A recent article in American Medical News notes that the greatest risks to healthcare providers in the area of maintaining patient privacy isn’t offshore hackers or rogue employees, but rather simple accidents.

Over six months in 2009, 12,500 mobile devices were left in taxis. And 4,500 USB “thumb” drives were left in pants pockets that were then set to the cleaners. And the vast majority of these devices did not use data encryption.

What makes this so damaging to the organizations that employ these individuals, is that one-third of healthcare professionals maintain patient data on their mobile devices – smartphones, laptops and removable media such as memory sticks.

Now that the data breach provisions of the HITECH Act our open to enforcement, such incidents may cost the healthcare provider up to $1.5 million. Quite a sum for a simple momentary lapse or accident.

This article, and the related study, highlights the importance for healthcare providers to evaluate the risk factors for non-malicious identity data loss. These types of risks are often overlooked, or at least prioritized at a lower level, by security professionals because of the tendency to focus on technology solutions for data security. Or in lieu of technology, to rely on policies.

While I suspect most healthcare providers have policies to inhibit professionals to storing patient data on their laptops, moving it from one location to another with a thumb drive, or viewing it on a smartphone, as a practical matter, these do not appear to stand in the way of progress. And progress of this sort creates risks that organizations must acknowledge as a first step towards understanding how to manage them.

This week, the Connecticut Attorney General, Richard Blumenthal, sued Health Net of Connecticut for a data breach and their subsequent handling of the incident. As he notes, this lawsuit is historic, in that it is the very first enforcement action under HIPAA since the law was extended and enhanced with the HITECH (Healthcare Information Technology for Economic and Clinical Health) Act.

“Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers. These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers. Failing to protect patient privacy blatantly violates federal law and Health Net’s public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties.”

It is likely this while this is a first, that it is the beginning of a new era for healthcare organizations and the expectation that they will take the privacy obligations of their patients seriously.  While unfortunate, this situation illustrates that some healthcare organizations require stronger motivation to both protect patient information as well as to follow good sense and legal requirements to promptly notify individuals if there has been a breach of their information that may put them at risk.

One of the panels at the Consumer Electronics Show Digital Health Summit is asking a really interesting question: Who will you trust with your health data? As described in an article in Healthcare IT News on healthcare data privacy and security, there have been numerous data breach incidents over recent years who sensitive patient information has been inappropriately disclosed.

“In 2009, PrivacyRights.org reports that there were 46 breaches of PHI representing nearly 80M records.  Note that 76M of those records were from the VA that inadvertently sent one of its RAID drives out for repair without cleansing it of those 76M records of veterans.  If you can’t trust the government to keep your PHI safe, who can you trust?”

Now I must admit, I would never have suggested that it is reasonable to assume that the government is good at maintaining privacy of personal information that they collect on American citizens. But it is reasonable to assume that as more protected health information (PHI) is collected, stored, shared and manipulated in computer systems at healthcare providers and payors, that the risk of exposure, and the subsequent number of data breach incidents, will rise.

So it really does make for an interesting thought, do I trust my doctor and hospital with my health data? Do I trust my health insurer with my health data? How about my pharmacy? Like it or not, I don’t have much choice but to provide them with or allow them to access my PHI.

But I do have a choice as to whether I should entrust Microsoft or Google with this sensitive information. Both companies have built systems “in the cloud” that allow consumers to centralize their personal health history. Microsoft HealthVault is designed to let us “collect, store, and share health information critical to our family’s well-being” and Google Health allows us to “organize our health information all in one place, gather our medical records from doctors, hospitals, and pharmacies, and share our information securely with a family member, doctors or caregiver.”

Microsoft has made HealthVault quite “open”,enabling organizations such as providers, payors, pharmacies and others to create applications for individuals to import information that they hold on us into our HealthVault account. I setup a HealthVault account, to see how this worked. Unfortunately, neither my national pharmacy chain nor my health insurer were on the list of those who make such information “exportable” to HealthVault.

Assuming that my trusted providers, insurer and pharmacy do provide such export capabilities in the future, it still leaves me with a nagging concern: do I really trust Microsoft to hold my entire medical life history? While I’d love to have all of this information in one place, and to be able to make it available to healthcare providers that I may wantto see in the future, the thought of entrusting this to anyone is daunting, not the least of which a company who’s software is a constant target for viruses, worms and malware of all kinds.

So for now, I probably won’t start trusting my medical history to either Microsoft or Google.  My health data will be remain somewhat safe with doctors, an insurer and a pharmacy, and numerous business associates of their that I don’t even know by name, that I hope I can trust. But given the number and scope of data breaches the last year or so in healthcare, I’m not really feeling very confident about my healthcare data privacy at this moment.

