Archive for the ‘hhs’ Category


Private Practices report data breaches – 54,000 patient records lost since September 2009

Posted by: Rick Kam | August 18th, 2010

Physicians’ offices and small clinics are recent targets of patient data theft, creating a legal obligation under the new federal HITECH Act to notify patients of the crime and to provide concurrent notice to the HHS Office for Civil Rights (OCR). A recent article in HealthLeaders Media highlighted this growing problem.

According to OCR, breaches at 11 private practices, affecting a total of more than 54,000 patient records, have been reported to the agency since this legislation to protect patient privacy went into effect in September 2009.

The risk to affected patients is medical identity theft by criminals who want to use their information to obtain illegal prescriptions and medical services. The risks to private practices are regulatory non-compliance, state and federal fines for privacy violations, class action litigation, and losing patients who decide to take their business elsewhere.

Unfortunately, a breach of patient data is common. A misdirected fax, a stolen laptop, or a missing PDA containing patient data is all it takes.


When you suspect you have a breach of patient data, get help. A recent survey by the Ponemon Institute, a research organization that studies data breach incidents, found that 44% of the organizations surveyed engaged experts. Ponemon also found that those that engaged experts experienced 26% lower costs and more positive outcomes, including compliance with regulations, minimizing the risk of fines and class action litigation, and protecting patients from medical identity theft.

ID Experts has helped private practices and clinics, large and small, effectively mitigate the risks of a data breach. If you think you have an issue, call the ID Experts hotline at 866-726-4271 to discuss the case.


Enhanced HIPAA Penalties Raise Stakes for Employers and Health Care Providers Responding to a Security Breach

Posted by: philgordon | August 2nd, 2010

While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and health care providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.

HIPAA’s recently promulgated security breach notification regulations require notice only if (a) there has been access to, or acquisition, use or disclosure of, protected health information (PHI) in violation of the HIPAA Privacy Rule; and (b) that violation “poses a significant risk of financial, reputational or other harm” to the subjects of the PHI. In the preamble to the security breach regulations, the U.S. Department of Health and Human Services (HHS) takes the position that a covered entity “will need to perform a risk assessment” to determine whether the second element of the notification standard has been satisfied. Besides identifying four factors that covered entities might consider in conducting this risk assessment, HHS provides no other guidance on how to assess risk.[1] HHS does emphasize, however, that “[c]overed entities and business associates must document their risk assessments, so that they can demonstrate, if necessary, that no breach notification was required.” In other words, covered entities should expect that if HHS ever challenges a decision not to provide notice of a security breach, HHS’ first request will be for production of the covered entity’s risk assessment supporting that decision.

The decision whether to provide notice of a security breach could be momentous for a covered entity. Under HIPAA’s security breach notification regulations, if the incident involves more than five hundred individuals in the same state, the covered entity would be required to report the breach to HHS, which will post the report on its Web site and notify “prominent media outlets,” which may choose to publicize the breach. As a result, notification of even a relatively small breach could expose the covered entity to class action litigation, damaging media coverage, and collateral damage to patient or employee relationships, in addition to the cost of providing notice and incident response services to affected individuals. Given these potential adverse consequences, a covered entity often will have an overriding interest in finding that a HIPAA violation did not create a material risk of harm and, therefore, does not require notification.

However, HIPAA’s enhanced penalties substantially increase the potential exposure of a covered entity that decides not to provide notification without first conducting and documenting a credible assessment of the risk to individuals arising from the security incident. Under the new penalty scheme, HHS must impose a penalty upon finding that a covered entity’s HIPAA violation resulted from “willful neglect.” “Willful neglect” means “conscious, intentional failure or reckless indifference to the obligation to comply with the regulation that is the target of the complaint.” HHS likely would find that failing to notify individuals of a security breach without conducting a risk assessment, or basing a decision on a superficial risk assessment, constitutes “willful neglect.”

