Many clinicians who have now completed their 2011 EHR Incentive Program attestation may now, feeling a sigh of relief, believe that keeping track of privacy and security is done – that it was a one-time effort needed in order to comply with one of the core Meaningful Use requirements.
Of course, that is not true. HIPAA, which obligates clinicians (“Covered Entities,” or CEs) to safeguard their patients’ personally-identifiable health data and to disclose it to others only with permission, is an ongoing obligation that we all shoulder. If anything, Meaningful Use merely drew our attention to maintaining our Electronic Health Record data in a secure fashion. But keeping this data safe is an ongoing task.
When unsecured Protected Health Information (PHI) is lost or stolen, HIPAA obligates the clinician (the CE) to inform the affected patients of the security breach. Failure to do so carries stiff penalties. If more than 500 records are lost at a time, then the CE also has the obligation to inform the federal government (HIPAA enforcement is carried out by the Office of Civil Rights) of the incident.
How can a clinician best protect her/himself from such risk? Having a web-based EHR shifts much of the risk out of the individual’s office – if there is no PHI on any machine in the clinician practice, then the HIPAA risk is reduced greatly. The web-based EHR platform bears that responsibility, and (if done right) can ensure security of the data beyond what is likely to be achieved by any local security measures.
Most of the large-scale instances of data breach involve the theft or loss of a computer with many records on it. One of the most egregious recent breaches involved Sutter Health, where about 3.3 million records, unencrypted and resident on a single desktop workstation, were lost – this recent incident is the focus of a $1 billion class action lawsuit. Granted that the privacy and security risk-assessment and surveillance required for Meaningful Use might have mitigated this breach, it is still disconcerting that an institution of this scale would have such a vulnerability.
What about the small office? Can a small-group or solo practitioner avoid such risk, given that very-large institutions have been vulnerable? Actually, yes.
For starters, using a web-based EHR reduces risk dramatically. There are no machines on anybody’s desktop that contain this kind of PHI. The risk, however, is not zero, and there are things which everyone – small practices and large ones alike – should carry out.
Here is a list of some things that practices of every size can do, and can help reduce HIPAA breach risk:
1. Identify a person in the practice who is the “security officer” and who takes on the responsibility of conducting routine audits.
2. Identify any place where PHI might exist. In a web-based system, this is minimal. However, there are some places where PHI might exist, even in a web-based environment:
a) Any machines that have scanned image files (which contain PHI) should have those files deleted once they are uploaded, so no residual PHI is left or stored locally.
b) Any reports that are generated and downloaded (to an Excel file, or any other local format) contain PHI. Once the use of such a report is completed, the downloaded file should be deleted. If such reports need to be saved, then they should be encrypted. Numerous free file-encryption software products are available for download from the Internet.
3. Conduct periodic reviews of the Access Logs in the EHR and identify any suspicious activity. Document these reviews – you can use the form in the Privacy and Security Toolkit (appendix D), if desired.
4. Educate all new staff members about HIPAA privacy and security (something the “security officer” can do). Use a HIPAA Sanction Policy as part of employee contracts – you can use the sample policy found in the Privacy and Security Toolkit (appendix C), if desired.
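Step 3 above asks the security officer to review the EHR access logs periodically and look for suspicious activity. The following Python script is an added example (not part of the original post and not tied to any particular EHR product) of what such a review can look like in practice. The CSV log format, the user names, the patient ids and the thresholds are all constructed assumptions; a real EHR exports audit data in its own format, so the field names would have to be adapted. The rules it applies are the kind a small practice would reasonably start with: use of an account that should have been disabled, access outside business hours, exports or downloads that create local PHI copies (which step 2b says must be deleted or encrypted), and one user opening an unusually large number of distinct charts in a single day.

```python
"""Review EHR access-log entries for suspicious activity.

Added example, not from the original post. The log format below is a
constructed, hypothetical CSV export; real EHR audit logs differ, so the
field names and thresholds are assumptions to adapt to your own system.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log export: timestamp, user, action, patient id.
SAMPLE_LOG = """\
timestamp,user,action,patient_id
2011-10-03 09:12:00,dr_lee,view,P1001
2011-10-03 09:40:00,dr_lee,view,P1002
2011-10-03 10:05:00,frontdesk1,view,P1003
2011-10-03 23:15:00,frontdesk1,view,P1004
2011-10-03 13:00:00,billing2,export,P1005
2011-10-04 08:30:00,billing2,view,P1001
2011-10-04 08:31:00,billing2,view,P1002
2011-10-04 08:32:00,billing2,view,P1003
2011-10-04 08:33:00,billing2,view,P1004
2011-10-04 08:34:00,billing2,view,P1005
2011-10-04 08:35:00,billing2,view,P1006
2011-10-04 11:00:00,former_ma,view,P1007
"""

# Assumed review policy (thresholds are illustrative, not HIPAA-mandated).
BUSINESS_HOURS = (7, 19)          # 07:00 to 18:59 local time
MAX_PATIENTS_PER_USER_DAY = 5     # more distinct charts than this in a day is flagged
INACTIVE_USERS = {"former_ma"}    # accounts that should already have been disabled
EXPORT_ACTIONS = {"export", "download", "print"}


def parse_log(text):
    """Parse the CSV export into dicts, adding a parsed datetime field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows


def review_access_log(text):
    """Return a list of (rule, user, detail) findings for the security officer."""
    rows = parse_log(text)
    findings = []
    per_user_day = defaultdict(set)

    for r in rows:
        user, ts = r["user"], r["ts"]
        detail = f"{ts} {r['action']} {r['patient_id']}"
        # Rule 1: any use of a disabled or former-employee account.
        if user in INACTIVE_USERS:
            findings.append(("inactive_account", user, detail))
        # Rule 2: access outside business hours.
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours", user, detail))
        # Rule 3: exports/downloads create local PHI copies that must later be
        # deleted or encrypted, so each one is listed for follow-up.
        if r["action"] in EXPORT_ACTIONS:
            findings.append(("local_phi_copy", user, detail))
        per_user_day[(user, ts.date())].add(r["patient_id"])

    # Rule 4: unusually broad chart access by one user within one day.
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > MAX_PATIENTS_PER_USER_DAY:
            findings.append(("broad_access", user, f"{day}: {len(patients)} distinct patients"))
    return findings


def summarize(findings):
    """Count findings per rule; useful for the written record of the review."""
    counts = defaultdict(int)
    for rule, _, _ in findings:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for rule, user, detail in results:
        print(f"{rule:16} {user:12} {detail}")
    print(summarize(results))
```

Each finding is something for the security officer to look into and document, not proof of wrongdoing: a front-desk login at 23:15 may be a legitimate late shift, and a billing clerk opening six charts in a morning may simply be working through claims. The value of the review is that every such event gets a recorded explanation, which is exactly what the documentation in step 3 is for.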
HIPAA Breach Insurance
As the very-large HIPAA breach incidents have come to light, and (given the litigious environment we live in) as we see large class action lawsuits over such breaches, the question arises as to whether insurance against such risk makes sense.
There is a new type of insurance for such contingencies, not unlike medical malpractice or general liability insurance. In fact, we may well see such insurance rolled into medical malpractice policies, much as general liability insurance often is. HIPAA breach insurance, by taking on such risk, may be able to provide individual CEs (medical practices) with the kinds of assistance that help reduce such risk exposure. Hopefully, as this new field of insurance matures, the premiums will depend on the kind of risk involved – users of web-based EHRs, having a different and much lower risk, may well be candidates for lower insurance premiums than those with higher exposure (e.g. local machines that could potentially contain thousands, or even millions, of unsecured PHI records).
Embedding ongoing processes that review, assess, and mitigate the risk of HIPAA breach is a fact of modern professional life in the era of EHRs. Besides doing a review for Meaningful Use, continual monitoring is something we all need to build into our ordinary work habits. The risks and consequences of a security breach can be very significant, especially if there are local machines with large amounts of PHI on them. These risks are reduced dramatically with web-based EHRs – but the risk is still not zero. Several steps can be carried out by everyone to minimize HIPAA breach risks. A new type of liability insurance is now appearing on the market, which may be of use to clinicians, may be rolled into a package under general malpractice and liability insurance, and may well become a fact of life in the near future.