facilities Institute EHRs," Bloomberg News (August 10, 2012)

Data breach costs Massachusetts hospital $750,000

South Shore Hospital in Weymouth, Massachusetts agreed this week to pay $475,000 to settle allegations connected with a 2010 data breach affecting the confidential health records of more than 800,000 patients. The hospital has already spent $275,000 on new security measures, since the breach, bringing the total cost of the breach up to $750,000.

Via Boston Business Journal:

The settlement resulted from a data breach reported to the attorney general's office in July 2010 that included individual's names, Social Security numbers, financial account numbers, and medical diagnoses, the news release said.

South Shore Hospital shipped three boxes containing 473 unencrypted back-up computer tapes with the personal information and health information from 800,000 individuals, the release said. The tapes were being shipped to a remote location so that Archive Data Solutions could erase the tapes and resell them, according to the release. Only one of the boxes arrived to its destination in Texas, the press release said, and the missing boxes have not been recovered. There are no reports of unauthorized use of the personal information.



Approved in Suffolk Superior Court, the settlement includes a $250,000 civil penalty and a payment of $225,000 for an education fund to be used by the attorney general's office to promote education related to protecting personal information and health information. The total amount of the settlement was $750,000, but the settlement credits South Shore Hospital for $275,000 to reflect security measures it has taken subsequent to the breach.

As a result of the settlement, South Shore Hospital will be required to take steps to ensure compliance with data security laws and regulations, as well as to undergo an audit of its security measures, the news release said.

South Shore Hospital to pay $475K over patient data breach,” Boston Business Journal (May 9, 2012)

HHS publishes EHR privacy and security guide

The ONC’s Office of the Chief Privacy Officer (OCPO) has published a "Guide to Privacy and Security of Health Information” intended to help healthcare practitioners and their staffs better understand the roles of privacy and security in the meaningful use of electronic health records.

Via Healthcare IT News:

Earlier this spring Healthcare IT News reported the results of a study from HIMSS Analytics and Kroll that showed security breaches are still widespread in healthcare – despite increased attention paid to patient privacy.

The ‘HIMSS Analytics Report: Security of Patient Data,’ suggested that, despite increasingly stringent regulatory activity with regard to reporting and auditing procedures, most providers were prioritizing compliance with the rules over actually bolstering their own organizations' security protocols.

So the new ONC guide, which seeks to offer a comprehensive, easy-to-understand resource to help providers incorporate robust privacy and security routines into their clinical workflow, comes at a crucial time.

Developed by OCPO in partnership with the American Health Information Management Association (AHIMA) Foundation, the 47-page guide offers detailed guidance on topics such as security risk analyses and management tips, and working with EHR and health IT vendors.

The guide also offers a 10-step plan for reinforcing privacy and security protections before attesting for meaningful use:

1. Confirm your organization is a covered entity. Most healthcare providers are covered entities, and thus, have HIPAA responsibilities for individually identifiable health information. The Department of Health and Human Services offers tools that can help you confirm your organization's status.

2. Provide leadership. Emphasizing the importance of protecting patient information to all your employees is central to ensuring a culture where security is treated with the importance it deserves.

3. Document your process, findings and actions. The Centers for Medicare & Medicaid Services (CMS) advises all providers attesting for meaningful use to retain all relevant records that support attestation. Record all your practice decisions, findings and actions related to safeguarding patient information.

4. Conduct security risk analysis. A security risk analysis – or a reassessment, if you've already done one – compares your current security measures to what is legally and pragmatically required to safeguard personal health information, and identifies high priority threats and vulnerabilities.

5. Develop an action plan. Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan must have five components, the guide notes: administrative, physical, and technical safeguards; policies and procedures; and organizational standards.

6. Manage and mitigate risks. Begin implementing your action plan. Develop written and up-to-date policies and procedures about how your practice protects personal health information. Do not lose sight of basic security measures, some of which can be low-cost and highly effective.

7. Prevent with education and training. To safeguard patient information, your workforce must know how to implement your policies, procedures, and security audits, according to ONC. HIPAA covered providers must train their workforces (employees, volunteers, trainees, and contractors) on your policies and procedures. Staffs must receive formal training on breach notification.

8. Communicate with patients. Your patients may be concerned about confidentiality and security of their health information in an EHR, the guide points out. Emphasize the benefits of EHRs to them as patients, perhaps using consumer education handouts that others have developed, and reassure them that you have a system to proactively protect their health information.

9. Update business associate agreements. Ensure your business associate agreements require compliance with HIPAA and HITECH breach notification requirements. This will require your business associates to safeguard protected health information they get from your practice, train their workforce, and adhere to breach notification requirements.

10. Attest for the security risk analysis meaningful use objective. Only apply for an EHR incentive program once you'd fulfilled the security risk analysis requirement and have documented your efforts, the ONC guide emphasizes, pointing out that when you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Participants in the EHR Incentive Program can be audited.

Beyond HIPAA and HITECH, ‘ensuring privacy and security of health information, including information in electronic health records, is a key component to building the trust required to realize the potential benefits of electronic health information exchange,’ the ONC guide notes. ‘If individuals and other participants in a network lack trust in electronic exchange of information due to perceived or actual risks to electronic health information or the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences.




Access the ONC Guide to Privacy and Security of Health Information here.

ONC privacy and security guide offers 10 steps for MU,” Healthcare IT News (May 9, 2012)


Audit criticizes OCR and ONC over data privacy efforts

HHS's own Office of Inspector General (OIG) issued a scathing report regarding pervasive breaches in privacy and security of patient data. OIG specifically called out the Office of Civil Rights (OCR), charged with enforcement of HIPAA Privacy and Security Rules, for failing to investigate and punish the vast majority of violators.

The audit tested seven hospitals' compliance with HIPAA in seven different states, and found 151 vulnerabilities in the systems and controls intended to cover e-PHI, 124 of which were categorized as "high-impact" (i.e., ones which may result in costly losses, injury or death.)  Violations included unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. Via Modern Healthcare:

The audits of the seven hospitals revealed weaknesses in hospital IT defenses of electronic protected health information, or ePHI, ranging from the fact that several hospitals still were using obsolete and vulnerable encryption protocols to the fact that all seven had vulnerable access controls in which “Outsiders or employees at some hospitals could have accessed, and in one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge.”

