Archive for August, 2010

Security factors of cloud computing EHR

A recent post over at HealthcareInfoSecurity.com has an interview with Robert Wah, M.D., of Computer Sciences Corp.  Dr. Wah gives some very insightful tips on what a practice should address when looking at a hosted EHR.  Below are some key points of the interview.

Dr. Wah recommends that a practice have multiple paths of connectivity to the hosted EHR datacenter.  In practical terms, you will want at least a primary Internet connection such as a T-1 and a backup Internet connection such as a cable modem, FIOS or DSL, ideally from a different carrier over a physically separate route; two circuits that share the same conduit into the building fail together.

But the other thing one has to think about when looking at remotely hosting an application like this is it is important to have multiple paths to the data center so that you are not reliant on a single point of failure. Because the classic worry that people have, and certainly I had this when I was in the Department of Defense, is…we used to always talk about what happens if a backhoe digs up the cable that runs to our data center…if you have multiple pathways to the data center so you can fail over to another pathway and not lose connectivity.

Dr. Wah recommends that a practice ensure that a contract with the EHR vendor specifically address HIPAA, security and who pays to implement any new regulations.

It is important to have in the contract what is the plan when new regulations come out; whose responsibility is it to comply with those; what is the timeframe for achieving compliance; and who bears the cost of changing the system or adding new layers of security to become compliant.

Dr. Wah goes into detail about ensuring that the EHR data is backed up.

It is important to understand at the beginning…what is the normal schedule for backup, and whether that meets the requirements of your situation…. We have a client that is a major medical center at one of the Ivy League schools. Every month, we drop a tape with the latest full backup so if anything happened to the data and they were not able to get to our system, they would be able to rely on an actual backup and the gap between the time they got it and the time they needed it would be fairly short.

Dr. Wah addresses other security issues that should be considered, including how the hosted datacenter is run, ensuring that the personnel working in the datacenter are well versed in HIPAA, and knowing what the maintenance schedule is and the associated availability of the EHR.

Well I think it is important to remember that when we are talking about healthcare, in most cases we are talking about mission-critical data. So it is important to deal with it just like other industries deal with mission-critical data.

Financial industries obviously have dealt with this issue for a long time, because if they don’t have access to financial data, they are sort of out of business. Lack of access to data in healthcare can actually be detrimental to patient care, which makes it even more mission-critical than financial information.

So I think it is important to have good transparency into how a data center runs. The data center operations must be transparent to the client so that they know and have good reassurance that, as I said before, the highest level of security is being maintained both from a technology standpoint but also from a policy and procedure standpoint. The client also must be assured that the people who are working in that data center are trained, are very compliant with HIPAA guidelines, and understand the importance of electronic personal health information and are very cognizant of the mission criticality of the system that they are running.

Some people actually go visit the data center to actually see the physical plant and meet the people who are going to be involved with handling their systems. Because it is, as I said before, a mission-critical data set that they are dealing with and they want to know that they have put that in the right hands. I would say transparency is a question that you always want to bring up when you are dealing with trying to select someone to handle your mission-critical data. I think it is also important to talk about maintenance. Sometimes it is necessary to shut down the system to do maintenance….So it is important to make sure that everyone understands what the procedure would be when that maintenance occurs.

In some systems, it is possible to do it during the off hours when no patient care is going on. When I was in the Department of Defense, we had a problem where we were operating our system in 12 time zones, so there really was no “middle of the night.” Everybody was accessing the system all of the time, so we had to have backup systems put in place while maintenance was done on the main system. But other systems that are not spread as globally as we were in the Department of Defense may not have that same problem.

Knowing when the system is going to go down and when it will come back up is critical so that people know to prepare and have a contingency plan where they can go to some sort of an alternative format, whether that be paper or another system, while the maintenance is going on.

I think Dr. Wah's points are very valid and give good insight into what should be discussed with any EHR vendor that offers a hosted product.  I have discussed some of the dangers of cloud computing in the following posts.


Top ten tips for protecting data

A post over at the Sophos Blog lists the top 10 tips for protecting sensitive data in an organization.  The list is not healthcare specific, but it is very useful.  Most of the items correspond to safeguards the HIPAA Security Rule already requires, so you should be thinking about or implementing some of them already.