A finding by HHS of “willful neglect” would trigger exposure to substantial penalties. In that case, the penalty would range from a minimum of $10,000 per violation to a maximum of $50,000 per violation if the violation (i.e., the failure to notify affected individuals of the security breach) is corrected within 30 days of notice from HHS, and from a minimum of $50,000 per violation to a maximum of $1.5 million per violation if the violation is left uncorrected. Moreover, HIPAA’s amended enforcement provisions, and recently proposed regulations construing those amendments, provide HHS with substantial discretion in determining what constitutes a violation. If HHS were to determine, in the context of a security breach, that each person who did not timely receive a notice is one violation, or that each day that notice to affected individuals was improperly delayed is one violation, the potential penalties could run into the millions of dollars. While to date HHS has not imposed a single civil monetary penalty, the agency’s statutory authority to impose multi-million dollar penalties provides it with substantial leverage in negotiating settlements with alleged violators of HIPAA. HHS recently demonstrated its new-found muscle when it announced, on July 27, 2010, a $1 million settlement with a covered entity that allegedly did not properly dispose of PHI.

By contrast, a covered entity that conducts a credible risk assessment in good faith likely would have no exposure for any penalties. The recently proposed revisions to HIPAA’s Enforcement Rule bar HHS from imposing a penalty if the covered entity demonstrates that the violation did not result from willful neglect and was promptly corrected after the covered entity knew, or should have known, of the violation. This means that if a covered entity based a decision not to provide notice on a credible risk assessment, it likely would have no exposure for a civil monetary penalty, even if HHS were to disagree with the entity’s decision. Thus, HHS would have no leverage to extract a monetary settlement — as long as the covered entity provided notice to affected individuals promptly after being informed of HHS’ disagreement with the results of the covered entity’s risk assessment.

Because security incidents typically are investigated and evaluated under substantial time pressure, covered entities should consider obtaining, and familiarizing themselves with, a risk assessment tool before they are confronted with a security incident. One example of such a risk assessment tool is a software application called RADAR (Risk Assessment, Documentation and Reporting), recently released by ID Experts, a firm specializing in comprehensive data breach solutions for healthcare.

This entry was written by Philip L. Gordon.

Philip Gordon is a shareholder in the Denver office of Littler Mendelson, P.C., and chairs the firm’s Privacy and Data Protection Practice Group. He regularly counsels employers and health care providers on HIPAA compliance and security incident response. He is the principal author of Littler’s Workplace Privacy Counsel blog and Healthcare Employment Counsel blog, both of which can be accessed through www.littler.com. Mr. Gordon can be reached at pgordon@littler.com or 303-362-2858.


[1] The four factors identified by HHS are the following: (a) who impermissibly used the PHI or to whom the PHI was impermissibly disclosed; (b) the steps taken to mitigate potential harm resulting from the unauthorized conduct; (c) whether the PHI has been returned before being used for an improper purpose; and (d) the types and amounts of PHI involved in the incident.

New RADAR tool for HITECH data breach risk assessments

Posted by: Doug Pollack | July 21st, 2010

ID Experts today announced RADAR (HITECH Risk Assessment, Documentation and Reporting), the industry’s first expert software tool to measure a data breach incident’s incident risk index (IRI) by combining the severity of the episode and the sensitivity of the exposed data to quantify the incident’s overall harm threshold. Designed for healthcare providers, HIPAA covered entities, and their business associates, RADAR was developed to efficiently and consistently meet all of the requirements of the HITECH Act data breach notification provisions for security and privacy breach incident harm threshold assessment, documentation and reporting.

Security breaches are now remarkably commonplace in healthcare; more than 55 were reported to the Department of Health and Human Services (HHS) in the first six months of 2010. In fact, healthcare is the second most breached industry, according to the Identity Theft Resource Center. And security breaches, whether digital- or paper-based, can happen at any given moment—physical theft of a laptop from an employee’s car, deliberate abuse of system access, misdirected faxes and emails, malware attacks, unintentional human error, unauthorized access, a lost backup drive. Additionally, the future of healthcare dictates the use of electronic medical records, raising fresh concerns about protecting patient privacy, PHI threats and medical identity theft.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a leading researcher and voice in addressing data breach risks and issues, noted about RADAR that:

“Organizations may need guidance, especially when dealing with PHI breaches, so they cover their bases to protect individuals and follow all of the rules and laws. ID Experts’ new RADAR tool offers consistency and efficiency for evaluating and reporting a security breach, and provides the analysis and documentation required of a mandated risk assessment.”