“These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk,” the auditors said. The individual hospital audit reports were not disclosed “because the reports contained restricted, sensitive information that may be exempt from release under the Freedom of Information Act,” according to the report.


OIG also criticized the Office of National Coordinator for Health IT (ONC) for their failure to develop standards ensuring privacy and security of patient data as part of ARRA's push for digitizing medical records:

As a yardstick for ONC performance as a security champion, the inspector general's auditors reviewed last year's ONC-developed interim final rule and final rule on standards, implementation specifications and certification criteria for the ARRA-funded electronic health record system incentive payment program. The auditors found both wanting.

The report's authors differentiated between two types of security measures. One they described as “application security controls” that “function inside systems or applications to ensure that they work correctly.” Such measures include security controls covered by the ONC final rule and used in testing and certification of electronic health-record systems as able to meet meaningful-use requirements for providers participating in the federal IT incentive payment programs. An example is a requirement that certified EHRs be able to encrypt data shared between providers.

The auditors called the other type of measures “general information technology security controls,” described as “structure, policies and procedures that apply to an entity's overall computer operation.”

An example would be a policy that requires providers to use encryption software on their systems and encrypt all data copied from an EHR and placed on a portable storage device, such as a laptop, CD or a portable thumb drive. The auditors found that the ONC had included application controls in writing its interoperability specifications for meaningful use, but that "there were no (health IT) standards that included general IT security controls.”

Other examples of general controls not addressed by the ONC but suggested for development by the report would be requirements that providers use two-factor authentication to gain access to an organization's health IT system and policies that mandate that organizations install “patches” or bug fixes in a routine and timely manner to computers that process and store EHRs.

"Audit reports hit HHS on digital security," Modern Healthcare (May 17, 2011).


Study: Data Breaches Cost U.S. Hospitals Billions

A new study by the Ponemon Institute concluded that data breaches cause enormous losses for U.S. hospitals:  on average, over a two-year period, each hospital will incur about $2 million in losses due to data breaches, which results in $12 billion cumulative loss for all U.S. hospitals.

The study also found that:

  • Most healthcare organizations experience undetected breaches of patient data due to lack of preparation and staffing. 71% of healthcare organizations reported having inadequate resources, 52% reported having appropriately trained personnel, and 69% reported having insufficient policies and procedures in place to prevent and quickly detect patient data loss; thus leaving such organizations with little or no confidence in their ability to appropriately secure patient records.
  • Protecting patient data is not a priority for 70% of hospitals, with 67% reporting having less than 2 staffers dedicated to privacy and security issues.
  • 71% do not believe the new federal regulations pursuant to the HITECH Act have significantly changed the management practices of patient records.

 According to the Wall Street Journal's Health Blog:

  • A full 60% of the organizations included in the study had more than two data breaches over the previous two years, at a cost of $2 million per organization.


  • The average breach involved 1,769 lost or stolen records.


  • Senior personnel at the organizations surveyed felt unprepared to prevent or quickly detect breaches. Some 58% of the organizations “have little or no confidence” in the ability of their organization to detect all patient data loss or theft.


  • Patients were the first to detect data breaches, report 41% of the organizations.
  • Most of the respondents have either put in place an electronic medical records system or are in the process of doing so. And 74% of those with an EHR system say it has made data more secure. Another 12% said the system made no difference in security, 10% say it made data less secure and 4% were unsure.

You can read the full study by registering here.

"Study: Data Breaches Cost Hospitals $6 Billion Per Year," WSJ Health Blog (November 9, 2010).


Study: Less than 7% of doctors email patients

According to a new study by the Center for Studying Health System Change, less than 7% of U.S. physicians communicate with their patients via e-mail. According to the Wall Street Journal, most physicians did not have access to electronic health records or other health information technology allowing secure communication with patients online. Yet even among those physicians with access to such technology, only 19.5% reported communicating with patients via email regularly.

Via the Journal:

This survey didn’t ask non-emailing physicians why they weren’t trading LOLs and emoticons with their patients, but the CSHSC brief has a host of previously cited reasons: “lack of reimbursement, the potential for increased workload, maintaining data privacy and security, avoiding increased medical liability and the uncertain impact on care quality.” (Given that list, it’s hard to figure out why any physician would choose to email patients.)

Doctors working in practices the have already converted to electronic medical records were more likely to communicate with patients via email. So were physicians in HMOs or academic centers, compared to those in solo or two-doctor practices.


 Given the reimbursement issue, it’s not surprising that physicians on a fixed salary were more likely to communicate with patients than those with other compensation arrangements. (Aetna and Cigna are among the insurers reimbursing providers for communicating with patients via secure messaging.) Other options for compensation include a set per-patient fee paid to physicians for agreeing to coordinate care using email and other means or an annual fee paid directly by patients for email access privileges, the brief says.

Policy types “might more systematically explore whether email or other secure electronic communication with patients can deliver on its promise to enhance communication, increase patient engagement and satisfaction, improve patient outcomes and quality of care and boost efficiency,” the brief says. If email does all (or some) of that, “expanding incentives to encourage email communication between physicians and patients might be a worthwhile investment.”

"You've Got Mail - But Not From Your Doctor," Wall Street Journal (October 7, 2010).


Updated: Slides from Webinar on HIPAA Privacy and Security Rules

Post & Schell, in collaboration with Kroll Fraud Solutions, presented a free webinar examining the crucial changes and updates to the HIPAA Privacy and Security Rules included in the Notice of Proposed Rulemaking (NPRM) issued by the Office of Civil Rights of the U.S. Department of Health and Human Services on July 8, 2010. Post & Schell's Steve Fox and Vadim Schick highlighted the key provisions in the NPRM, including:

  • New restrictions on use and disclosure of protected health information (PHI) for marketing, fundraising, and other commercial purposes
  • Providing patients with e-copies of their PHI
  • Extension of HIPAA Privacy and Security Rules to business associates
  • Effect of new rules on business associate agreements

In addition, our guest presenter for this webinar, Alex Ricardo, CIPP of Kroll Fraud Solutions, discussed the practical implications of this new set of regulations on covered entities and business associates, including:

  • Assessing an organization's policies, procedures and practices for compliance with the HIPAA Rules and these updates
  • Reviewing current contractual agreements and relationships with business associates and their subcontractors
  • Training staff of the organization
  • Breach preparedness and breach response

You can view or download the slides from this presentation by clicking here.