Ten top tips for protecting sensitive data in your organisation from theft or loss

  1. Encrypt all confidential info. Keep sensitive information inaccessible to prying eyes.
  2. Use hard-to-guess passwords. Enforcing good password usage is key to stopping hackers from cracking into your systems.
  3. Keep security software up to date. New malware is being released all the time and spreads at alarming rates. Updating your software automatically is key to defending against the latest threats and vulnerabilities.
  4. Danger USB! Unauthorised use of USB storage devices could lead to data being lost from your company. Control usage with security software.
  5. Knowledge is power. Find out what your local legislative requirements are and review your security strategy to ensure you are compliant. They will be able to advise on what type of technologies, processes, and policies are required by law.
  6. Prepare for disaster. Create a plan of action to follow if a severe data breach takes place. Swift reaction can make a huge difference to legal ramifications and corporate reputation.
  7. Education is key. Find an engaging way to explain to staff the value of data and talk through the technologies, policies and best practice. Have employees be part of the army safeguarding sensitive data rather than keeping them in the dark.
  8. Encourage – rather than punish – employees who report potential data loss or breaches. The information can help you mitigate against costly risks.
  9. Don’t lock it all down. Employees today need a lot of online freedom to be efficient and effective. Locking everything down will only encourage employees to find nefarious workarounds. Talk to them, find out what they want, and figure out a way to give it to them in the safest way possible.
  10. Back seat bungles. It’s all too easy to leave a laptop or smartphone containing sensitive information in a taxi or a public place. Data should always be encrypted, but also use a remote wipe facility if devices are lost.

2009 Annual Study: U.S. Cost of a Data Breach

In a very interesting study by the Ponemon Institute, the costs of data breaches were analyzed.  This is the 5th annual study done by the Institute.  The study showed that companies are spending more money to remediate data breaches. The average cost per compromised record per breach rose from $202 to $204.  The big driver of the cost of a data breach is the loss of customers, i.e. customers that switch to another company because of the breach.  To put that in perspective, a data breach that affects 1,000 patients (records) would run around $204,000 in breach-related costs on average.  That is a staggering number!

In addition, breaches from malicious attacks rose to 24% of all breaches, double the 2008 figure.  The study also reported, for the first time, breaches caused by data-stealing malware.  That is very troubling: it means that some of the spyware and viruses companies have to deal with are no longer just annoying and disruptive; they are serious issues that can involve theft of data and a reportable breach.

Another eye-opening statistic from the report is that 36% of all data breaches were due to a lost or stolen laptop or mobile device, and breaches involving a lost or stolen laptop cost more per record ($225) than the overall average ($204).  If this isn’t reason enough to ensure that your laptops are encrypted, I don’t know of a better one.

Here are some highlights of the study:

U.S. organizations continue to experience an increased cost of data breaches, which includes activities intended to prevent a loss of customer or consumer trust. This rise in expense occurs despite a decline in major media or press coverage of this topic. Overall cost is not declining despite the perception that data breaches are becoming a more mundane issue. This viewpoint may be tied to stabilizing costs of detection, escalation and notification as well as our first-ever observation of a decrease in lost business. The average organizational cost of a data breach increased nearly 2 percent, from $6.65 million in our 2008 study to $6.75 million in 2009. The average cost per compromised record per breach rose only $2, from $202 to $204. The most expensive data breach event included in this year’s study cost one organization nearly $31 million to resolve.

Data breaches from malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than those caused by human negligence or IT system glitches. The incidence of malicious attacks rose from 12 percent to 24 percent. In addition, the 2009 cost per compromised record of data breaches involving a malicious or criminal act averaged $215, 40 percent higher than breaches involving a negligent insider ($154) and 30 percent higher than breaches from system glitches ($166). For the first time companies participating in the study reported that data-stealing malware caused their breaches. These findings suggest that organizations must start protecting themselves more proactively from increasingly aggressive malicious outsiders.

