New Study Says Hospital Data Breaches Are Frequent and Expensive

How secure is patient data at hospitals?  Not as secure as it should be, says a new study released yesterday by the Ponemon Institute, an independent research organization dedicated to privacy, data protection and information security policy.  Despite HITECH's mandates and the move toward EMR, the study found that "data breaches remain a frequent occurrence at healthcare organizations - threatening patient privacy and leaving healthcare organizations with a heavy financial burden."

Not only is data not as secure as it should be, but data breaches are costing hospitals an estimated $1 million per year.  With 5,815 registered hospitals in the United States, data breach incidents are costing the health care industry almost $6 billion per year.

Among the study's more interesting findings are the following:

  • Only 29% of hospitals surveyed responded that they have sufficient resources to prevent or quickly detect patient data loss or theft.
  • Employees are the best line of defense in detecting data breaches, underscoring the importance and value of training data handlers.
  • Of the hospitals that have implemented EMR, 74% believe EMRs have made their data more secure.

Notably, the study was sponsored by ID Experts, a self-described "leading provider of comprehensive data breach solutions."  The results, however, are hardly surprising considering that as of September 20, 2010, almost 5 million patients have had their PHI exposed through the largest 166 data breaches.

Investment in secure data storage coupled with vigilant training should be on every health care provider's agenda for 2011.

HHS Withdraws HIPAA Breach Notification Final Rule

The HHS final rule on breach notification was submitted to the OMB on May 14, 2010, which is typically the final step before the final rule is published. HHS, however, “withdrew” the final rule from the OMB to “allow for further consideration, given the Department’s experience to date in administering the regulations,” as it stated in a notice posted on the HHS website. HHS failed to explain the reason for withdrawing the final rule for further consideration except to note that the breach notification issue is “complex.”

The breach notification interim final rule, issued pursuant to the HITECH Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009. According to HHS, during the 60-day public comment period on the interim final rule, HHS received approximately 120 comments.

Many in the industry have speculated that this withdrawal may be related to the controversial “harm” threshold set forth in the rule. Under the harm threshold, a provider only needs to notify patients about a data breach if the provider determines that the breach presents a significant risk of harm to the patients. Critics of the harm threshold contend that all breaches should be disclosed and providers should not have the discretion to make such a risk assessment.

A final rule is expected in the coming months. This withdrawal does not have an impact on the interim final rule.

New OCR Rule Strengthens HIPAA Requirements

Yesterday the Office for Civil Rights (“OCR”) released a Proposed Rule modifying the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requirements. OCR issued this Proposed Rule pursuant to the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The Proposed Rule will not be published in the Federal Register until July 14, 2010, and there will be 60 days from that date to comment.

More specifically, this Proposed Rule modifies and strengthens the HIPAA Privacy Rule, Security Rule, and Enforcement Rule as well as the penalties and investigation provisions. The most notable changes include the following:

  • The requirements of the Privacy Rule and Security Rule will apply to business associates in the same manner they currently apply to covered entities.
  • Subcontractors of business associates will be considered business associates, and the business associate must obtain “satisfactory assurances” through a contract or other arrangement that the subcontractor will comply with the applicable privacy and security requirements.
  • There will be new limitations on the use and disclosure of protected health information (“PHI”) in marketing and fundraising, including a requirement that individuals be given opportunities to opt out of receiving marketing or fundraising materials without any impact on their future treatment.
  • Covered entities and business associates will be prohibited from selling an individual’s PHI without that individual’s authorization, and covered entities will not be allowed to coerce patients into authorization by conditioning treatment, payment, enrollment, or eligibility for benefits on authorization.
  • The Proposed Rule expands patients’ rights by allowing patients to request that a covered entity restrict uses or disclosures of their PHI, and by giving patients greater access to copies of their electronic health records.
  • Covered entities’ Notice of Privacy Practices given to patients must include additional information, such as the authorization requirements described above.
  • Penalties for violations of HIPAA privacy and security requirements will be increased to $1.5 million per calendar year for violations of the same requirement or prohibition.
  • The Proposed Rule defines the terms “reasonable cause,” “reasonable diligence,” and “willful neglect,” which provide the basis for the various categories of liability under the Enforcement Rule.
  • Covered entities will have certain identified responsibilities during complaint investigations and compliance reviews.