In a recent post, I was wondering about why there have yet to be any healthcare data breaches posted on the Health and Human Services(HHS) Office of Civil Rights (OCR) website. Because there have been a number of substantial incidents reported in the press since the notification requirement under the HITECH Act went into effect, it was unclear as to whether the covered entities were remiss in reporting or whether the hold up was at OCR.

Based on some encouragement, I was given the name of the responsible person at OCR and emailed to ask about this seeming discrepancy. She was nice enough to provide the following reply from Hannah Stahle, JD, Health Information Privacy Specialist:

“In response to your question regarding the posting of breaches on the OCR website, we have been receiving reports from covered entities of breaches affecting 500 or more individuals since the effective date of the regulation.  We are now in the process of working to establish our web page for posting information regarding such breaches.  Because the breach notification regulation imposed a new reporting requirement on covered entities, which has been in effect for less than three months, we are taking extra care to ensure that all breach notifications we receive are accurate before we post any information on our website.”

It is wonderful to know that covered entities are in fact reporting breach incidents as required, and that HHS is working to ensure that their reporting site is accurate given the sensitive nature of the incidents being reported.

I had also asked about whether there were likely to be changes to the “harm threshold” guidance between now and the issuance of the Final Rule. She again commented that:

“With respect to your question concerning the harm threshold, we are in the process of analyzing the comments we received in response to the interim final regulation and will be developing a final breach regulation in the near future.  The harm threshold generated many comments on both sides of the issue, and we will consider all comments as we begin to develop the policy for the final rule.”

I do believe that there are two issues at play here. One, that it is difficult to expect that a covered entity can make a completely impartial determination as to the level of harm that is represented by a data breach incident, if in fact they have a lot to lose by acknowledging that such an incident did in fact create a threat of harm to those affected individuals. The second, though, is that it would be desirable for the Rules  to be as unambiguous as possible, so that oragnizations do not need to be involved in making “judgment calls” on level of harm caused by incidents.

HIMSS Analytics this past week released a study titled “Evaluating HITECH’s Impact on Healthcare Privacy and Security” that looks at healthcare providers and their business associates, relative to their awareness of the HITECH Act’s data breach provisions, as well as their experience with data breach incidents and concerns about preparedness and compliance with HITECH Act provisions.

This study, co-sponsored by ID Experts, the leader in identity breach protection, exposes some significant concerns.  It concludes that healthcare business associates, those organizations that provide services such as billing, credit bureaus, benefits management, legal services, claims processing, insurance brokers, data processing firms, pharmacy chains, accounting firms, temporary office personnel, and offshore transcription, are “unprepared for data breach”.

Further it notes that  “68 Percent of Provider Respondents Indicated that the HITECH Act’s Expanded Breach Notification Requirements will Result in More Discovery and Reporting of Incidents”.

This implies that healthcare organization are experiencing data breach incidents that in the past have either gone unrecognized or unreported. And that the new law is likely to “expose” more incidents because of the compliance requirements and the potentially large penalties for non-compliance.It also notes that a lack of preparedness and concern on the part of healthcare providers’ business associates creates a very significant risk to the privacy of their patients.

September 23, 2009 marked a major milestone for patient rights.  That is when the new Health Information Technology for Economic and Clinical Health (HITECH) Act took effect, requiring healthcare organizations to take more responsibility for protecting patient records and health information.

The HITECH Act seeks to streamline healthcare and reduce costs through the use of health information technology, including the adoption of electronic health records.  To ensure technology and security go hand-in-hand, the HITECH Act also includes strict new rules for notification in the case of a data breach incident where protected health information (PHI) is improperly exposed.

Healthcare organizations and their business partners are now required to notify individuals affected by a data breach and the federal government, who will post the information publicly.  The HITECH Act also stiffens penalties for non-compliance—up to $1.5 million.

It is too soon to see the full impact of the HITECH Act.  Certainly, government agencies are fine-tuning—and debating—the details.  But whatever happens in Washington, healthcare organizations would be smart to ask:

-          Will the federal and state governments impose even stricter privacy initiatives over the next six months as a result?

-          Will the move toward electronic health records increase healthcare breaches?

-          Regulatory penalties aside, what are the consequences of a data breach, such as loss of credibility for my organization, and medical and financial risks to people whose data was lost?

Tighter Privacy Laws. More Data Breaches.