Data breach continues to be a very costly event for organizations. The average organizational cost of a data breach increased from $6.65 million in our 2008 study to $6.75 million in 2009. The most expensive data breach event included in this year’s study cost a company nearly $31 million to resolve. The least expensive total cost of data breach for a company included in our study was $750,000. The magnitude of the breach event ranged from approximately 5,000 to approximately 101,000 lost or stolen records. As in prior years, data breach cost appears to be linearly related to the size or magnitude of the breach event.

Abnormal churn or turnover of customers resulting directly from the data breach incident appears to be the main driver for data breach cost. In this year’s study, average abnormal churn rates across all 45 incidents is slightly higher than last year (from 3.6 percent in 2008 to 3.7 percent in 2009), which was measured by the loss of customers who were directly affected by the data breach event (i.e., typically those receiving notification). The industries with the highest churn rate are pharmaceuticals, communications and healthcare (all at 6 percent), followed by financial services and services (both at 5 percent). The industries with the lowest abnormal churn rates are manufacturing, energy and media (all at or below 1 percent), followed by technology and retail (both at 2 percent).

Thirty-six percent of all cases in this year’s study involved lost or stolen laptop computers or other mobile data-bearing devices. Data breaches concerning lost, missing or stolen laptop computers are more expensive than other incidents. Specifically, in this year’s study the per victim cost for a data breach involving a lost or stolen laptop was $225.

Here are some of the preventative solutions that the report lists:

Preventive Solutions

Especially given the rise in data-stealing malicious attacks, organizations should strongly consider a holistic approach to protecting data wherever it is – at rest, in motion and in use. While manual and policy approaches may come first to mind for many companies, those approaches by themselves are not as effective as a multi-pronged approach that includes automated IT security solutions. Many kinds of automated, cost-effective enterprise data protection solutions are now available to secure data both within an organization and among business partners. Some of the most popular and effective of these technologies currently available include:

  • Encryption (including whole disk encryption and for mobile devices/smartphones)
  • Data loss prevention (DLP) solutions
  • Identity and access management solutions
  • Endpoint security solutions and other anti-malware tools

Companies should also look for centralized management of IT security solutions so they can automatically enforce IT security best practices throughout their organizations. Such capability also enables enterprises to align information protection with corporate security policies and regulatory or business-partner mandates.


Six Healthcare Data Breaches That Might Make Security Pros Sick

I read an excellent article over at Dark Reading called Six Healthcare Data Breaches That Might Make Security Pros Sick.  I have mentioned a couple of these data breaches in previous posts.  The overall message of the article is that, with a little common sense, most of these data breaches could have been avoided.

Below is the article:

Six Healthcare Data Breaches That Might Make Security Pros Sick

Most of the healthcare industry’s biggest compromises could have been avoided, experts say

Aug 13, 2010 | 01:35 PM

By Ericka Chickowski, Contributing Writer
DarkReading

The number of healthcare breaches in 2010 have outpaced other verticals — including banking and government — by as much as threefold. While not all of these breaches came via databases, the majority of them could have been prevented through better data access and governance policies — policies that must be enforced at the database level, experts say.

Healthcare organizations seem particularly prone to problems on the inside of the organization, including malicious theft and unintentional loss of storage devices containing treasure troves of database information. Let’s take a look at six of the biggest breaches from recent months – and the lessons they might teach about data protection.

1. Lincoln Medical and Mental Health Center: More than 130,000 records were exposed this spring when Lincoln Medical’s billing vendor, Siemens Medical Solutions, chose to send out a stash of information on seven CDs sent to Lincoln via FedEx. Completely unencrypted, the data contained on the disks was compromised when the envelope was lost in transit. Though Siemens and Lincoln have stopped the process of transporting sensitive material through overnight shippers, the damage from this incident was already done.

Lessons Learned: With so many methods for securing data in transit available today, this incident was wholly preventable with a little common sense. Information was copied from the database directly onto insecure media, with only flimsy password protection to keep the bad guys from busting into it. At the very least, simple encryption might have made the loss less painful.

