Archive for November, 2009


Medical Identity Theft Risks

Posted by: Doug Pollack | November 24th, 2009

It is unfortunate that while we have very clear rights to access and correct our financial records, we don’t have similar rights when it comes to our medical records. While this hasn’t been a high level concern for patients up until now, because the majority of fraud thus far has mostly impacted the healthcare insurers, the implications for all of us are getting more and more serious.

This segment describes a situation where a young woman’s social security number at the Red Cross became associated with a patient who visited a clinic in another state, years ago, who had AIDS. It illustrates the difficulty that one has in correcting such issues with our medical identities.

Where are the healthcare data breaches?

Posted by: Doug Pollack | November 24th, 2009

Since the HITECH Act data breach notification provisions became effective this past September 23, 2009, I’d recently become curious about the number and nature of data breaches that would start to appear on the website at the Department of Health and Human Services (HHS).

The HHS Rules require healthcare organizations (specifically HIPAA covered entities) to report to HHS any data breach incidents that have affected over 500 individuals, shortly after the breach is discovered. I noticed that the Identity Theft Resource Center (ITRC) 2009 ITRC Breach Report, a terrific compendium of public information from numerous sources on data breach incidents, had captured numerous healthcare data breaches since the September 23rd effective date. And of course there have been several very high profile healthcare data breaches recently, including the Blue Cross Blue Shield Association breach that affected over 850,000 of their medical providers, as well as the recent Health Net data breach affecting over 1.5MM individuals.

So with great anticipation I visited the HHS website where there is a section on the Breach Notification Rule and clicked on the following link:

“View Breaches Affecting 500 or More Individuals. OCR must post a list of breaches that affect 500 or more individuals.  View a list of these breaches.”

And surprisingly, there was nothing there. Now, it is very hard to imagine that no data breaches have been detected since September 23rd that affected over 500 individuals and would have had the potential to lead to harm for the affected population. So, I’m perplexed as to why there aren’t any data breaches over 500 individuals yet listed by HHS.

I guess it is possible that some healthcare providers may still be unaware of the reporting mandate, but it would seem unwise of others that are aware of the breach notification provisions and have experienced a sizable data breach to neglect to comply with the mandatory HHS reporting requirement. If anyone can shed light on the lack of content on the HHS data breach notification site, I think it would be of interest to all of us who are watching to see whether the public reporting provisions of the HITECH Act will result in more responsible behavior by entities that expose our protected health information (PHI).

Healthcare Ready for HITECH?

Posted by: Doug Pollack | November 20th, 2009

HIMSS Analytics this past week released a study titled “Evaluating HITECH’s Impact on Healthcare Privacy and Security” that looks at healthcare providers and their business associates, relative to their awareness of the HITECH Act’s data breach provisions, as well as their experience with data breach incidents and concerns about preparedness and compliance with HITECH Act provisions.

This study, co-sponsored by ID Experts, the leader in identity breach protection, exposes some significant concerns.  It concludes that healthcare business associates, those organizations that provide services such as billing, credit bureaus, benefits management, legal services, claims processing, insurance brokers, data processing firms, pharmacy chains, accounting firms, temporary office personnel, and offshore transcription, are “unprepared for data breach”.

Further it notes that  “68 Percent of Provider Respondents Indicated that the HITECH Act’s Expanded Breach Notification Requirements will Result in More Discovery and Reporting of Incidents”.

This implies that healthcare organizations are experiencing data breach incidents that in the past have either gone unrecognized or unreported, and that the new law is likely to “expose” more incidents because of the compliance requirements and the potentially large penalties for non-compliance. It also notes that a lack of preparedness and concern on the part of healthcare providers’ business associates creates a very significant risk to the privacy of their patients.

Staying HITECH-Healthy: How Healthcare Can Protect Patient Privacy

Posted by: Doug Pollack | November 4th, 2009

September 23, 2009 marked a major milestone for patient rights. That is when the new Health Information Technology for Economic and Clinical Health (HITECH) Act took effect, requiring healthcare organizations to take more responsibility for protecting patient records and health information.

The HITECH Act seeks to streamline healthcare and reduce costs through the use of health information technology, including the adoption of electronic health records.  To ensure technology and security go hand-in-hand, the HITECH Act also includes strict new rules for notification in the case of a data breach incident where protected health information (PHI) is improperly exposed.

Healthcare organizations and their business partners are now required to notify individuals affected by a data breach and the federal government, who will post the information publicly.  The HITECH Act also stiffens penalties for non-compliance—up to $1.5 million.

It is too soon to see the full impact of the HITECH Act.  Certainly, government agencies are fine-tuning—and debating—the details.  But whatever happens in Washington, healthcare organizations would be smart to ask:

- Will the federal and state governments impose even stricter privacy initiatives over the next six months as a result?

- Will the move toward electronic health records increase healthcare breaches?

- Regulatory penalties aside, what are the consequences of a data breach, such as loss of credibility for my organization, and medical and financial risks to people whose data was lost?

Tighter Privacy Laws. More Data Breaches.

These new regulations come at a time when healthcare breaches are on the rise; according to the 2009 ITRC Breach Stats Report healthcare breaches account for over 66 percent of all records breached this year (up from 20 percent in 2008).  In fact, some of the largest names in healthcare suffered data breaches.  In one incident, an employee at a high-profile medical center allegedly stole the personal information of 1,000 patients with the intent to defraud insurance companies.  Another case involved the theft of a laptop that may have contained PHI such as medical record numbers, names, and Social Security numbers.  And at a New York City hospital, an admissions employee was suspected of selling 2,000 patients’ data as part of an identity theft scheme and illegally accessing nearly 50,000 records.

Data Breaches Don’t Have to Spell Disaster.

With these new regulations in place, healthcare organizations are scrambling to understand the requirements and how to adapt and comply.  Unfortunately, we have learned firsthand through managing hundreds of data breaches that few organizations actually have breach response plans in place, despite the laws.

For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to data breach preparedness, as one customer did:

Thieves broke into a prominent healthcare facility and took, among other items, a desktop computer containing patients’ personal information.  Approximately 4,000 medical records were at risk.

The breach team at ID Experts provided a risk assessment for the hospital, communication with the affected population, and protection and recovery services for those affected.  In the end, ID Experts handled more than 1,500 calls; only a handful of callers required assistance directly from the hospital.  We delivered notifications to more than 5,000 people and provided membership in our protection and recovery services program to more than 1,200 people.

An excellent tool for establishing procedures in advance of a data breach is the incident response plan. ID Experts offers services that provide guidelines for establishing an incident response team and outline responsibilities and actions. The plan contains instructions, worksheets and materials that can be used to streamline the response process.

The new HITECH Act requirements will likely affect every aspect of your operations: business and healthcare processes; IT data security, retention, and monitoring; contracts and business relationships.  With increasing risks, having a response plan in place will benefit your patients, your employees and your business.