Health information privacy and security is a central focus of HIPAA, and is one of the non-negotiable pieces of Meaningful Use and Certification for Electronic Health Records (EHRs). Breaches of Protected Health Information (PHI) – the theft of, or unauthorized access to, such data – need to be disclosed to those affected, per the HIPAA Privacy Rules.
Today, the Office of Civil Rights, which is a part of the Department of Health and Human Services (HHS), dropped the hammer and did what they said they would do all along – publish the names of covered entities and business associates who are involved in data breaches.
Part of the American Recovery and Reinvestment Act (ARRA) of 2009, the HITECH section (specifically section 13402) requires a covered entity (i.e. a physician, clinic, hospital, dentist, insurance company) or a business associate (such as an EHR vendor, billing agency, IT consultant, etc.) to notify HHS and the mass media of breaches of unprotected PHI involving more than 500 records.
PHI that is encrypted is considered protected and, therefore, provides a safe harbor against breach notification.
The new listing of breaches not only includes providers, it also lists business associates – generally, IT service providers to covered entities – and these providers are not only listed, but are named.
Is there any pattern to the kinds of data breaches in this list? Almost all of them involve the theft of a computer, backup media, server, hard drive or other device that held unencrypted PHI. Some of the breaches involve paper charts, postcards and mailings, or emails.
Hospitals, private practices, universities and health plans are all included in the list. Size of organization is no protection against such missteps. What can a practitioner do to minimize this risk?
Every practice, hospital, or other covered entity should have a specific plan for protecting PHI. Data encryption needs to be implemented for any “data at rest” wherever practical. Databases and other file systems that contain PHI need to be identified. In particular, data backup devices – tape, CDs, and the like – need to be encrypted, to guard against data breaches in the event of theft.
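As an added illustration of the “encrypt data at rest before it reaches backup media” advice above (this is example code written for this page, not a Practice Fusion tool), the following shell functions encrypt a backup file with the openssl command-line tool, check that a file is in fact ciphertext before it is copied to a tape, CD or drive, and verify that the ciphertext decrypts back to the original. It assumes the `openssl` CLI (1.1.1 or later, for `-pbkdf2`) is installed; the passphrase file and the PHI record are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a backup file before it
# goes to removable media, so a stolen device holds only ciphertext.
# Assumes the openssl CLI is available; passphrase handling is illustrative.
set -eu

# encrypt_backup <plaintext file> <output file> <passphrase file>
# AES-256-CBC with a PBKDF2-derived key and a random salt (openssl enc).
encrypt_backup() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass file:"$3"
}

# decrypt_backup <ciphertext file> <output file> <passphrase file>
decrypt_backup() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass file:"$3"
}

# backup_is_encrypted <file>: returns 0 if the file begins with the
# "Salted__" header that openssl enc writes, i.e. it came from
# encrypt_backup; returns 1 otherwise. Intended as a pre-flight check
# before any file is copied onto a backup device.
backup_is_encrypted() {
    [ "$(head -c 8 "$1" 2>/dev/null)" = "Salted__" ]
}

# Demonstration on a constructed (fake) record; runs stand-alone.
demo() {
    tmp=$(mktemp -d)
    # constructed sample PHI line, not real data
    printf 'patient_id=0001,name=Example Patient,dx=ZZZ\n' > "$tmp/phi.csv"
    # constructed passphrase; in practice keep this out of the backup set
    printf 'replace-with-a-strong-passphrase\n' > "$tmp/pass"
    chmod 600 "$tmp/pass"
    encrypt_backup "$tmp/phi.csv" "$tmp/phi.csv.enc" "$tmp/pass"
    backup_is_encrypted "$tmp/phi.csv.enc"
    decrypt_backup "$tmp/phi.csv.enc" "$tmp/phi.out" "$tmp/pass"
    cmp -s "$tmp/phi.csv" "$tmp/phi.out"
    rm -rf "$tmp"
}

demo
```

Two caveats a practitioner should keep in mind: `openssl enc` provides confidentiality only, so a tampered backup decrypts to garbage without any error, and an integrity check (a separate MAC, or a tool that uses authenticated encryption) belongs alongside it; and the passphrase file must never travel with the backup media, since the safe harbor depends on the thief not having the key.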
Practice Fusion, being a web-based EHR, has paid particular attention to data privacy and security. While being a web-based service removes many of the vulnerabilities that come with locally held data – backup devices, laptops with local PHI, and local server hardware are not needed, and therefore are not exposed to theft – there are different challenges in the cloud. Practice Fusion has undertaken an extensive security audit in order to identify vulnerabilities internally and externally, and has devoted extensive resources to implementing its security plan.
Besides ensuring that the databases are secure and compliant with safe harbor provisions of the HIPAA Privacy Rule, and ensuring that 3-key logon results in highly encrypted transmission of data, Practice Fusion offers a level of security that would be difficult to achieve with a locally-installed system in a small practice setting.
The main areas of vulnerability worth pointing out, however, are these: (1) Make sure that no unsecured email containing PHI is exchanged with patients. Though not yet built and deployed, secure messaging using the Patient Fusion PHR is a way of communicating with patients that avoids PHI data breaches. (2) Make sure that any files intended for upload to Practice Fusion – scanned documents, Word files, etc. – are deleted from the local computer once they have been uploaded. That way no PHI remains on the machine used for the upload.
PHI breaches and HIPAA security are significant issues, and HHS has demonstrated that it intends to add teeth to its enforcement of them. Providers can protect themselves, but doing so means addressing privacy and security, having a specific plan, and implementing it. Practice Fusion can help, and can work with you if you have questions.
Robert Rowley, MD
Chief Medical Officer, Practice Fusion, Inc.