2. University of Texas Medical Branch: Allegedly using a stolen identity to gain employment at UTMD’s medical biller, MedAssets, for the purpose of perpetrating fraud, Katina Rochelle Candrick is suspected of helping herself to up to 2,400 UTMD patient records. Disclosed earlier this year, the insider breach was ferreted out when MedAssets was notified by law enforcement that a former employee had been picked up for identity theft. Candrick was booked for many more ID theft charges in cases around the country, totaling more than $1 million in losses.

Lessons Learned: Identity theft is big business these days, and as thieves catch on, they’re beginning to devise more elaborate schemes to get their hands on data. Not only do organizations need to ensure they work to better screen those who will use the data, but they also need to ensure their vendors are as discriminating. And, of course, database monitoring keeps tabs on the activity of employees — no matter who they are.

3. South Shore Hospital: A whopping 800,000 records containing sensitive, personal health, and financial information were compromised when South Shore’s data management company, Iron Mountain, lost backup tapes containing copies of the hospital’s most sensitive databases created between 2006 and early 2010. The files were slated for destruction prior to loss. They contained the mother lode for potential identity thieves: names, addresses, phone numbers, dates of birth, Social Security numbers, patient health information, and even bank account data.

Lessons Learned: Unencrypted backup tapes have been a persistent threat to enterprise data for years now. Such media can hold vast stores of information and is small, portable, and regularly transported between multiple locations — often leading to mishaps. Whether the information is due to be destroyed or stored for years, it makes sense to encrypt data prior to transport. It is also critical to understand that using a third party to manage sensitive backup documents never fully transfers risk to that third party.

4. Silicon Valley Eyecare Optometry and Contact Lenses: More than 40,000 patients were informed of a breach that exposed their sensitive health and identifiable information after Silicon Valley Eyecare was hit by burglars. The thieves stole the server containing the firm’s patient database, which included health information and personally identifiable information, such as dates of birth and Social Security Numbers. The burglars broke in through a window, nabbing the server and a plasma TV; they were in and out within 50 seconds, according to the eye-care center, which recorded the theft on video.

Lessons Learned: Though the server did sit inside a locked room, it was likely visible from the window. The database that sat within the server was password protected, but unencrypted. To prevent these types of breaches from occurring, database stewards need to plan better layers of both physical and logical security. This means storing servers in secure, concealed locations and encrypting data in the machines.

5. Affinity Health Plan: This spring, Affinity informed hundreds of thousands of customers that it potentially exposed their personal information through the unlikeliest of devices: the office copier. The health insurance company apparently returned a copying machine to its leasing company without checking the information contained on its hard drive after extended use. All in all, the copier compromised 409,000 records.

Lessons Learned: With so many devices in the office connecting to the database and processing sensitive information, organizations must remain vigilant about how data is used and stored — no matter what the electronic medium. Multipurpose copy machines are a particularly tricky prospect because they can copy and store both digital and paper format files, making it necessary for organizations to develop policies about data retention and to train employees to stick to those mandates.

6. AvMed Health Plans: This year has not been good for AvMed and security. In February, it went public with breach details from a late 2009 stolen laptop incident that it initially said exposed more than 200,000 records. By June, it had upped those figures to 1.2 million records. AvMed claimed in its press releases that the risk of fraudulent use of these records was low, but did not say whether the data was encrypted.

Lessons Learned: Laptops needn’t be out in the field to be juicy targets for theft — they just need to contain enough valuable records to entice thieves. In this case, the two laptops were stolen directly from AvMed’s offices. A very large number of healthcare’s data breach woes can be pinned to lost and stolen laptops.


Dear Research in Motion

Dear Research in Motion,

For 10 years I have been an avid and faithful user of your Blackberry devices.  Every day since I started my own business 10 years ago, I have had a Blackberry literally attached to my hip or next to my bed.  Your devices have helped me run my business, stay in touch with clients,  employees, and vendors.  Your devices have also helped me with keeping up with my favorite sports teams while attending my kids’ football, field hockey, soccer, softball and baseball games.  They have even allowed me to sneak away to play golf while I continued to email and communicate without anyone knowing where I really was.  Your Blackberries have been a huge asset to me and my company and I attribute some of our success to your innovative devices.