For more information, contact Vadim Schick at or 202-661-6945.

California fines hospital $250,000 for failing to comply with state breach statute

As we mentioned previously, California has the strictest data breach notification statute in the country, allowing entities only five days to report a breach, but not permitting even the customary delays  for law enforcement efforts. California Department of Public Health (CDPH) is charged with enforcement of this statute, contained in Section 1280.15 of the California Code, and may impose the maximum of $250,000 fine for each breach incident.

CDPH imposed the maximum $250,000 fine on Lucile Salter Packard Children's Hospital (LSPCH) at Stanford University for failing to report within five days a breach involving 532 patients.  The breach resulted from an employee of LSPCH stealing a laptop containing PHI for these 532 patients.

The somewhat shocking part is that CDPH levied the maximum fine on this hospital, even though the hospital reported this breach after an investigation less than two weeks later.  LSPCH discovered the breach on February 1, 2010, but did not report the breach until February 19, 2010.  In fact, CDPH learned of the breach from the hospital's notice. While a clear violation of the five-day rule (however just or draconian the rule may be), it does not seem to be an egregious violation which would merit the maximum fine. LSPCH believes that its notification to the state and to the affected individuals was reasonable and timely and is appealing the fine.

Packard Children's believes it did what it is supposed to:

The computer in question was used by an employee whose job required access to patient information. Even though the employee had signed written commitments to keep patient information confidential and secure in accordance with legal requirements and hospital policies, the hospital received reports that the now-former employee allegedly removed the computer from hospital premises and took it home. The hospital immediately began a thorough investigation and also reported the matter to law enforcement in an attempt to recover the computer quickly.

As soon as the hospital and law enforcement determined the computer was not recoverable, the hospital voluntarily reported the incident to the California Department of Public Health (CDPH) and federal authorities, as well as the families of potentially-affected patients. The hospital also provided to the families identity theft protection and other support services.

Theft charges have been filed against the former employee.

Packard Children’s believes that there has been no unauthorized or inappropriate access to the information on the computer. “We use very sophisticated tools to conduct investigations such as this,” said Ed Kopetsky, chief information officer at Packard Children’s. “We are able to detect if the missing computer connects to a network that has access to the Internet and we’ve been monitoring this activity regularly to determine if this computer has been online anywhere. It has not.”

"This theft was very unfortunate," said Susan Flanagan, RN, chief operating officer. "We hold ourselves to the highest standards in taking care of the children we treat, and we are committed to providing the best care possible and to protecting our children's privacy. The privacy and security safeguards we employ are some of the most advanced technologies and controls available to hospitals today.”

This response seems proper and reasonable.  What more could a hospital do? In California, report the breach within the required five days. But even if the hospital missed the deadline, imposing the maximum fine for the reasonable response outlined above seems too harsh.

Finally, it is worth pointing out that California is clearly determined to enforce these laws. According to Health Leaders Media, CDPH levied over $1.8 million in fines against 143 hospitals under the breach notification statute and the similar requirement for reporting wrong-site surgery or foreign objects left inside a patient.

"Hospital Fined $250,000 For Not Reporting Data Breach," Health Leaders Media (September 10, 2010).

Rite Aid settles FTC and OCR privacy charges

The Rite Aid Corporation, the third largest pharmacy chain in the United States, reached a major settlement with both the Federal Trade Commission (FTC) and HHS's Office of Civil Rights (OCR) regarding charges that Rite Aid violated federal privacy and security laws and regulations by failing to keep its customers' and employees' data safe. 

Rite Aid employees were reported to discard prescriptions and pill bottles containing sensitive patient data into the dumpsters behind various Rite Aid pharmacies, which were easily accessible to the public.  Such practices violate the HIPAA Privacy Rule, which requires covered entities to safeguard the privacy of patient information, even when such information is being destroyed.  Rite Aid's actions may also violate the company's own promises to their customers regarding keeping their health information private and secure (this broken promise being the basis for FTC's charges).


In addition, OCR and FTC found that Rite Aid:

  • failed to implement adequate policies and procedures to appropriately safeguard patient information during the disposal process;
  • failed to adequately train employees on how to dispose of such information properly;
  • failed to employ a reasonable process for discovering and remedying risks to personal information; and
  • did not maintain a sanctions policy for members of its workforce who failed to properly dispose of patient information.

Pursuant to their settlement with HHS, Rite Aid agreed to pay HHS a cool $1 million and agreed to implement a strong corrective action program (lasting 3 years) which includes:

  • Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them;
  • Training workforce members on these new requirements;
  • Conducting internal monitoring; and
  • Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS.

Finally, Rite Aid has also agreed to external independent assessments of its pharmacy stores’ compliance with the FTC consent order, which will be in place for 20 years.

FTC and OCR have previously filed charges against CVS Caremark, another major pharmacy chain which was reported to engage in similar violations to Rite Aid's.  

The current economic conditions require most organizations to do more with less. The unfortunate end result is that long term projects, such as major privacy and security compliance reviews and overhauls get postponed and overlooked.  Rite Aid and CVS cases should remind covered entities and other organizations responsible for keeping patient information safe that neglect or procrastination with regard to privacy policies and practices can lead to major fines, PR embarrassments and excessive compliance and legal costs. 

It is also key to remember that your organization must comply with its own privacy policies and procedures -- otherwise, FTC can charge your organization for "false promises," as was the case with Rite Aid.  In order to comply with such policies, however, your organization must train the staff about the critical importance of privacy.  Without such training, all the policies and procedures will be rendered entirely ineffective.

You can read the full OCR press release by clicking here.

You can read the full FTC press release by clicking here.

HHS issues NPRM on HIPAA Privacy, Security and Enforcement Rules

On July 7, 2010, HHS issued a notice of proposed rule making (NPRM) regarding the changes to the HIPAA Privacy, Security and Enforcement Rules, as provided in the HITECH Act, in order "to strengthen the privacy and security protections for health information and to improve the workability and effectiveness of the HIPAA Rules."  Via HHS Press Release:

The proposed modifications to the HIPAA Rules include provisions extending the applicability of certain of the Privacy and Security Rules’ requirements to the business associates of covered entities, establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes, prohibiting the sale of protected health information, and expanding individuals’ rights to access their information and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, the proposed rule adopts provisions designed to strengthen and expand HIPAA’s enforcement provisions.

