Medical Information at Risk
Content
January 17, 2012
Health Law
Health Information Technology
Information Technology
into a device as agile and portable as a tablet PC. The EHR can vastly improve the coordination of medical care by allowing doctors involved in the patient’s treatment to review each other’s notes and gather similar information from other healthcare locations. However, along with the clinical benefits exists the possibility that unauthorized people might access an individual’s EHR by “snooping,” or through just plain loss of medical data left unprotected by safekeeping or encryption. Hospitals and physicians are taking steps to mitigate the security risks associated with electronic medical information and EHRs as part of federallymandated electronic information governance programs and to protect their business and clinical reputations. The federal government has adopted the following three-step approach to health information security in recognition of the fact that, while electronic medical information can centralize patient data and reduce duplication of effort in creating and searching for information necessary to patient care, security vulnerabilities can reduce patient confidence in electronic medical information systems: • The Security Rule of the Health Information Portability and Accountability Act of 1996 (HIPAA), which comprises numerous requirements for technical, physical, and administrative safeguards for information protected under that statute (that is, data traceable to an individual about treatment or requests for treatment, known as Protected Health Information, or PHI). One of the mandates in the Security Rule is a periodic HIPAA Security Risk Analysis, a documented evaluation of these safeguards with updates and correction of any deficiencies noted. • Incentive Payments under the Health Information for Technical, Economic and Clinical Health Act (HITECH Act), are available to assist healthcare providers in their transition to an interoperable EHR, ranging from $44,000-$65,000 per eligible physician, and a base payment of $2,000,000 to a maximum of $10,000,000
Medical Information at Risk: Digital Security and the Electronic Health Record
Contributed by Fernando M. Pinguelo, Norris McLaughlin & Marcus, P.A.; Kenneth N. Rashbaum, Rashbaum Associates, LLC; and Eric Darbe, HiSoftware Inc.
Electronic medical information is increasingly central to improving the quality of patient care and controlling costs. The electronic health record (EHR) brings together medical examination observations, medication records, prescription information, laboratory results, and even x-ray and CT images,
Originally published by Bloomberg Finance L.P. Reprinted with permission. Bloomberg Law Reports® is a registered trademark and service mark of Bloomberg Finance L.P. This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney‐client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy. © 2012 Fernando M. Pinguelo, Rashbaum Associates, LLC; and HiSoftware Inc.
Health Law
2
per Eligible Hospital. The criteria for application for these payments, set out in the Meaningful Use Rule, require a recent, documented HIPAA Security Risk Analysis. • The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has markedly stepped up enforcement of HIPAA’s security provisions, including high-profile proceedings for fines against such large medical centers as UCLA Health Systems (settled for $865,000 for an alleged pattern of employee improperly viewing the electronic medical records of celebrities), Massachusetts General Hospital ($1,000,000 for leaving records on a train), and Providence Health and Services ($100,000 plus costs of remediation and reporting annually to DHHS on claims of portable devices containing unencrypted patient information left in an unlocked area). As a means of enforcing the mandates, OCR announced in November 2011 the start of an on-site audit “spot” program to assess privacy and security compliance of health care providers, health plans and “Business Associates” (entities that regularly access identifiable patient information in the course of providing such services to providers and plans as medical record quality assurance, consulting, accounting and legal representation). The audits, which will continue through 2012, will include site visits; interviews with covered entities executive leadership; examination of physical features and operations and assessment of the consistency of process to policy; and observation of compliance with regulatory requirements.
a result of the HITECH Act, pursue such HIPAA violations if the federal government does not; and OCR is currently offering HIPAA violation training to staffs of state attorneys general. While many security incidents are not of a technical nature, the remedies that may be required as a result can be complex, costly, and professionally embarrassing.
Healthcare Provider Tip: Leverage the Law to Find the Way Forward
The HIPAA Security Risk analysis – a requirement for healthcare providers to receive federal HITECH incentive payments – can provide the baseline analysis to highlight security deficiencies before a breach of patient information happens. The elements of the risk analysis include: • A data map identifying physical locations where the provider keeps information (for example, servers, “Cloud” repositories, desktop computers, Smartphones, and tablet PCs) and how the information is transmitted. • Identification of potential security breach risks. • Assessment of current security measures and implementation of updates and remediation where necessary. The HIPAA Risk Analysis touches on numerous areas of the hospital, the physician’s office, and the laboratory; and as a result, it requires the skills of people from several disciplines, including: records and information technology, legal (to interpret and advise on the hundreds of pages of security requirements), and technical consultants (to provide software and applications that can assist in security breach prevention).