I have owned 6 or 7 of your Blackberries over the years.  From the pager-styled Blackberry to devices with the scroll wheel on the side.  The first Blackberry devices were purely email specific.  But even in that limited capacity they were incredibly useful and productive devices.  When you introduced the Blackberry with the scroll ball and the ability to browse and search the Internet, I couldn’t buy one quick enough.  The innovation of those devices was truly amazing.  And recently the Blackberry 8830 and Tour were good devices with color screens and a high resolution camera.  Each new piece of hardware brought along new features that made it better than the last device.

Not only was I an avid user of your Blackberry devices but I eagerly encouraged my clients to standardize on Blackberries.   I remember having heated discussions about the merits of the Blackberry over the Palm Treo back in the early 2000s.  And when you introduced the Blackberry Enterprise Server (BES) Express  I showed each client the incredible management capabilities and the ease of deployment that went along with BES.  I truly was a huge supporter of Research in Motion and Blackberry devices.

But over the past couple of years your innovation has slowed down.  Sure the Blackberry 8830 and the recent Tour were good devices.  They offered new features that made them better than the previous model.  But I was truly disappointed that the Tour did not have WiFi.  And each device had a slow and barely usable browser that made browsing the Internet painful and frustrating.  I can’t tell you the number of web pages that I couldn’t view because they were too big for the browser.  And while I struggled with the inadequate Internet functionality, newer devices by Apple and those using Google’s Android software continued to innovate and leapfrog the Blackberry functionality.  Apple and Android devices attracted developers and thousands and thousands of applications were developed for each device.   These newer and sexy devices were being purchased and raved about by my friends and colleagues but I continued to walk the line and insist that the Blackberry had the best email experience, management tools and keyboard that set them apart.

My main complaint was the lack of a good Internet browser on my Blackberry.  And then I heard the rumor that a new Blackberry was coming out that had a full touchscreen and slide-out keyboard.  I thought that this would be the device that would solve my issues.  When I heard that the Blackberry Torch was exclusively on the AT&T network and was not being offered on Verizon’s network I was more than annoyed.  I have been with Blackberry and Verizon for 10 years and I know the reliability of the Verizon network and would not switch to AT&T.

With no prospects for a better phone on the Verizon network I had no choice but to finally give up on your Blackberry devices.  Last night I purchased a Motorola Droid 2.  I have to admit that I am amazed at how fast it is, how beautiful the screen is, how fast and useful the Internet browser is and how useful and functional the thousands of apps are from the Android App store.  I have to admit that the keyboard is not as good as my Blackberry Tour but it is usable and very functional.

So in conclusion, you have lost a loyal customer of 10 years and one that was an evangelist for your products.  My employees will follow me and give up their Blackberries for Droids.  I can see my customers making the same decisions over the next few months.  My advice is to make sure you innovate like there is no tomorrow before millions of other customers make the same decision that I made.  The truth is that until people actually use an iPhone or Android phone they really don’t know how much better they are than your Blackberry devices.  I truly hope it is not too late for your company and for the Blackberry devices.  I hope that your new operating system and new devices do a good job of catching up to your competitors.  If you don’t make huge leaps forward, millions of Blackberry users will soon be iPhone or Android users.  It has been a good 10 years and with that I say goodbye.

Sincerely,

Art Gross


More healthcare data breaches than financial services

In a report published by the Identity Theft Resource Center, the number of healthcare data breaches exceeded the number of data breaches in the financial services sector so far in 2010.  According to the report, healthcare had 119 data breaches exposing 1,636,400 records.  The financial services sector had 39 breaches exposing 4,451,803 records.  It should be noted that the number of records exposed in the financial services breaches was almost 3 times the number for healthcare.

As I mentioned in this post, I believe the number of data breaches for the healthcare sector will increase as more and more practices start to implement EMRs.  Now is the time to take HIPAA Security seriously.  If you haven’t performed a Risk Assessment or implemented basic steps of security, such as laptop encryption, you are just asking to be included in the reported number of healthcare data breaches.