You can view the NPRM by clicking here.

"Notice of Proposed Rulemaking to Implement HITECH Act Modifications," HHS Press Release (July 7, 2010).

HealthNet and Connecticut settle breach suit

In November of 2009, health insurance provider HealthNet reported a loss of a portable disk drive (which occurred six months prior to HealthNet's report). The disk drive contained compressed, though not encrypted, data, including social security and bank account information, on nearly half a million persons.  This loss outraged the Connecticut Attorney General Richard Blumenthal, eventually leading Connecticut to file suit against the insurer for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.

However, on July 6, 2010, Blumenthal (who is currently running to replace Chris Dodd (D-CT) in the U.S. Senate) announced that Connecticut has reached a settlement with HealthNet and its parent companies over this breach.  According to Blumenthal, this is the very first time a state Attorney General reached such a settlement for a HIPAA violation. The settlement included:

  • $250,000 fine to be paid to Connecticut;
  • $500,000 contingency fund, to be paid to the state in the event it is determined that someone accessed the protected data on the lost disks; and
  • a "corrective action plan" which is aimed to enhance security of protected data in possession of HealthNet and its parent companies.

It is important to keep in mind that the penalties could have been even higher. Yet regardless of the amount of the fine, this breach cost much more to HealthNet than $250,000.  The costs associated with investigations, breach notification, and possible legal fees almost certainly cost the organization more than the amount of the fine imposed by Connecticut.  Thus, HealthNet's example should serve as a great reminder about the importance of doing everything possible to avoid a breach, and knowing how to handle a breach effectively if one does occur.

"Blumenthal wins $250,000 in Health Net settlement," (July 6, 2010).

California hospital breached patient privacy by faxing records to a wrong number

Breaches are not always caused by lost laptops or hackers.  They often result from simple errors by the hospital's or another provder's own staff.  In a very recent example, the California Department of Public Health found two instances of serious mishandling of protected patient information at Children's Hospital of Orange County.  Via Orange County Register:

In the first instance, the state found that after a doctor called to give the hospital a new fax number, patient records were instead sent to an auto business. Six faxes with health care information were picked up from the business, the report says.

A month later, the auto shop again notified the hospital that it had received a fax with a patient's name, date of birth and details of visits. The hospital discovered that the wrong fax number had not been changed in a data base.

Hospital staff said the breach would have been prevented if a test fax had been sent as required by hospital policy, the report said.

The other privacy breach occurred when the name of an emergency room patient's doctor was incorrectly entered into the system. Records were then faxed to the wrong doctor who notified the hospital.

CHOC is auditing its database to make sure information is accurate.

It is not clear whether CDPH is going to impose a fine on CHOC like the agency did earlier this month to five different hospitals. Regardless, this episode should serve as a great reminder for healthcare providers about how simple mistakes can lead to costly and highly embarrassing data breaches, especially in instances where the provider fails to adhere to its own privacy policy. 

"State blames CHOC in wrong-site surgery," Orange County Register (June 25, 2010).

Updated: breaches and fines on the rise

The number of reported health information breaches is growing rapidly: 32 breaches were reported on the OCR web site from September 2009 to February 2010, but the number almost tripled, to 93 breaches, by June 11, 2010.  Such significant increases in reported breaches may be attributed to the notification and reporting requirements in the HITECH Act, which went into effect this year.  We cannot possibly report or list all of the relevant breaches, but we would like to highlight a few important ones:

  • On May 28, 2010, reported that “Cincinnati Children's Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.”  Information lost included not only PHI, but also Social Security numbers and even credit card data.  The records on the laptop were password protected, but they were not encrypted.  The hospital reported the breach, hired a consulting company to deal with same, and offered affected individuals ID theft protection at no charge.  The cost of this breach has already been extremely high, but it could be even higher if credit card companies go after Children's Hospital for losses associated with loss of improperly stored credit card information. 
  • Five hospitals in California were fined a combined total of $675,000 by the California Department of Public Health for patient privacy violations, failing to prevent unauthorized access to confidential patient medical information of 245 patients, which were improperly accessed by a total of 32 employees.  On June 10, 2010, Press-Enterprise reported that the Community Hospital of San Bernardino was fined by the state of California a total of $325,000 for breaches of more than 200 patient records by two employees in 2009.  Violations were significant, but, considering the fine, far from gruesome.

Please click here to read more.

In the first instance,

an unidentified radiology technician accessed 204 records for 177 patients between Jan. 10, 2009, and Feb. 22, 2009, without having a clinical reason to do so. The investigation report doesn't indicate whether the employee used the information she got or contacted the patients.

In a second investigation, inspectors found that a medical imaging department employee allowed a friend who was visiting her into a restricted access room where the employee worked. The visitor could overhear patients discuss their personal information with the employee, a report states.

This should serve as an important reminder about the far-reaching nature of medical information privacy laws -- both federal and local.  California has a particularly strict medical privacy law, enacted in 2008.  Breach does not mean just a lost laptop, hacking or intentional access of a celebrity's records, as we saw last year in California.  It could be a wide range of activities, and hospitals and other providers should pay close attention to the fast-changing regulatory environment, create or modify their policies and procedures accordingly and, perhaps even more crucially, train their staff to comply with such necessary policies and procedures.

"Missing records on stolen laptop from Cincinnati Children's Hospital," (May 28, 2010).

"SB hospital fined $325,000 for breach of patient records," Press-Enterprise (June 10, 2010).

"Large Patient Information Breaches List Nears Century Mark," Health Leaders Media (June 16, 2010).

Facebook's privacy struggles

The Wall Street Journal devoted the front page of its "Marketplace" section to a report on Facebook's struggles with privacy advocates, regulators like FTC, and, at times, even its own employees.

The company can't afford not to act. The Federal Trade Commission is taking a close look at how online social networks are using people's data, and people close to the matter say it is increasingly focused on Facebook. <...>

A group of senators led by Sen. Charles Schumer (D., N.Y.) called on Facebook to roll back the changes and more than a dozen privacy groups lodged a complaint with the FTC on grounds that Facebook was displaying user information without their consent.

Facebook faces a herculean task of keeping personal information of its 500 million subscribers private and secure.  Privacy is a major stumbling block for this young company, which hopes to earn billions in ad revenues by using the private data it collects from its subscribers. 