These new regulations come at a time when healthcare breaches are on the rise; according to the 2009 ITRC Breach Stats Report healthcare breaches account for over 66 percent of all records breached this year (up from 20 percent in 2008).  In fact, some of the largest names in healthcare suffered data breaches.  In one incident, an employee at a high-profile medical center allegedly stole the personal information of 1,000 patients with the intent to defraud insurance companies.  Another case involved the theft of a laptop that may have contained PHI such as medical record numbers, names, and Social Security numbers.  And at a New York City hospital, an admissions employee was suspected of selling 2,000 patients’ data as part of an identity theft scheme and illegally accessing nearly 50,000 records.

Data Breaches Don’t Have to Spell Disaster.

With these new regulations in place, healthcare organizations are scrambling to understand the requirements and how to adapt and comply.  Unfortunately, we have learned firsthand through managing hundreds of data breaches that few organizations actually have breach response plans in place, despite the laws.

For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to data breach preparedness, as one customer did:

Thieves broke into a prominent healthcare facility and took, among other items, a desktop computer containing patients’ personal information.  Approximately 4,000 medical records were at risk.

The breach team at ID Experts provided a risk assessment for the hospital, communication with the affected population, and protection and recovery services for those affected.  In the end, ID Experts handled more than 1,500 calls; only a handful of callers required assistance directly from the hospital.  We delivered notifications to more than 5,000 people and provided membership in our protection and recovery services program to more than 1,200 people.

An excellent tool for establishing procedures in advance of a data breach is the incident response plan.  ID Experts offers services that provide guidelines for establishing an incident response team and outlines responsibilities and actions.  The plan contains instructions, worksheets and materials that can be used to streamline the response process.

The new HITECH Act requirements will likely affect every aspect of your operations: business and healthcare processes; IT data security, retention, and monitoring; contracts and business relationships.  With increasing risks, having a response plan in place will benefit your patients, your employees and your business.

There appears to be some level of controversy that has been stirred up in a less followed area of the healthcare debate than single payer, that associated with the privacy of health information. The Department of Health and Human Services just released its rules for healthcare organizations to follow the data breach notification provisions of the HITECH Act.

In the rules, they have established a “harm threshold” which is self-assessed by the healthcare organization, and directed that in the case of a data breach incident, that notification of the individuals, the public and their agency ONLY needs to occur if they have determined that their is significant risk of  financial, reputational or other harm to those affected by the data loss.

This past week, the House Committee on Energy and Commerce voiced concern over the addition of this provision. They indicated that it was not the intent of the legislation to provide for notification in the case of a data breach incident only in cases where harm can be proved, but rather for all data breach incidents. Presumably to act as a deterrent to organizations with lax practices, as well as to ensure that individuals can practice due care, even in cases where there may be little chance of real harm.

Network World reported in their article titled “House members seek stronger health care data breach notifications, ‘Harm threshold’ runs counter to Congress’ intent” that:

“In a letter dated Oct. 1, members of the House committee asked HHS Secretary Kathleen Sebelius to revise or repeal the new provision at the ’soonest appropriate opportunity’. The letter, signed by the chairman of the committee, Rep. Henry Waxman (D-Calif.) and others, noted that the new harm threshold provision runs counter to Congress’ intent in passing the breach notification bill. The bill’s statutory language does not imply a harm standard, Waxman wrote. In fact, in drafting the bill, Congress had explicitly rejected the idea of including such a provision because of the ‘breadth of discretion’ it would have given a breached entity, the letter said.”

It is terrific to see Congress trying to do the right thing, when it comes to the privacy of protected health information (PHI). I’m hopeful that HHS will see the wisdom in revising their rules for the benefit of all of us that rely on the American healthcare system.

In recent months, with the continued growth in highly public data breach incidents, we began looking at how organizations assess their level of exposure to data breach risk. I suspect if you ask the CEO of most public companies or public sector organizations about their level of risk, that they would tell you that they are “highly secure” and maintain excellent practices to prevent the misappropriation of personal information of their customers, patients, employees, students and other affiliates.

For many firms, they have to meet security and compliance requirements that are necessities in their industry, such as PCI for those that handle credit card information and HIPAA for healthcare organizations. Historically I think that they felt such rigorous compliance requirements could ensure their safety from the risks of data breach.

However, the recent past demonstrates that no organization is really immune to a potential data breach incident. The very visible Heartland Payment Systems breach affected many millions of Americans who’s credit cards were processed by Heartland, an organization that had to adhere to very strict security standards set for the financial industry and their payment processors.  This seeming inconsistency between a perception of being immune from data breach risks with the rapid growth in data breach incidents, led us to think about whether organizations can “quantify” their level of data breach risk.