Simple Security Breaches Are Multiplying
A recent survey conducted by a developer of software that uses algorithms to screen for patterns potentially indicating unauthorized access to electronic medical records noted that over 70 percent of the hospitals in its survey pool had experienced a breach of security within the past twelve months. A 2011 HHS Report to Congress, issued pursuant to the HITECH Act, was perhaps more dire – information of more than 30,000 patients was compromised in the twelve-month period of the study. Contrary to the belief of many patients, these breaches were not CSI-type hacking operations. Most of the intrusions were the result of “snooping” by medical staff and physicians. Close behind were such relatively mundane, but serious, occurrences such as loss of laptops on which patient information was not encrypted as required by HIPAA. For example, St. Francis Health Systems of Tulsa experienced the loss of information on 84,000 patients, Mid-State Medical Center in Connecticut experienced the loss of 93,500 patients’ information stored on hard drives, and Brigham and Women’s Hospital lost data on 600 patients that was stored on a portable external backup drive a physician took on vacation. These incidents and others publicized in mainstream and new media outlets can have a severely deleterious effect on patient confidence in the medical institution, and thereby lead to the loss of patient base. They also can lead to monetary penalty proceedings by OCR and large fines. State governments may, as
Common Applications
Some computer programs use algorithms to screen for possible improper disclosures of medical information in electronic communications such as email, and in enterprise content management and collaboration platforms like SharePoint. Others assist hospital staffs, thinned by budget cuts due to reductions in federal and state funding, to keep track of and protect patient information. Ideally, such systems will do more than simply identify the information that is currently at risk. Hospitals would benefit greatly from employing a system that also ensures PHI is encrypted in storage as well as transmission. Encryption can prevent people outside the organization from accessing the PHI; and in the event of a breach of appropriately encrypted health information, the HITECH requirements that compel health organizations to report certain breaches to HHS and the media will not apply. Losses of this most sensitive personal information will continue as medical information technology advances. Most of these losses, as studies and government reports have shown, occur through human error and negligence in the form of failure to abide by
Health Law
3
simple rules to protect the information and the devices on which it resides. Hospitals, doctors, and other caregivers must, in the face of increasing government scrutiny, step up their vigilance through ongoing risk analysis, or be exposed to fines and adverse publicity – which they cannot afford in the current environment. Fernando M. Pinguelo, a Partner at Norris McLaughlin & Marcus, P.A. and co-Chair of its Response to Electronic Discovery & Information Group, is a trial lawyer who devotes his practice to complex business lawsuits with an emphasis on how technology impacts them. Fernando founded and contributes to the ABA Journal award-winning blog, eLessons Learned – Where Law, Technology, & Human Error Collide (www.eLLblog.com). To learn more about Fernando, visit www.NJLocalLaw.com or email him at info@ NJLocalLaw.com. In his thirty years of experience as a litigator, trial lawyer and counselor Kenneth N. Rashbaum, Principal of Rashbaum Associates, LLC, in New York, has been the trusted advisor to healthcare providers, health plans and multinational corporations on information governance and its compliance with federal, state, and international law. He has served as partner and Co-Chair of the E-Discovery Practice Group of Sedgwick, Detert, Moran & Arnold, LLP, Pnd Director of Consulting of Fios, Inc., where he founded and supervised the Health Care and Cross-Border divisions. To learn more about Ken, visit http://rashbaumassociates.com/ attorney-bios/kenneth-n-rashbaum/ or email him at krashbaum@ rashbaumassociates.com Eric Darbeis the vice president of marketing for HiSoftware, a provider of content-aware compliance and security solutions. In his role, Eric works with HiSoftware’s customers as well as industry leaders to ensure that HiSoftware’s solutions are meeting the business challenges which HIPAA and other regulatory mandates place on industries like Healthcare. To learn more about HiSoftware, visit: http://hisoftware.com/industries/healthcare.aspx.