Facebook must clearly articulate to its subscribers the privacy risks and security settings available to them; but, ultimately -- as the clever someecard, above, suggests -- the best way to ensure the privacy of one's personal information is not to share it with the world, via Facebook or any other online social networking site.

"Facebook Grapples With Privacy Issues,"  Wall Street Journal (May 19, 2010).

Prison sentence for hospital employee who breached patient privacy

Back in January, we wrote about Huping Zhou, a former employee at the UCLA Healthcare System, who pleaded guilty to federal charges of breaches of patient privacy.  Zhou, 48, accessed the UCLA patient records system 323 times during the three-week period, mostly looking for the files of celebrities, after being let go by the hospital. Names of targeted celebrities have not been revealed.

On April 27, 2010, Zhou was sentenced to four months in prison after pleading guilty to four misdemeanor counts of HIPAA violations. Zhou is the first person ever sentenced to prison for violating HIPAA.  According to NBC Los Angeles:

Federal officials say Zhou is a licensed cardiothoracic surgeon in China. In 2003, he went to work for UCLA as a researcher with the UCLA School of Medicine. But his tenure was short and stormy. School officials notified him that he would be dismissed in October that year, and that's when federal officials say the snooping began.

In his plea agreement, Zhou admitted his actions, and that he had no legitimate reason for accessing the records. Federal authorities say there's no evidence that he did it for profit. Apparently, he just did it because he could.

"Former UCLA Healthcare Worker Sentenced to Prison for Snooping, " NBC Los Angeles (April 28, 2010).

Connecticut radiologist breaches privacy of hundreds reported yesterday that a Connecticut radiologist, previously affiliated with the Griffin Hospital in Derby, Conn. "accessed patient radiology reports on the hospital's PACS using the passwords of other radiologists and an employee within the radiology department. The passwords were obtained and/or used without their knowledge." From

From the investigation conducted by Griffin, it appears the radiologist who gained unauthorized access scanned the PACS directory listings of 957 patients who had radiology studies performed at Griffin during the period and selected and downloaded the image files of 339 of these patients.

On and after Feb. 26, Griffin received inquiries on behalf of patients regarding unsolicited contact by the physician who offered to perform professional services at another area hospital despite the patients' interest in having those services provided at Griffin. The inquiries prompted the investigation that revealed unauthorized intrusions into Griffin's PACS and, thereby, the breach of protected patient health information.

This should serve as a reminder for healthcare providers regarding maintaining the safeguards necessary to prevent wrongful access to patient data.  For example, and there is no indication that this is what occurred in this case, clinicians and other hospital staff should not keep their system passwords on sticky notes next to or on their monitors.  Even if you believe that everyone in your office is fully trustworthy, you never know who can get a hold of such restricted information as usernames and passwords.  The reputational and financial damage to your organization could be very substantial; and your contract with the PACS system vendor is unlikely to indemnify or protect you from such losses.

"Radiologist breaches data, images of nearly 1,000 patients via PACS," (March 31, 2010).

ONC publishes white paper on consent options

The Office of National Coordinator for Health IT (ONC) published on its web site a white paper analyzing the policies behind obtaining consent for the purposes of electronic health information exchange.  The paper examined the concept of patient control of their health information, focusing on "the issues, nuanced considerations, and possible tradeoffs associated with the various consent options to help facilitate informed decision making."  While the paper was written by researchers at the George Washington University, under contract with ONC, ONC clearly stated in the preamble that this white paper does not actually represent the views of the ONC or HHS.

You can find the full paper (and the attachments) by clicking here.  You can view the executive summary by clicking here.

In the news: medical ID theft on the rise; CHIME comments on meaningful; and more

  • Javelin Strategy & Research survey found over 275,000 cases of medical identity theft in 2009, with an average price tag greater than $12,000 per incident.  This is twice as many cases as in 2008.  Keeping health information safe is going to be of paramount importance in the next decade, especially considering the steep rise in use of electronic health records. According to (citing a study by IDC, a research firm), "about a quarter of all Americans -- 77 million people -- already have an EHR, up from 14% from in 2009." By 2015, experts believe the number will reach up to 60%, partially due to the transformation of the health IT industry by the HITECH Act.
  • In its comments to CMS regarding the meaningful use NPRM, College of Healthcare Information Management Executives (CHIME) insisted that the present "all or nothing" approach to achieving meaningful use is going to prevent significant numbers of eligible providers from receiving any incentive payments under the HITECH Act.  According to American Medical News:

Among CHIME's suggestions: a gradual implementation process that would allow physicians to qualify for incentives by achieving 25% of meaningful use objectives by 2011, 50% by 2013, 75% by 2015, and 100% by 2017.

'Without an approach that rewards progress or provides sufficient time, organizations with limited resources will likely have little chance of qualifying for payments, thus widening the 'digital divide' in the country,' CHIME wrote.

  • U.S. Senate passed a bill which, if approved by the House and signed by the President, would limit the definition of "hospital-based" eligible professionals to just those practicing in an inpatient or emergency room hospital setting.  If passed, this change would make the Medicare and Medicaid EHR incentive payments available to a far wider range of eligible professionals.
  • CCHIT may be getting some competition from the Drummond Group, which announced plans to become an ONC-authorized certifying body of EHR technology (ONC-ATCB).

"U.S. Senate backs expanded physician eligibility for MU," (March 11, 2010).

"Drummond Group in EHR testing for the 'long term'," Healthcare IT News (March 12, 2010).

"Patient Billed for Liposuction as Medical Theft Rises," (March 23, 2010).

"As health data goes digital, security risks grow," (March 22, 2010).

"EMR meaningful use rules warrant gradual approach," American Medical News (March 17, 2010).

Rising numbers and costs of data breaches

There is little doubt that the healthcare industry must prepare for a growing number of - and expanding costs associated with - data breaches, particularly for breaches of protected health information.  Here are just a few notable reports on this subject:

  • reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat:  "the last quarter of [2009] saw an average of 13 400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months."  According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."
  • Cnet News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches."  The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.