OCR Still Working On HITECH Rulemaking, Delays Enforcement of Certain Provisions

On March 18, 2010, the Office of Civil Rights (OCR) published an update on its rulemaking and enforcement efforts under the HITECH Act. OCR made clear that the increased civil monetary penalties for HIPAA violations and enforcement of the breach notification rule have been effective since February 17, 2010 and February 22, 2010, respectively.

However, OCR stated that it continues to work on a Notice of Proposed Rulemaking (NPRM) regarding the following HITECH provisions: business associate liability; new limitations on the sale of protected health information, marketing and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.

OCR noted that although the effective date for many of these provisions has passed (February 17, 2010), the NPRM and subsequent final rule will provide specific information regarding the expected date of compliance and enforcement for the new requirements.

Of particular interest in this rulemaking will be whether the OCR will require parties to affirmatively amend their business associate agreements to reflect the new privacy and security requirements with which business associates must directly comply, or whether the new provisions are already incorporated into the agreements by operation of law.

DGS will continue to monitor OCR’s HITECH rulemaking progress and will post updates as they are available.

First Lawsuit By State AG Under HITECH

Let the age of HIPAA lawsuits begin.  Yesterday, the Connecticut Attorney General sued Health Net of Connecticut, Inc. for a security breach involving patient medical and financial records.  This is the first state enforcement action against a covered entity for a HIPAA violation since HITECH extended enforcement ability to the state attorneys general.  It serves as a good reminder that covered entities and business associates need to have breach notification policies in place and comply with those policies in the event of a security breach.

Meaningful Use and EHR Technology Regulations

The good news is that the government has released the proposed regulations on meaningful use and the interim final rule setting forth the standards and certification criteria for EHR technology.  The bad news is that these tomes combined are 692 pages.  CMS has issued fact sheets summarizing the regulations, including an overview of the phased-in approach to the criteria that will be applied to define "meaningful use."  Dr. David Blumenthal, the National Coordinator for Health Information Technology at the U.S. Department of Health & Human Services, wrote a guest column for the Wisconsin Technology Network stating that "Great care was taken in the development of these criteria."  Nevertheless, one can't help but wonder - if it takes over 500 pages to explain meaningful use . . . where are we headed?  The public comment period will last for 60 days, that is, if you can finish reading the proposed regulations by then!

Clarification of HITECH's Amendments to HIPAA's Civil Monetary Penalties

Recognizing the confusion surrounding HITECH's significant amendments to HIPAA's Enforcement Rule, the Department of Health and Human Services ("HHS") published the Interim Final Rule on HIPAA Enforcement ("Interim Final Rule") on October 30th.  The Interim Final Rule seeks to clarify the revised civil monetary penalty scheme established in HITECH, noting that many covered entities "may be unaware they are currently subject to significantly greater penalties for violations of the HIPAA rules."  Indeed - the increase in the maximum aggregate penalties from $25,000 to $1,500,000 is big news for all covered entities (and now business associates too).  HHS felt that this information was so important, it waived the notice and comment period and proceeded straight to the interim final rule, which becomes effective on November 30, 2009.

Congress Calls on HHS to Strengthen Breach Notification Rules

In a letter issued on October 1st, Congressional House leaders of the Energy and Commerce and Ways and Means committees oppose “the high bar” that the Department of Health and Human Services (HHS) has set for breach notification.

The breach notification regulations were enacted pursuant to the American Recovery and Reinvestment Act of 2009 (ARRA).  Published as interim final regulations in the Federal Register on August 24, 2009, they require health care entities to notify individuals and HHS if there has been an unauthorized use or disclosure (“breach”) of electronic personal health data.
These regulations, however, include a “substantial harm” standard, which does not require breach notification to individuals or HHS if the breaching entity believes there is no significant risk of financial, reputational or other harm to the individual.

According to the letter, the substantial harm standard is not consistent with Congressional intent. “In drafting [the enacting statute], Committee members specifically considered and rejected such a standard due to concerns over the breadth of discretion that would be given to breaching entities, particularly with regard to determining something as subjective as harm from the release of sensitive and personal health information.”

The letter urges HHS to revise or repeal the harm standard provision and calls for greater transparency through a “black and white standard,” which would allow individuals to assess the level of harm caused by a breach of their health information, and permit them to judge the quality of an entity’s privacy protection based on the true number of breach occurrences.