Following any security breach, RADAR will guide the privacy or security officer through analyzing the incident and the exposed data to quantify the incident, determine whether the exposed information includes PHI, whether any exceptions apply, and the likelihood that the information could be misused. The results will help companies determine the potential risk of harm to the individuals affected by each data breach incident and take appropriate steps to mitigate the potential harm to those affected, while fulfilling all of the HITECH requirements enforced by HHS, including determining whether notification is required.

RADAR is currently in beta test with several leading US healthcare providers and will be generally available in August 2010. RADAR is available as software-as-a-service on a subscription basis, with pricing starting at $1,500 per user per year.

Three Things to Know About HITECH Act

Posted by: Doug Pollack | June 17th, 2010

A recently published article in Healthcare IT News highlights aspects of the Health Information Technology for Economic and Clinical Health (HITECH) Act that may have escaped your attention.

Titled “Three things you may not know about the HITECH Act…but should”, the article homes in on aspects of the rulemaking from the US Department of Health and Human Services that healthcare organizations must follow in determining whether a privacy breach incident meets the requirements for notification.

HITECH is known primarily for the manner in which it motivates healthcare providers to implement electronic health records (EHR) systems. But as more and more of our medical information is going online, the Act also wisely enhanced the privacy and security provisions that are required of healthcare providers and added penalties and enforcement mechanisms for the breach of private healthcare information.

One of the three things you may not know, per this article, is that when your organization experiences a potential privacy incident, you are required to carry out a “risk assessment” in order to determine the nature of the protected health information (PHI) that was disclosed, and whether it poses a risk of harm to the affected patients. Based on the results of this risk assessment, your organization may or may not be obligated to notify the affected individuals, along with HHS and the media. So this assessment process is very important.

Unfortunately, the risk assessment process is not as well defined or straightforward as might be hoped. And this gets to the 2nd item that you may not know about in HITECH. In carrying out a risk assessment, the goal is to determine whether there is a risk of financial, reputational or other harm to the patients affected. And in this process, not all PHI is created equal; in fact, you must consider the nature of the information disclosed in a manner that is situationally aware.

For instance, disclosure of a person’s name and their medical procedure may not be cause for any risk of harm if the procedure was having a bunion removed. However, if the procedure was for the diagnosis of AIDS, disclosure of this information could result in substantial harm. As a result, it is not just the data types that need to be considered, but the nature of the data and the environment of their release. Not at all straightforward.

And then the 3rd thing that you may not know about HITECH from this article is that its data breach notification provisions don’t “preempt” those of each of the states. In fact, if your organization experiences a data breach, you need to assess the requirement to notify, and how to notify, using not just the requirements of HITECH but also the requirements stated in state data breach notification laws.

For example, you may find, based on your risk assessment, that HITECH requires notification. But you may also find that in some states the timeframe for notification is shorter than the 60 days from discovery of the incident that HITECH requires. In other words, you must look at your breach notification requirements both under HITECH and under each state law where you have patients who were affected by the incident.

Needless to say, this is a complex process and you would be well advised to document your processes and decisions very carefully. You really don’t want to be the target of one of those $1.5MM fines that are beginning to surface.

Most data breaches due to carelessness

Posted by: Doug Pollack | February 23rd, 2010

A recent article in American Medical News notes that the greatest risk to healthcare providers in the area of maintaining patient privacy isn’t offshore hackers or rogue employees, but rather simple accidents.

Over six months in 2009, 12,500 mobile devices were left in taxis. And 4,500 USB “thumb” drives were left in pants pockets that were then sent to the cleaners. And the vast majority of these devices did not use data encryption.

What makes this so damaging to the organizations that employ these individuals is that one-third of healthcare professionals maintain patient data on their mobile devices – smartphones, laptops and removable media such as memory sticks.