Health Law
Health Information Technology
Information Technology
into a device as agile and portable as a tablet PC. The EHR can vastly improve the coordination of medical care by allowing doctors involved in the patient’s treatment to review each other’s notes and gather similar information from other healthcare locations. However, along with the clinical benefits exists the possibility that unauthorized people might access an individual’s EHR by “snooping,” or through just plain loss of medical data left unprotected by safekeeping or encryption. Hospitals and physicians are taking steps to mitigate the security risks associated with electronic medical information and EHRs as part of federallymandated electronic information governance programs and to protect their business and clinical reputations. The federal government has adopted the following three-step approach to health information security in recognition of the fact that, while electronic medical information can centralize patient data and reduce duplication of effort in creating and searching for information necessary to patient care, security vulnerabilities can reduce patient confidence in electronic medical information systems: • The Security Rule of the Health Information Portability and Accountability Act of 1996 (HIPAA), which comprises numerous requirements for technical, physical, and administrative safeguards for information protected under that statute (that is, data traceable to an individual about treatment or requests for treatment, known as Protected Health Information, or PHI). One of the mandates in the Security Rule is a periodic HIPAA Security Risk Analysis, a documented evaluation of these safeguards with updates and correction of any deficiencies noted. • Incentive Payments under the Health Information for Technical, Economic and Clinical Health Act (HITECH Act), are available to assist healthcare providers in their transition to an interoperable EHR, ranging from $44,000-$65,000 per eligible physician, and a base payment of $2,000,000 to a maximum of $10,000,000
Medical Information at Risk: Digital Security and the Electronic Health Record
Contributed by Fernando M. Pinguelo, Norris McLaughlin & Marcus, P.A.; Kenneth N. Rashbaum, Rashbaum Associates, LLC; and Eric Darbe, HiSoftware Inc.
Electronic medical information is increasingly central to improving the quality of patient care and controlling costs. The electronic health record (EHR) brings together medical examination observations, medication records, prescription information, laboratory results, and even x-ray and CT images,
Originally published by Bloomberg Finance L.P. Reprinted with permission. Bloomberg Law Reports® is a registered trademark and service mark of Bloomberg Finance L.P. This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney‐client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy. © 2012 Fernando M. Pinguelo, Rashbaum Associates, LLC; and HiSoftware Inc.
Health Law
2
per Eligible Hospital. The criteria for application for these payments, set out in the Meaningful Use Rule, require a recent, documented HIPAA Security Risk Analysis. • The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has markedly stepped up enforcement of HIPAA’s security provisions, including high-profile proceedings for fines against such large medical centers as UCLA Health Systems (settled for $865,000 for an alleged pattern of employee improperly viewing the electronic medical records of celebrities), Massachusetts General Hospital ($1,000,000 for leaving records on a train), and Providence Health and Services ($100,000 plus costs of remediation and reporting annually to DHHS on claims of portable devices containing unencrypted patient information left in an unlocked area). As a means of enforcing the mandates, OCR announced in November 2011 the start of an on-site audit “spot” program to assess privacy and security compliance of health care providers, health plans and “Business Associates” (entities that regularly access identifiable patient information in the course of providing such services to providers and plans as medical record quality assurance, consulting, accounting and legal representation). The audits, which will continue through 2012, will include site visits; interviews with covered entities executive leadership; examination of physical features and operations and assessment of the consistency of process to policy; and observation of compliance with regulatory requirements.
a result of the HITECH Act, pursue such HIPAA violations if the federal government does not; and OCR is currently offering HIPAA violation training to staffs of state attorneys general. While many security incidents are not of a technical nature, the remedies that may be required as a result can be complex, costly, and professionally embarrassing.
Healthcare Provider Tip: Leverage the Law to Find the Way Forward
The HIPAA Security Risk analysis – a requirement for healthcare providers to receive federal HITECH incentive payments – can provide the baseline analysis to highlight security deficiencies before a breach of patient information happens. The elements of the risk analysis include: • A data map identifying physical locations where the provider keeps information (for example, servers, “Cloud” repositories, desktop computers, Smartphones, and tablet PCs) and how the information is transmitted. • Identification of potential security breach risks. • Assessment of current security measures and implementation of updates and remediation where necessary. The HIPAA Risk Analysis touches on numerous areas of the hospital, the physician’s office, and the laboratory; and as a result, it requires the skills of people from several disciplines, including: records and information technology, legal (to interpret and advise on the hundreds of pages of security requirements), and technical consultants (to provide software and applications that can assist in security breach prevention).