FTC and HHS Issue Breach Notification Rules for Electronic Health Information

As part of the American Recovery and Reinvestment Act of 2009 (the “Recovery Act”), Congress directed the Federal Trade Commission (“FTC”) and the Department of Health and Human Services (“HHS”) to issue rules requiring certain entities to notify consumers if there has been a breach in the security of their personal health information.

The FTC rule applies to vendors of personal health records, which provide online repositories for storage and tracking of health information, and entities that offer third-party applications for personal health records. These applications could include, for example, a blood pressure cuff whose readings consumers can upload to their personal health record.

The HHS rule, developed by the Office for Civil Rights (OCR), applies to healthcare providers and other HIPAA covered entities.

Under the rules, those entities subject to either rule must notify consumers if there is a “breach” involving their “unsecured” health information. Additionally, if a service provider or business associate of one of the entities has a breach of its own, it must notify the entity, which in turn must notify consumers.

A “breach” is defined as the unauthorized acquisition, access, use, or disclosure of protected health information, which results in the compromise of the security or privacy of such information.

Entities that secure their electronic health records through encryption or destruction are not required to provide notification in the event of a breach, as long as they follow HHS guidance on the proper methods of securing information. As an accompaniment to its rule, HHS issued an update to its current guidance (PDF) on acceptable encryption and destruction methodologies, which would render sensitive information unusable to unauthorized individuals. The policy on encryption is technical in nature and entities would be well-advised to have their IT consultants carefully review, and as deemed necessary, implement the HHS guidance.

Notification Requirements:

In the event that a breach is discovered, an entity subject to either the FTC or HHS rule must comply with certain notification requirements, including the timing, method, and content of notification.

  • Timing: A consumer must be notified of a breach to the security of their information “without unreasonable delay” and in no case later than 60 days after the discovery of a breach.
  • Method: Written notification must be provided to the individual via first-class mail at the individual’s last known address, or if the individual agrees, by electronic mail. Where the entity lacks sufficient contact information, a substitute form of notice “reasonably calculated” to reach the individual must be issued. If the insufficient information involves less than 10 individuals, notice may be made by an alternative form of written information or by telephone. If the entity lacks adequate information for more than 10 individuals, the substitute notice must be placed in a conspicuous posting for a 90-day period, either on the home page of the website of the entity involved, or in major print or broadcast media in areas where the affected individuals are likely to reside.
  • Content: Notice must include, to the extent possible:

1. A description of the types of information that were involved in the breach (e.g., social security number, date of birth, diagnosis);

2. Any steps individuals should take to protect themselves from potential harm that could result from the breach;

3. A brief description of the steps that the entity is taking to investigate the breach, mitigate harm caused by the breach, and to protect against any additional breaches; and

4. Contact information for individuals to ask questions or obtain additional information. This contact information must contain a toll-free telephone number, email address, website, or postal address.

In addition to the above requirements, for breaches involving 500 or more people the entity must provide notice to prominent media outlets serving the state or jurisdiction where the breach occurred.

Finally, entities subject to either rule must provide notification to the FTC (for non-HIPAA covered entities) or HHS (entities covered by HIPAA). The FTC has provided a standard form (PDF) which can be used to report an incident. This form requests information on the type of breach, the manner in which the breach occurred, the information involved, and what steps the entity is taking to investigate the breach.

The FTC final rule (PDF) will be published in the Federal Register shortly, and will be effective 30 days after publication. The FTC will begin enforcement 180 days after publication.

The HHS interim final rule (PDF) is effective 30 days after publication in the Federal Register (which should be sometime in mid- to late September) and includes a 60-day comment period.

OCR Will Now Enforce the HIPAA Security Rule

In an effort to consolidate HIPAA administration and enforcement within the Office of Civil Rights ("OCR"), the Secretary of the Department of Health and Human Services ("HHS"), Kathleen Sebelius, has moved the administration and enforcement of the HIPAA Security Rule away from the Centers for Medicare & Medicaid Services and has delegated that authority to the OCR, the office that administers and enforces the Privacy Rule.  According to Secretary Sebelius, “Privacy and security are naturally intertwined, because they both address protected health information.  Combining the enforcement authority in one agency within HHS will facilitate improvements by eliminating duplication and increasing efficiency.”  This reconfiguration provides further evidence that HHS is gearing up to increase HIPAA enforcement in light of the changes set forth in the HITECH Act.