HIPAA Breaches: Small-scale snooping is most common
Privacy and security of Electronic Health Records (EHRs) are pivotal to widespread acceptance and adoption of these technologies. The federal government as well as many other sources are encouraging the uptake of EHRs, yet concern over the security of such records remains an issue for physicians as well as consumers.
How safe are these records? Are EHRs safer than paper records? Where are the main risks to unintended disclosure of protected health information (PHI)? These are questions we hear frequently.
Federal law – the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – protects PHI from unauthorized disclosure (breaches), and requires custodians of PHI (clinicians who keep records about patients) to notify patients in the event of HIPAA breaches.
When medical records are kept in electronic format rather than on paper, access to those records can be monitored much more closely. In a paper-based environment, it is very difficult to tell whether someone who had no business doing so has looked at a patient’s chart. In an electronic environment, access logs can be kept and intrusion can be detected far more readily.
The main downside, however, is that when paper charts are mistakenly disclosed, it generally happens one chart at a time. Electronic charts, on the other hand, can (at least in theory) be breached en masse. For example, theft or loss of equipment containing unencrypted PHI is the main source of large-scale HIPAA breaches, and such events have certainly made headlines. However, most breaches are smaller in scale, and protection against these needs scrutiny as well.
Web-based vs. locally-housed EHRs
When a traditional EHR is purchased and installed locally in a hospital, medical practice, or group practice setting, the data generally sits on a server within a local protected environment. The onus is on the practice (or the hospital) to secure that local protected environment – firewalls, network security, encryption of data where possible (this is often a function of the EHR system that is used) all need to be in place, and need to be monitored and updated continually. It usually requires hiring IT staff (or consultants) to carry this out. Smaller practices, not surprisingly, may have fairly weak security barriers and less-than-ideal ongoing monitoring – such things, after all, are costly.
A web-based system – like the one we have built at Practice Fusion – is able to centralize the data in a commercial, high-end web environment, and can put into place a level of security not generally achievable (or affordable) by small local practices. This is not an easy thing to do, but with sufficient attention to security a very secure hosting environment can be achieved.
Part of Certification for Meaningful Use involves meeting a certain level of security for stored data and for the transport of that data. These security requirements are the same for locally-installed enterprise EHRs as they are for web-based EHRs. And, once in place, the ongoing monitoring, updating, and security scrutiny needed for HIPAA protection are part of what the web-based vendor can carry out – again at a level very difficult for a small practice to reach on its own.
Where are most HIPAA breaches found?
A recent survey of hospitals and clinics was published which notes that employee “snooping” into records is the main threat to HIPAA privacy. Yes, large-scale theft or loss of PHI-containing equipment (or data backup material) catches the headlines, but these smaller-scale breaches are more commonplace. Of the survey respondents – about ½ of them were large systems (more than 1,000 employees) and about ½ were hospitals and clinics with fewer than 1,000 employees – about 70% stated they had experienced a HIPAA breach of one level or another.
Among these respondents (again, heavily weighted toward large institutions), the following were found to be the top breaches in the previous 12 months:
1) Snooping into medical records of fellow employees (35%)
2) Snooping into records of friends and relatives (27%)
3) Loss/theft of physical records (25%)
4) Loss/theft of equipment holding PHI (20%)
When a breach occurred, it was generally detected in 1-3 days (30%), but took 1 week in 12% of cases, and 2-4 weeks in 17% of cases. And once the breach was detected, it often took a long time to resolve (notify those affected): 1-3 days (16%), 1 week (18%), and 2-4 weeks (25%).
What can a small practice do?
Granted, the survey results published were mainly reflective of the experience of large institutions with many employees, and therefore many opportunities for employee “snooping” into the records of fellow employees, friends or relatives. But small practices are not immune to this either.
In a paper environment, such “snooping” into charts by employees is virtually impossible to detect. In an EHR-using practice, there are access logs that can reveal such activity. The access logs generated by the systems often in place in hospitals and large environments, however, are often impossible to interpret (not human readable), which explains the often-found lag in detection of such breaches.
The access log in Practice Fusion, however, was specifically designed to be human-readable, and is visible to the practice on-demand. It is also automatic, and cannot be altered by members of the practice (no “hiding one’s trail”).
One of the requirements for Meaningful Use is to conduct a Privacy and Security audit. This is composed of 4 parts: (1) conducting a Risk Assessment, (2) reviewing Risk Management processes, (3) implementing an employee sanction policy that spells out the actions to be taken in the event of a HIPAA breach, and (4) carrying out regular monitoring of the access log to identify any irregularities.
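The fourth element, periodic review of a human-readable access log for the kind of “snooping” the survey ranks highest, can be partly automated. The following is an added example, not Practice Fusion’s own code: the log format, the user and patient identifiers, the staff-owned chart list and the care-team roster are all constructed for illustration, and the review logic simply asks whether each chart view came from someone with a treatment or scheduling relationship on file.

```python
import re
from collections import Counter

# Constructed, human-readable access log (one chart view per line); the layout
# is an assumption for this example, not an actual Practice Fusion log format.
ACCESS_LOG = """\
2011-03-01 08:02 user=dr_smith action=view_chart patient=P100
2011-03-01 08:10 user=nurse_lee action=view_chart patient=P100
2011-03-01 12:31 user=nurse_lee action=view_chart patient=P204
2011-03-01 13:05 user=frontdesk_kim action=view_chart patient=P300
2011-03-01 13:06 user=frontdesk_kim action=view_chart patient=P301
2011-03-02 09:15 user=dr_smith action=view_chart patient=P204
2011-03-02 09:16 corrupted line that the parser must skip
"""

# Assumed practice data: charts belonging to staff members, and the staff who
# have a treatment or scheduling relationship with each patient.
EMPLOYEE_CHARTS = {"P204"}
CARE_TEAM = {
    "P100": {"dr_smith", "nurse_lee"},
    "P204": {"dr_smith"},
    "P300": {"dr_smith", "frontdesk_kim"},
    "P301": {"dr_smith"},
}

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) user=(\S+) action=(\S+) patient=(\S+)$")

def parse_log(text):
    """Parse the log into dicts, skipping malformed lines instead of aborting the review."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(dict(zip(("ts", "user", "action", "patient"), m.groups())))
    return entries

def flag_irregular_access(entries, employee_charts, care_team):
    """Return (ts, user, patient, reason) for each chart view by someone off the care team."""
    flags = []
    for e in entries:
        if e["action"] != "view_chart" or e["user"] in care_team.get(e["patient"], set()):
            continue  # expected access by a treating clinician or scheduler
        reason = ("chart of a fellow employee" if e["patient"] in employee_charts
                  else "no treatment relationship on file")
        flags.append((e["ts"], e["user"], e["patient"], reason))
    return flags

def flags_per_user(flags):
    """Count flags per user so the periodic review surfaces repeat patterns."""
    return Counter(user for _, user, _, _ in flags)
```

Each flag is a prompt for the reviewer to document a follow-up, not a finding in itself; a view that turns out to be legitimate should lead to the care-team roster being corrected.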
We have made materials available (free of charge) which address all 4 elements of the Meaningful Use Privacy and Security Audit requirement. A checklist for all the questions surrounding each element in the Risk Assessment and Risk Management sections is included, as well as a sample employee sanction policy. There is also a checklist for reviewing the audit log on a periodic basis, and documenting such review.
Getting familiar with privacy and security, recognizing where the risks exist, and conducting regular review of access log activity are essential parts of responsible EHR usage. A web-based EHR, such as Practice Fusion, removes many of the technical risks from the practice (data hosting, local network security, etc.) – but monitoring in-practice activity, both to educate staff and to guard against the more common small-scale PHI breaches, still needs to be done. By using the materials furnished, clinicians can put privacy and security practices in place that assure PHI resides in a safe environment (certainly safer than on paper), and can help build public confidence in the value of EHRs.