Now that the data breach provisions of the HITECH Act are open to enforcement, such incidents may cost the healthcare provider up to $1.5 million. Quite a sum for a simple momentary lapse or accident.

This article, and the related study, highlight the importance for healthcare providers of evaluating the risk factors for non-malicious identity data loss. These types of risks are often overlooked, or at least given lower priority, by security professionals because of the tendency to focus on technology solutions for data security, or, in lieu of technology, to rely on policies.

While I suspect most healthcare providers have policies to inhibit professionals from storing patient data on their laptops, moving it from one location to another with a thumb drive, or viewing it on a smartphone, as a practical matter these do not appear to stand in the way of progress. And progress of this sort creates risks that organizations must acknowledge as a first step towards understanding how to manage them.

Healthcare Debate Gets into Data Breach Provisions

Posted by: Doug Pollack | October 5th, 2009


There appears to be some level of controversy stirred up in a less followed area of the healthcare debate than single payer: that associated with the privacy of health information. The Department of Health and Human Services just released its rules for healthcare organizations to follow under the data breach notification provisions of the HITECH Act.

In the rules, HHS has established a “harm threshold” that is self-assessed by the healthcare organization, and directed that in the case of a data breach incident, notification of the individuals, the public and the agency ONLY needs to occur if the organization has determined that there is significant risk of financial, reputational or other harm to those affected by the data loss.

This past week, the House Committee on Energy and Commerce voiced concern over the addition of this provision. They indicated that it was not the intent of the legislation to provide for notification in the case of a data breach incident only where harm can be proved, but rather for all data breach incidents, presumably to act as a deterrent to organizations with lax practices, as well as to ensure that individuals can practice due care even in cases where there may be little chance of real harm.

Network World reported in their article titled “House members seek stronger health care data breach notifications, ‘Harm threshold’ runs counter to Congress’ intent” that:

“In a letter dated Oct. 1, members of the House committee asked HHS Secretary Kathleen Sebelius to revise or repeal the new provision at the ‘soonest appropriate opportunity’. The letter, signed by the chairman of the committee, Rep. Henry Waxman (D-Calif.) and others, noted that the new harm threshold provision runs counter to Congress’ intent in passing the breach notification bill. The bill’s statutory language does not imply a harm standard, Waxman wrote. In fact, in drafting the bill, Congress had explicitly rejected the idea of including such a provision because of the ‘breadth of discretion’ it would have given a breached entity, the letter said.”

It is terrific to see Congress trying to do the right thing, when it comes to the privacy of protected health information (PHI). I’m hopeful that HHS will see the wisdom in revising their rules for the benefit of all of us that rely on the American healthcare system.

Healthcare breach risk assessment requirement

Posted by: Doug Pollack | September 11th, 2009


The Department of Health and Human Services issued its Interim Final Rule on August 19, 2009, outlining the obligations of healthcare organizations regarding data breach incident notification as directed by the HITECH Act passed earlier this year.

This rule clarifies the definition of a data breach as the “unauthorized acquisition, access, use or disclosure of protected health information (PHI)” where it “compromises the security of the PHI”, this occurring if there is a “significant risk of financial, reputational, or other harm to the individual whose PHI has been compromised.”

As a result of this interpretation of the HITECH Act, HHS has established a harm threshold for determining whether a data security incident is in fact a “breach”. Because of this, privacy and information security officers in healthcare should note that HHS requires a “risk assessment” to be carried out for every incident in order to determine whether it is a breach or not.

Healthcare organizations must determine the practices for carrying out such risk assessments and carefully document the process and conclusions for every incident. Something to consider is to have risk assessments carried out by third parties in order to remove any perceptual issues as to the independence of the risk assessment results.

Since all breach incidents must be reported to Health and Human Services, and become public information, it will be essential to maintain documentation on incidents that were assessed to be breaches as well as on incidents where the assessment concluded that the harm threshold was not exceeded. Unfortunately, there is substantial room for interpretation as to what constitutes risk of financial, reputational, or other harm to individuals whose PHI has been exposed.