Simple Security Breaches Are Multiplying
A recent survey conducted by a developer of software that uses algorithms to screen for patterns potentially indicating unauthorized access to electronic medical records noted that over 70 percent of the hospitals in its survey pool had experienced a breach of security within the past twelve months. A 2011 HHS Report to Congress, issued pursuant to the HITECH Act, was perhaps more dire – information of more than 30,000 patients was compromised in the twelve-month period of the study. Contrary to the belief of many patients, these breaches were not CSI-type hacking operations. Most of the intrusions were the result of “snooping” by medical staff and physicians. Close behind were such relatively mundane, but serious, occurrences such as loss of laptops on which patient information was not encrypted as required by HIPAA. For example, St. Francis Health Systems of Tulsa experienced the loss of information on 84,000 patients, Mid-State Medical Center in Connecticut experienced the loss of 93,500 patients’ information stored on hard drives, and Brigham and Women’s Hospital lost data on 600 patients that was stored on a portable external backup drive a physician took on vacation. These incidents and others publicized in mainstream and new media outlets can have a severely deleterious effect on patient confidence in the medical institution, and thereby lead to the loss of patient base. They also can lead to monetary penalty proceedings by OCR and large fines. State governments may, as
Common Applications
Some computer programs use algorithms to screen for possible improper disclosures of medical information in electronic communications such as email, and in enterprise content management and collaboration platforms like SharePoint. Others assist hospital staffs, thinned by budget cuts due to reductions in federal and state funding, to keep track of and protect patient information. Ideally, such systems will do more than simply identify the information that is currently at risk. Hospitals would benefit greatly from employing a system that also ensures PHI is encrypted in storage as well as transmission. Encryption can prevent people outside the organization from accessing the PHI; and in the event of a breach of appropriately encrypted health information, the HITECH requirements that compel health organizations to report certain breaches to HHS and the media will not apply. Losses of this most sensitive personal information will continue as medical information technology advances. Most of these losses, as studies and government reports have shown, occur through human error and negligence in the form of failure to abide by
Health Law
3
simple rules to protect the information and the devices on which it resides. Hospitals, doctors, and other caregivers must, in the face of increasing government scrutiny, step up their vigilance through ongoing risk analysis, or be exposed to fines and adverse publicity – which they cannot afford in the current environment. Fernando M. Pinguelo, a Partner at Norris McLaughlin & Marcus, P.A. and co-Chair of its Response to Electronic Discovery & Information Group, is a trial lawyer who devotes his practice to complex business lawsuits with an emphasis on how technology impacts them. Fernando founded and contributes to the ABA Journal award-winning blog, eLessons Learned – Where Law, Technology, & Human Error Collide (www.eLLblog.com). To learn more about Fernando, visit www.NJLocalLaw.com or email him at info@ NJLocalLaw.com. In his thirty years of experience as a litigator, trial lawyer and counselor Kenneth N. Rashbaum, Principal of Rashbaum Associates, LLC, in New York, has been the trusted advisor to healthcare providers, health plans and multinational corporations on information governance and its compliance with federal, state, and international law. He has served as partner and Co-Chair of the E-Discovery Practice Group of Sedgwick, Detert, Moran & Arnold, LLP, Pnd Director of Consulting of Fios, Inc., where he founded and supervised the Health Care and Cross-Border divisions. To learn more about Ken, visit http://rashbaumassociates.com/ attorney-bios/kenneth-n-rashbaum/ or email him at krashbaum@ rashbaumassociates.com Eric Darbeis the vice president of marketing for HiSoftware, a provider of content-aware compliance and security solutions. In his role, Eric works with HiSoftware’s customers as well as industry leaders to ensure that HiSoftware’s solutions are meeting the business challenges which HIPAA and other regulatory mandates place on industries like Healthcare. To learn more about HiSoftware, visit: http://hisoftware.com/industries/healthcare.aspx.