We were somewhat surprised that there isn’t much available to organizations to help them in measuring and scoring their level of data breach risk. Given this situation, we began to look at how we could model and quantify risks specific to the breach of personally identifiable information (PII) and personal health information (PHI), since it is the unauthorized release of this information that is regulated by state and now federal laws.

To this end, we created what we call the Breach Healthcheck(tm),  tool that uses a proprietary model to assists organizations in quantifying two dimensions of measurement into a Breach Protection Index(tm) — measuring both an organizations level of data breach exposure as well as their level of data breach protection.  Breach Healthcheck then maps this index onto a two dimensional risk map that allows organizations to get a visual indicator as to their level of data breach risk.

Our sense is that organizations that are trusted to hold PII and PHI will find it useful to be able to measure their level of data breach risk, and to understand the primary areas where their practices may lead to unanticipated levels of risk. To get complimentary access to the Breach Healthcheck tool, qualified organizations can contact ID Experts at www.idexpertscorp.com or 866-726-4271.

Starting September 23, 2009, healthcare organizations covered by HIPAA and the HITECH Act will be required, in the case of data breach incidents where personal health information (PHI) is improperly exposed, to notify both the individuals affected by the breach as well as the federal government, who will post this information publicly.

The data breach notification provision was an important element of the HITECH Act which is the first federal legislation, in this case targeted at healthcare organiations, that specifies what constitutes as data breach and what notification is required for such incidents. In this case, “breach” is defined as the “unauthorized acquisition, access, use or disclosure of protected health information (PHI).”

An interesting controversy has recently surfaced in the way the Office of Health and Human Services has “interpreted” the HITECH Act breach notification provisions. The Interim Final Rule issued by HHS on August 24, 2009 has specified that a data breach incident of PHI only requires notification if the breach represents a “signficant risk of financial, reputational or other harm to the individual whose PHI has been compromised.”

In the making of this Rule, many in the industry believe that HHS has transcended congressional intent, by adding a “harm threshold” that is to be self-assessed by the organization that has caused the data breach incident.

A recent article in Computerworld titled “HHS guts health-care breach notification law, groups warn” illustrates this disconnect. It quotes Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights as saying:

“This harm requirement actually violates Congress’ intent in the stimulus bill. This is essentially an industry rewrite of the law. Given the way the law is worded, health-care organizations will have little incentive to own up to a breach involving protected health care data. This is totally for the protection of the industry. It eliminates the consumer protection that Congress intended to be built into it.” She added that her organization will be part of a “giant response” to the proposed change by national consumer protection and privacy organizations.

While the over-notification of individuals for totally benign incidents is not a positive thing, because of the level of concern and anguish that can accompany such situations, what HHS has done in terms of setting a harm threshold allowing self-assessed determination as to whether a data breach incident shoudl be reported seems to give healthcare providers more of a  “get out of jail free card” when incidents occur than what was intended by those who wrote the law.

Independent of how this controvery resolves itself, there is no question that healthcare organizations, starting on September 23rd, must carry out a “risk assessment” whenever an incident occurs that could possibly breach the security and privacy of PHI that they hold. It would be advisable that such organizations have clear policies and processes for such events, and document the analysis and conclusions clearly.

The Department of Health and Human Services issued its Interim Final Rule on August 19, 2009 outlining the obligations of healthcare organizations regarding data breach incident notification as directed by the HITECH Act passed earlier this year.

This rule clarifies the defintion of data breach as the “unauthorized acquisition, access, use or disclosure of  protected health information (PHI)” where it “compromises the security of the PHI” this occuring if there is a “significant risk of financial, reputational, or other harm to the individual whose PHI has been compromised.

As a result of this interpretation of the HITECH Act, HHS has established a harm threshold for determining whether a data security incident is in fact a “breach”. Because of this, something that needs to be noted by privacy and information security officers in healthcare, is that HHS requires that a “risk assessment” be carried out for every incident in order to determine whether it is a breach or not.

Healthcare organizations must determine the practices for carrying out such risk assessments and carefully document the process and conclusions for every incident. Something to consider is to have risk assessments carried out by third parties in order to remove any perceptual issues as to the independence of the risk assessment results.

Since all breach incidents must be reported to Health and Human Services, and become public information, it will be essential to maintain documentation on incidents that were assessed to be breaches as well as incidents where the assessment concluded that it did not exceed the harm threshold. Unfortunately, their is substantial room for interpretation as to what constitutes risk of financial, reputational, or other harm to individuals whose PHI has been exposed.