There are also a couple of examples of individual healthcare organizations suffering from increasing costs associated with data breaches:

  • According to Chattanooga Times Free Press (via iHealthBeat), BlueCross BlueShield of Tennessee announced that it has spent more than $7 million to respond to a security breach resulting from 57 hard drives having been stolen from its training facility, which may have compromised personal and health data of up to 500,000 members.  $7 million tab does not appear to be the end of it:

The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach [pursuant to the HITECH Act].   <...>

BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

  • Considering the experience of BCBS of Tennessee, the costs associated with HealthNet's infamous data breach must be even higher. On top of providing two years of free credit-monitoring for hundreds of thousands of affected members, HealthNet is being sued by the state of Connecticut for HIPAA violations and noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data.  The missing hard drive contained "27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."  Further complicating HealthNet's situation is the fact that the company waited for six months to inform the affected customers of the possible breach.

"Healthcare hacks on the rise," (January 26, 2010).

"Survey: Data breaches from malicious attacks doubled last year," cnet News (January 25, 2010).

"Tab for Response to Data Breach Hits $7 Million for BCBS of Tennessee," IHealthBeat (January 26, 2010).

"AG files suit in health data privacy breach," (January 13, 2010).



CBS News reports on EHR efforts

By popular demand, here is the video of David Pogue's report on the Obama Administration's efforts to digitize patient records in the U.S. 

Watch CBS News Videos Online

"Charting a New Course," CBS News (September 13, 2009).

New York Times interviews David Blumenthal

David Pogue, a reporter for the New York Times, posted the transcript of his interview with Dr. David Blumenthal, National Coordinator for Health IT. Mr. Pogue interviewed Dr. Blumenthal for a CBS news report on digitization of healthcare in America (the video is available after the jump).

Here are some highlights from the interview:

On current state of health IT in the US:

We found that about 17 percent of physicians in 2008 had adopted an electronic health record, and about ten percent of hospitals. <...> The rest is paper. It's basically the same system that physicians have used since Hippocrates, which is writing on some piece of paper.

On reimbursement penalties for those failing to achieve meaningful use by 2015:

From 2011 to 2015, there is a bonus. The Congress has put $45 billion on the table to ease physicians and hospitals into this new world of computerized medicine.After 2015, if you have not adopted, and you see Medicare or Medicaid patients, you may experience a penalty. 2015 is six years off. Six years is plenty of time for physicians to get themselves organized to put a record in place and avoid those penalties.


On cost of EMRs:

On average, the cost is between $40,000 and $50,000, of which about a third is the software and the hardware, about a third is the cost of getting it set up in the office, and about a third is maintaining it. Much of the expense is related to the cost of implementing and the cost of maintaining it over time.

On privacy and security:

Privacy and security are foundational to a modern health information system. You cannot get the computer into this business without assuring people that their information, their personal information, will be safe.

So we are looking at the best possible technical solutions, technical protections, to privacy and security. We want to make sure that we have looked at every opportunity for encryption, every security device that the best minds can think of, to make information safer. We've got it in other parts of the industry, but we don't have it for healthcare. So I think that's a very important agenda item for us.


There are two kinds of anxieties. One is that their data may be used for purposes that they haven't authorized it. So if they haven't authorized their personal data to be used for research, they don't want it for that purpose. And the way the law gets around that problem is by saying that information should be de-identified; that is, it should be abstracted from the record in a way that can never be traced back to that individual.

And then that information can be used for research on drug safety, or research on the value of particular treatments, or anything els that may be useful to human health.

There's another kind of fear, and that is the fear of the breach or break-in, or hacking. And there have been some examples of that.

That's where better encryption and better barriers to hacking are critical. And, you know, we have a new cybersecurity initiative that President Obama has put in process. It's well known that the security of information is a national need for defense purposes. It's also, I think, a very important need for this domestic policy purpose. So we want to work with that security initiative to know that we've taken advantage of everything that the federal government and the computer industry knows about how to keep records secure.

Finally, the big picture:

Well, it's a big challenge, it's an exciting challenge, and a historic challenge. There's nothing that's worth doing that's easy to do in life, and this is one of those.

But I really think that history is on the side of this activity. To be a 21st-century physician, to be a 21st-century hospital, we can't record data the same way the Greeks did in 500 B.C. We've gotta move to use the computer to support our work. And that's what we're trying to do.

There'll be bumps on the road. We're not gonna be perfect. We'll make mistakes. But I think the wind is at our back in terms of the historical trends. And we'll get there, sooner or later.

"Computerized Health Records," New York Times (October 15, 2009).

"Charting a New Course," CBS News (September 13, 2009).


Watch CBS News Videos Online

HIT Standards Committee endorses privacy and security standards

On September 15, 2009, the HIT Standards Committee endorsed a set of privacy and security standards for electronic health record systems. 
These standards will be recommended to Dr. David Blumenthal, the National Coordinator for Health Information Technology, as a basis for establishing the privacy and security criteria for, inter alia, "certified EHR technology" as defined under the HITECH Act.  Eligible healthcare providers must meet the criteria for "meaningful use" of "certified EHR technology" in order to qualify for significant incentives available under the HITECH Act.

The committee’s Privacy and Security Workgroup included access control, authentication, authorization and transmission of health data among the requirements that electronic health record systems must include by 2011 in order to meet the definition of "certified EHR technology."   Specifically for 2011, the Standards Committee approved the Workgroup's recommendation to require certified products to provide the capabilities necessary to support the HIPAA and ARRA security and privacy requirements and best practices for “meaningful use.”  The endorsed privacy and security standards will become more rigorous in 2013 and 2015.

You can find the spreadsheet of endorsed privacy and security standards here.

You can also view the presentation from the Workgroup here.

"Federal panel okays EHR security, privacy standards," Government Health IT (September 15, 2009).



FTC Issues Final Breach Notification Rule for Electronic Health Information

Pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA), the Federal Trade Commission (FTC) issued the final rule regarding notification requirements for breaches of electronic health information by vendors of personal health records and certain affiliated entities:

The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.


The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at

You can find the full text of the rule here.

"FTC Issues Final Breach Notification Rule for Electronic Health Information," FTC Press Release (August 17, 2009).

Healthcare providers must become aware of and comply with PCI DSS

Healthcare providers are generally familiar with and are used to the complex network of state and federal data privacy protection laws (e.g., HIPAA and HIPAA Privacy and Security regulations).  However, most providers may not be aware of another set of data security standards, the Payment Card Industry Data Security Standards (PCI DSS), imposed by a non-governmental, private organization representing the credit card industry.  

