Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules. Here’s a link to read all of the HIPAA Breach Notification Rules guest posts.

In the world of release of information (ROI), we see the breach of one or two records much more frequently than the massive, over-500 events. Smaller, one- or two-record breaches do not require immediate notification to HHS. The HITECH Act says they should be aggregated and sent to HHS at the end of each year. In 2010, the agency received more than 25,000 reports of smaller breaches affecting more than 50,000 individuals. The complete Annual Report to Congress (PDF) from HHS for 2009 and 2010 is available online.

The most common, inadvertent breaches within the ROI process involve sending the wrong record to the wrong person or third party. It is usually human error that produces these breaches. For example, the CE gets a written request from an insurance company, attorney or patient for medical record #12345. Someone pulls the wrong medical record either paper-based or electronic, say medical record #12344 and sends it. The result—a breach!

Training, education, skilled staff and solid procedures are the best approach to minimizing human error-based breaches, but they are inevitable. If and when it happens, the CE must evaluate sending a notification to the patient.

Another observation about breaches is that reactions to them seem to be very polarizing. Sometimes we see “breach fatigue” by patients. They hear so much about breaches that any leakage of their information is considered “no big deal” and simply a reality of modern, high-tech times. “After all, who really cares about the appendectomy I had ten years ago?” The opposite pole is that some patients become very upset and exhibit a sense of great concern.

Ultimately, the balance between a patient’s right of confidentiality and the provider’s needs for workflow consistency will continue to evolve. In the meantime, until a final breach notification rule is released, every CE must determine for itself how patient notices are analyzed and handled.

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

It is widely expected that Health and Human Service (HHS) final disclosure rules will mandate notification be done in every case. Should this occur as predicted, additional patient education will be needed to avoid the concerns mentioned above.

Further complicating matters is the fact that hospitals must adhere to HHS rules AND those at the state level. State laws in some cases are more onerous than federal laws and they continue to morph. Just trying to stay on top of all the changes may be reason enough to disclose every instance of breached information. Whether it contains protected health information (PHI) or not, some states require patient notification in every instance of the inadvertent release of certain i.d. information.

In next week’s post, we’ll cover whether small breaches are still reportable.

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

Some hospitals feel that, since the risk analysis only produces subjective results, why bother? They believe that the effort and expense incurred derives no real benefit for CE or patient, and they just notify the potentially affected patient in every instance.

In my opinion, notifying the patient for each breach is a little risky in itself. Patients often have no context in which to view a breach.

For example, losing a flash drive containing unencrypted PHI on 1,000 patients entails obvious risks – the risk of someone finding and misuing the information, for example. The law rightfully requires patient notification in such cases. However, if a patient’s record is inadvertently mailed to a house number that does not exist (perhaps due to a typo which transposed two digits), chances are good that the post office will either return the records to the sender or else the package will go undelivered.

If the records are not accounted for, it is generally accepted that it should be considered a breach; however, telling the patient this may raise an alarm about something that probably will not happen. A thorough risk analysis, although subjective, might conclude that such a breach did NOT have a “substantial risk of reputational or financial harm” to the patient. This was apparently HHS’s thinking when it required the risk analysis to be conducted.

In next week’s post, we’ll cover the possible changes to the breach notification rules.

Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

Eight thousand providers. One question. When do we notify patients of a breach? I hear this question several times a week from all types of covered entities; hospitals, clinics and physician offices. Many are confused or misinformed about the answer. Furthermore, real world experience varies dramatically. Some providers notify everyone. Others notify only when necessary. What’s the answer?

First and foremost, you do not have to notify the patient each and every time there is a breach of protected health information (PHI). The law requires notification only if you meet one of two conditions:
1) When 500 or more records have been breached at the same time, you must notify the patients involved, OR
2) When you as the covered entity (CE) have conducted the required “risk analysis” and determined the patient (or patients) could suffer substantial financial or reputational harm.

The issue with the second requirement is the term “substantial”. It is very subjective and not fully defined within the rules. Conducting a risk analysis and determining the extent would appear to be a classic case of the fox guarding the hen house. As such, many observers expected hospitals NOT to notify, or perhaps under-notify, as the cost of a breach can be very high — both direct costs and the soft cost of reputational harm to the CE. However, we see providers taking a “better safe than sorry” approach and over-notifying.

In next week’s post, we’ll cover the risks of over-notifying after a breach.

I was recently sent an Information Week article on the “Steady Bleed: State of HealthCare Data Breaches.” The article basically tries to list out all of the data breaches that are happening in healthcare and how healthcare companies aren’t doing what they need to do to protect patient data.

Now, I’ll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don’t agree with the article’s assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it’s unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software’s fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I’m not saying that breaches don’t happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn’t take an electronic health record for people to start looking up famous sports stars health information.

Maybe the real difference with an EHR is that now we can know and track who accesses each patient record. That just means that now we actually know about all the violations whereas with paper charts they’d just happen and we’d likely never know about it or have a way to prove that it happened. So, yes, the number of reported HIPAA breaches should be going up. We have more information to report on.

The good thing long term is that with an EHR we now have tracking mechanisms that allow us to hold someone accountable for their breaches of HIPAA. If this accountability is taken seriously, the number of breaches will go down. That’s a much better long term solution than the naive ignorance of not knowing about breaches in the paper chart world.

Sure not all EHR software is secure. They need to fix that and improve that. However, the numbers and reports I’ve seen don’t seem to indicate that breaching an EHR software’s security is the real problem. There are far easier ways to take patient data than trying to breach an EHR’s security system. Let’s focus on those other ways that people take patient data and punish it appropriately. That’s far more productive than saying that we’re rushing too quickly into an unsecured EHR world.

I’m not sure how many of my readers have heard about the Virginia Prescription Monitoring Program being hacked yesterday. The Prescription Monitoring Program is used by pharmacists and others to discover prescription drug abuse. The story gets really interesting since it looks like the hackers encrypted over 8 million patient records and over 35 million prescriptions. Then, the hackers posted the following note on the Virginia Prescription Monitoring Program website (according to wikileaks):

“I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password.”

The website has now been entirely disabled and just times out if you try to visit the site.

The Washington Post blog has reported the following:

Sandra Whitley Ryals, director of Virginia’s Department of Health Professions, declined to discuss details of the hacker’s claims, and referred inquires to the FBI.

“There is a criminal investigation under way by federal and state authorities, and we take the information security very serious,” she said.

A spokesman for the FBI declined to confirm or deny that the agency may be investigating.

Whitley Ryals said the state discovered the intrusion on April 30, after which time it shut down Web site site access to dozens of pages serving the Department of Health Professions. The state also has temporarily discontinued e-mail to and from the department pending the outcome of a security audit, Whitley Ryals said.

“We do have some of systems restored, but we’re being very careful in working with experts and authorities to take essential steps as we proceed forward,” she said. “Only when the experts tell us that these systems are safe and secure for being live and interactive will that restoration be complete.”

Seems interesting that 5 days after they discovered the intrusion the website is still not back online. Must have been a pretty serious hack job.

The Washington Post also explained that this is the second such extortion attack using patient health care data.

In October 2008, Express Scripts, one of the nation’s largest processors of pharmacy prescriptions, disclosed that extortionists were threatening to disclose personal and medical information on millions of Americans if the company failed to meet payment demands. Express Scripts is currently offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.

Stories like this will set back any sort of RHIO or national HIE movement. Sure makes you think about the security of it all. What is interesting is that the patient data doesn’t seem to have much value outside of extortion. Otherwise, I’d think those who breached the system would have used it in some other way.