ER doctor uses iPhone to save patient

Dr. Kathy Corby, an emergency room doctor, treated an 8-year-old patient using her iPhone and seven separate apps.  The 8-year-old girl was having seizures and was not breathing.  Dr. Corby reached for her iPhone and used the following applications to save the girl:

The child has a rare hereditary disease, and Corby needed to become an instant expert. So she began scanning a number of medical apps loaded onto her iPhone to access “everything you can’t remember on your own in the midst of something like this.”

The power of smartphones and medical apps is truly amazing.  I think stories like this will be told again and again. Scanning through large textbooks or even going to a computer to do research will be replaced by reaching for a smartphone and instantly accessing information.  And in an emergency situation the use of a smartphone could be even more important.  As Dr. Corby said:

“I did all of this,” she said, “without taking my eyes off the child.”


Guest post from Brian Lapidus

I have used this blog to talk a lot about data security and how to prevent data breaches.  Several times I have referenced studies by Kroll’s Fraud Solutions division.  I was contacted by Brian Lapidus, chief operating officer of Kroll’s Fraud Solutions division, who has offered to share some very insightful information about how healthcare organizations can improve their data security measures.

As the healthcare industry prepares for a major shift to EHRs over the next several years, providers must take important steps to make sure their data security practices are in good health.

Protect outsourced data. Your organization must know exactly where and how your data is stored with all of your third party vendors. This includes service providers, like labs, as well as internal service arrangements like remote hosting or backup storage facilities. If the organization is considered a Covered Entity (CE) under HITECH, your Business Associates (BAs) are required to notify you if they have a breach. However, it is the CE’s responsibility to notify the individuals and the appropriate federal entities. Specifically:

  • Know where data stored by BAs is physically located, particularly if it is going to an offshore facility – depending upon the laws of that country, the BA may be under no obligation to notify you in the event of a breach or to turn over evidence in legal discovery.
  • If you haven’t already done so, make sure all of your BA contracts contain strong provisions regarding data privacy and security and detailed guidelines on what to do in the event of a breach. This should include proof of employee training and background checks – two fundamental aspects of a good security plan. Respondents to the HIMSS survey indicated that half did not require proof of employee background checks from third party vendors, and 40 percent didn’t require proof of employee training.

Make sure all portable media devices are fully encrypted. HITECH specifies notification in situations where the PHI that has been lost or stolen is “unsecure” – that is, PHI that has not been rendered unusable or unreadable through some means, generally through encryption. Full disk encryption, especially of portable media devices, is a valuable means of securing any and all sensitive information, and regulators are increasingly looking to encryption as a means to ensure compliance with privacy and security laws. For instance, Nevada has legislation that went into effect at the first of the year that, in general terms, requires the encryption of all personal data transmitted electronically, except via fax. In making the case for encryption, make sure organizational decision makers understand that “password protection” does not equate to encryption.  Kroll has had clients who thought they were covered when a laptop was stolen because it was password protected, but this is still considered unsecured data under HITECH provisions.

Train your staff. Employee training is the most important thing an organization can do to assure that its privacy and security policies are correctly implemented. The most successful organizations make training part of the culture as compared to those organizations who limit training to reviewing a manual and signing an agreement. Employees of healthcare organizations often have widely varying responsibilities and points of touch with patient data, so it’s important to construct a training program that is relevant to job function and level of sensitive data handling. We see many organizations make the mistake of not training employees on relevant new legal requirements, new security threats and other current topics. Simply learning how to detect a breach of information can be invaluable, given the notification requirements timelines under HITECH.

Plan for an event, and then test your plan. The HITECH act specifies that notification must occur “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach.” Let’s face it – from the moment you uncover a breach, every second counts. That’s why all healthcare organizations are under pressure to develop and implement a breach preparedness and actionable incident response plan. But having the plan is not enough; in light of the rigorous requirements, it’s best to make sure the plan is thoroughly tested and frequently reviewed for updates in the event of changes within the organization. Testing may include a tabletop drill, in which all stakeholders are brought together for a “dry run” of the response plan in the face of a mock breach scenario. Additionally, don’t be afraid to study other organizations’ breach events and learn from the experiences of others, as these real-life cases can be great teachers.