Contrary to popular belief, PCI standards apply to any processor of credit cards, regardless of volume of credit card transactions.  (However, PCI DSS differ based on each organization's transactions volume.)  In other words, if your healthcare enterprise or practice accepts credit cards as payment for services (which virtually all practices do), your organization is subject to PCI DSS.  

SC Magazine's recent contribution from Jim Lacy, CFO of healthcare IT company ZirMed, provides an excellent reminder for all healthcare providers accepting credit cards to take note of PCI DSS and begin the process of compliance with such standards.

A few lessons from Jim Lacy's piece and more after the jump.

Jim Lacy reminds healthcare providers of a few basic principles of PCI compliance:

  • As mentioned above, PCI DSS applies to all entities processing credit card transactions, regardless of volume.
  • PCI DSS compliance is not prohibitively expensive.  Certain PCI-compliance services are available online for as little as $150 a year.
  • If your organization is not compliant with PCI DSS, you may not be able to process credit card transactions in certain markets.
  • Aside from suspension of one's ability to process credit card transactions, a data breach for non-compliant providers may cost hundreds of thousands of dollars in fines alone (VISA can impose fines up to $500,000 per incident).
  • HIPAA compliance does not mean compliance with PCI DSS.

In addition to PCI DSS, at least one state, Minnesota, adopted most provisions of PCI DSS prohibiting storage of credit card data as state law, the Plastic Card Security Act (PCSA).  PCSA essentially created a strict liability standard for entities processing over 20,000 credit card transactions a year for any losses or damages caused by a data breach of stored credit card data. 

Thus, a Minnesota healthcare enterprise may be strictly liable to credit card companies or patients for losses or damages resulting from a security breach of stored credit card data, if such provider was not compliant with PCI DSS and the applicable provisions of Minnesota law.

"PCI-DSS: Not on health care provider's radar", SC Magazine (June 19, 2009).


New York Times reports on the growing threat of medical identity theft

The New York Times reported today on the growing threat posed to patients and consumers by medical identity theft.  The article rightfully notes that this threat may only become more prominent with the widespread adoption of electronic health records technology championed by the Obama Administration. 

According to the Times, over 250,000 Americans are victims of medical identity theft each year, and this number does not include those who are not yet aware that they are victims of such identity theft.  The article profiled one case of medical identity theft, that of Brandon Sharp, a 37-year-old manager at an oil and gas company in Houston:

In Mr. Sharp’s case, someone got hold of his name and Social Security number and used them to receive emergency medical services, which many hospitals are obliged to provide whether or not a person has insurance. Mr. Sharp still does not know whether he fell victim to one calamitous perp who ended up in several emergency rooms or a ring of accident-prone conspirators.


The article continued:

In another variant of the crime, someone can use stolen insurance information, like the basic member ID and group policy number found on insurance cards, to impersonate you — and receive everything from a routine physical to major surgery under your coverage. This is surprisingly easy to do, because many doctors and hospitals do not ask for identification beyond insurance information.

Even more common, however, are cases where medical information is stolen by insiders at a medical office. Thieves download vital personal insurance data and related information from the operation’s computerized medical records, then sell it on the black market or use it themselves to make fraudulent billing claims.

The new privacy and security regulations included in the HITECH Act are aimed at increasing protections for privacy of patient information (e.g., new accounting and reporting rules, as well as rules regarding access and accuracy of a patient's record.)  HHS has yet to provide some regulation around such privacy and security requirements. 

Finally, the Federal Trade Commission's "Red Flags Rule" is aimed at preventing medical identity theft.  In fact, one of FTC's suggestions to healthcare organizations for identity theft prevention is to institute a practice of checking patients' ID before providing services to such patients.

"Your Medical Problems Could Include Identity Theft", New York Times (June 12, 2009).


Sears settles FTC claims regarding its online tracking software

On June 4, 2009, Sears Holdings Corporation (Sears) settled its dispute with the Federal Trade Commission (FTC) regarding Sears's controversial online tracking software.  Sears paid its customers $10 to join "My SHC community" and download  software which would track participants' online behavior.  However, FTC alleged that Sears did not adequately disclose the enormous scope of information Sears collected on the participants:

<...> Sears represented to consumers that the software would track their “online browsing.” The FTC charges that the software would also monitor consumers’ online secure sessions – including sessions on third parties’ Web sites – and collect information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. The software would also track some computer activities that were not related to the Internet.

Sears did disclose the full extent of what information it would monitor, but only "in a lengthy user license agreement, available to consumers at the end of a multi-step registration process", which the FTC deemed to be inadequate. 

Under the settlement, Sears is required to destroy the data collected under this program, and to "clearly and prominently disclose the types of data the software will monitor, record, or transmit" if Sears advertises or disseminates any tracking software in the future.  The FTC also required Sears to make such disclosure prior to installation of the software and separate from any user license agreement; and disclose whether any of the data will be used by a third party.

"Sears Settles FTC Charges Regarding Tracking Software", FTC press release (June 4, 2009).
"Sears settles with FTC in privacy flap", Reuters (June 4, 2009).

Steve Fox on the ARRA privacy requirements

In an interview with Thompson's Compliance Information Center, Steve Fox urged healthcare providers to begin the compliance process to meet the new data privacy and security requirements imposed under the American Recovery and Reinvestment Act of 2009: 

“The main message for providers is that ARRA is not something they can wait until next year for,” said Steven J. Fox, Esq., a partner at the law firm Post & Schell in Washington D.C. and co-author of the Guide to Medical Privacy & HIPAA.  Although Fox does not advise covered entities to completely overhaul their HIPAA compliance programs before HHS issues regulations, he does say they should begin reviewing all of their current privacy and security policies and procedures and comparing them with the new ARRA requirements. Entities should conduct “a thorough self analysis to determine where they stand.

Covered entities also should train their staff so they understand the importance of privacy and security. Under ARRA’s new penalty provisions, there is an increased potential of significant fines being levied, so entities should prepare by readying their staff for new requirements.

“People need to be trained and retrained to understand how their jobs are changing” as a result of the ARRA privacy and security provisions, Fox said. But, he cautioned “it is premature to do an overhaul of training programs” right away. “Someone needs to revise the whole compliance training program to include all of the ARRA changes — but not too far in advance before the changes are required,” he said.

This interview also headlined IAPP's Daily Dashboard briefing on April 16, 2009.


Deloitte Publishes Healthcare Consumer Survey Findings

Deloitte published the results of its 2009 survey of more than 4,000 healthcare consumers, and the findings included some good news for the healthcare IT industry:

  • 9% of consumers have an electronic personal health record (PHR), but 42% are interested in creating one connected online to their physicians.  This leaves much room for growth for companies like Microsoft and Google which offer a PHR product.
  • 55% want the ability to communicate with their doctor via email to exchange health information and get answers to questions, and 57% would be interested in scheduling appointments, buying prescriptions and completing other transactions online if their information is protected.
  • 4 in 10 favor increasing government funding and incentives to support adoption of electronic medical records by doctors, hospitals and health plans.

However, consumers remain worried about the privacy and security of their personal health information, with 38% of those surveyed being "very concerned" as opposed to 24% of those who are not concerned at all.  Sixty percent support government establishing standards "for how medical for how medical information is collected, stored, exchanged and protected." 

The full survey findings can be downloaded here.

"Deloitte Survey Finds Healthy Consumer Demand For Electronic Health Records, Online Tools and Services",, April 6, 2009.

"2009 Survey of Health Care Consumers: Key Findings, Strategic Implications", Deloitte Center for Health Solutions, released April 2009.

In the news: CVS and Google; Connect Open Source Software; and more

  • CVS pharmacy customers now have the ability to download their prescription and medication histories to Google Health accounts after CVS and Google expanded their partnership.  Patients at CVS' walk-in MinuteClinics are also able to add summaries of their visits to their Google Health accounts.  It would be interesting to find out if CVS and Google ever executed a Business Associate Agreement.  After the enactment of the HITECH Act, Google famously maintained that its personal health records product is not a subject to the new legislation and certain privacy and security provisions under HIPAA.  ("CVS-Google Health pact now includes drugstores", AP, April 6, 2009.)
  • The federal government released Connect, and open source software which allows public and private entities to share health information via the National Health Information Network.  The source code is free to download (the code and its documentation are available here), but organizations choosing to acquire and use this product will be responsible for costs associated with the installation and maintenance of Connect.  The Social Security Administration, Department of Defense, Veterans Affairs, and the CDC are among the many government agencies using this software for health information exchange already.  ("NHIN software released to open-source community", Government Health IT, April 7, 2009.)



  • This Business Week article analyzes the various data privacy and security concerns facing health care providers and patients alike.  ("Putting Patient Privacy in Peril?", Business Week, April 6, 2009.)
  • The New York Times reports that New York-Presbyterian Hospital became "the first large institution to move beyond the pilot stage this week as it begins to offer consumer-controlled health records for patients... New York-Presbyterian has been working with Microsoft for more than a year, not only on technical matters but also ease-of-use concerns with patients. The introduction will be gradual, beginning with heart patients, who will be told of the potential benefits of personal health records when they visit a New York-Presbyterian hospital or outpatient clinics."  Once again, it would be very interesting to find out if NYB and Microsoft signed a Business Associate Agreement, or if Microsoft acknowledged whether it is now subject to certain privacy and security provisions under HIPAA.  ("A Hospital Is Offering Digital Records", New York Times, April 5, 2009.)


Risk Prevention/Management Advice to Hospitals Regarding Document-Sharing Technology

Hospitals, multi-hospital systems, and integrated healthcare delivery systems are increasingly utilizing data-sharing technology to communicate with, and share documents among, their officers and directors. 

For example, some healthcare business enterprises use online services to upload documents to a “secure” Internet web site for Board members’ review prior to Board meetings, in lieu of sending out such documents via e-mail or in paper form. Healthcare business enterprises using such services need to be aware of many potential security and privacy risks inherent in transmitting, uploading and storing sensitive, confidential or even proprietary information via the Internet.



Communications to a hospital Board may include:

  • Confidential information regarding the hospital’s operations or personnel;
  • Data on non-public commercial and financial affairs of the hospital;
  • Legally privileged information regarding law suits on behalf of or against the hospital; and
  • Confidential and privileged peer review materials, including protected health information (PHI, as defined under HIPAA) of the hospital’s patients.

Prior to acquiring or using such data-sharing technology, healthcare business enterprises should make sure that the software is secure and that both the enterprise and the service provider use appropriate physical and technical security safeguards to protect personal and otherwise protected information. There is no one fail-safe approach to implementation and operation of data-sharing technology, and such technology should be customized to fit the enterprise’s needs and requirements. However, at minimum, preliminary precautions should include:

  • Knowing exactly what information is being distributed, via what channels (e.g., whether it is contained on a laptop, another portable device or on the network);
  • Avoiding access, storage, sharing, or use (including downloading, printing, or emailing) of information from or via unsecured home office computers or other mobile devices;
  • As much as possible, limiting the unencrypted sensitive data being transmitted;
  • Avoiding use of actual personal or confidential data in testing of the software;
  • Implementing access control checks, including restricting access to essential personnel only;
  • Using intrusion detection technology or procedures to quickly detect any unauthorized access; and
  • Training and educating all relevant personnel and all persons with access to such information regarding the enterprise’s data privacy protection policies and procedures.

In order to protect your healthcare business enterprise, your Legal and IT teams should negotiate an agreement with the service provider which, at minimum, includes the following provisions:

  • A warranty from the service provider that their product is safe, secure, and complies with all applicable privacy and security standards; 
  • A requirement for the software provider to comply with your institutional privacy and security policies, as well as all applicable laws and regulations;
  • An explicit prohibition for the service provider to use, communicate, divulge, exploit, duplicate, distribute, publish, reproduce, transfer, dispose of, recreate, modify, or create derivative works based upon or otherwise reveal or make available to any third party, directly or indirectly, for any purpose, except as provided in such contract; and
  • Indemnification, remedies, limitation of liability, and other provisions protecting your business enterprise for any damages resulting from a data breach or loss, in instances where such breach or loss are caused by the purchased software or the service provider.

Finally, the agreement with the service provider should include a Business Associate Agreement (BAA, as defined under HIPAA); however, please keep in mind that the BAA should acknowledge the changes mandated by the recent American Recovery and Reinvestment Act of 2009, as well as numerous new regulations to be promulgated by the Secretary of Health and Human Services under this Act.