Understand the complexity of breach response and notification requirements. Even though the new requirements are federal, your organization will still be required to comply with state laws that govern the breach of PII and PHI. Depending upon the number of affected individuals, among other variables, your notification requirements under HITECH (and other applicable state laws) could include notifying Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), local media, state attorneys general offices, as well as affected businesses. Missing deadlines could result in hefty penalties or fines. Clearly, notification is about far more than mailing a letter. Perform a little due diligence and prepare a list of possible vendors that can assist in coordinating breach response, crisis communication, and notification responsibilities. Depending upon the size and scope of the breach, sometimes bringing in outside help is essential to maintaining the day-to-day operations of the organization.

It is important to remember that, although the provisions that appear in the legislative text of HITECH are aimed at expanding the use of electronic records, most of the privacy and security provisions apply to both electronic and paper records. Whether an organization plans to go electronic or not, the pre-breach checkup will be essential in being compliant with federal and state regulations.

For more information on data security issues, visit www.krollfraudsolutions.com or check out the new Kroll blog “A Dialogue on Data Security.”

Brian Lapidus, Chief Operating Officer, Kroll Fraud Solutions

Brian Lapidus has unique frontline experience helping a wide variety of corporations and organizations safeguard against and respond to data breaches. With an extensive background in organizational development, today he sets direction for the company’s continued success in identity theft discovery, investigation and restoration. Lapidus is particularly knowledgeable about the many security gaps – physical, procedural and electronic – common to many U.S. companies and organizations, as well as the criminal landscape where stolen identities are bought, sold and used.  He oversees a highly-skilled team that includes veteran licensed investigators who specialize in supporting breach victims and restoring individuals’ identities to pre-theft status.

He also is working with consumer organizations to help ensure responsible practices among businesses that provide identity theft-related services. Lapidus has a bachelor’s degree from Washington University with concentration in psychology and business and an MBA from Vanderbilt with concentration in strategy and general management.


HITECH Breach Reporting Rule Withdrawn

HHS has withdrawn the Interim Final Rule for Breach Notification for Unsecured Protected Health Information.  On the HHS website there is a notice that states:

The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.  During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.

HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget (OMB) for Executive Order 12866 regulatory review on May 14, 2010.  At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department’s experience to date in administering the regulations.  This is a complex issue and the Administration is committed to ensuring that individuals’ health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur.  We intend to publish a final rule in the Federal Register in the coming months.

Consumer advocates have criticized the HITECH breach reporting rules and point specifically to the “harm standard”. The “harm standard” allows healthcare organizations to determine whether a breach of patient information presents a significant risk of harm to the affected individual(s). Healthcare organizations would most likely perform a risk assessment to determine whether the breach presents a significant risk of financial, reputational or other harm to an individual. Critics of the proposed rule say that allowing the healthcare organization to decide whether the risk is significant, and therefore whether the breach needs to be disclosed, would result in many breaches going undisclosed. Critics argue that the “harm standard” should be removed from the final rule and that all breaches should be disclosed.

I have mixed feelings on the “harm standard” and whether it should be included in the rule or removed from the rule. On one hand I think the “harm standard” makes a lot of sense. Assume a laptop is lost and it contains patient information (assuming the laptop was not encrypted), and then the laptop is returned 10 days later and it is also determined that the laptop information had not been accessed. Under the “harm standard” most likely a healthcare organization will determine that there was no risk to the patients whose information was on the laptop, and therefore no breach notification would be required. I would tend to agree with the determination to not disclose the breach because no patient information was accessed and no harm was done to the patient.

On the other hand, if a laptop is lost and it contained patient information and was not recovered, then I believe that the breach should be disclosed. Under the “harm standard”, a healthcare organization could perform a risk assessment and determine that the cost of reporting the breach was more than the risk to the patient and decide not to disclose the breach. In this example I disagree with the “harm standard” and think it would be wrong for a healthcare organization to make the determination that the breach should not be disclosed.

As you can see, the “harm standard” is not black and white. In some cases it makes sense and in others it does not. HHS will have a challenge to revise the rule so that patients are properly protected while, at the same time, not every incident leads to a breach notification.
