Archive for March, 2011

Critical view of HIMSS / MGMA security toolbox

The folks over at HIMSS and MGMA have teamed up to produce what they call the HIMSS Privacy & Security Toolkit for Small Provider Organizations.  The toolkit provides medical practices with a wealth of information about HIPAA, HITECH, meaningful use, privacy and security.  Below is the letter from both the HIMSS and MGMA CEOs describing the security toolkit.

Message from the CEOs

As small provider organizations increasingly leverage electronic health records and other information technologies, they face significant challenges in their efforts to secure patient information. This is coupled with their efforts to comply with a myriad of existing and newly revised federal requirements. There is also a renewed emphasis on the importance of maintaining the confidentiality of electronic health information due to patient concern and media attention. Providers also recognize that protecting against a breach of health information will require employee training and the development of effective safeguards and reporting processes.

Targeting the needs of these small providers, HIMSS and the Medical Group Management Association (MGMA) (www.mgma.com) have partnered to create the HIMSS Privacy & Security Toolkit for Small Provider Organizations. This useful and practical toolkit will assist first in understanding the rapidly changing privacy and security environment, and then help providers implement an appropriate set of policies and procedures that best meet the needs of their organization. Since smaller organizations may not typically have the resources or technical expertise found in larger institutions, this toolkit will act as a roadmap and resource for clinical and administrative staff to navigate the complex privacy and security laws and regulations and to understand the security components required to participate in Medicare’s “Meaningful Use” EHR incentive program.

We hope this toolkit proves helpful as providers move forward with their health information privacy and security preparations.

I am a strong believer that the more medical practices understand privacy and security issues, the more they will do to protect patient information. So the HIMSS security toolkit is a welcome addition. The only issue I have with it is that it contains too much information, which makes it hard to digest all of the content. In a rough count I came up with around 50+ links to documents ranging from CMS Security Series paper #7 “Implementation for the Small Provider” (12/10/2007) to Meaningful Use Introduction (2/12/2011).  Each of the links provides great information, but the problem is that it is too much information. I am not sure who is going to read all that information and be able to digest it and formulate a plan for protecting patient information. I think this information has to be summarized and put into a form that is easy to understand.

They do offer a method of adding additional tools to the toolkit so maybe someone will put a good summary together.  Maybe they will utilize video to make it easier to understand and make it somewhat entertaining. Reading 50 links and over 500 pages of information is just not that much fun.


Encryption is still an afterthought at best

A real-life experience occurred on Friday that shows the use of encryption to protect patient data is still an afterthought at best.  A conversation between one of our clients and their EMR vendor shows that encryption and data protection are still not at the forefront of concern.  Below is a modified version of the conversation between the client and the EMR vendor which I was copied on.  Everything was changed (to protect the innocent) except for the overall meaning of the conversation.

EMR Vendor: Dear customer – we need a copy of your EMR database so we can test it on the new version of the software we will be rolling out in a couple of months.  We will be sending you a USB disk so your IT vendor can copy the database(s) and send it back to us.

Client: Why do you need the data?

EMR vendor: We want to test functionality of the new system and your database is one of the largest amongst all of our customers.

Client: OK, we will send you the data.

Seems like a very straightforward conversation.  The EMR vendor wants to test a large instance of the database which is good so they can iron out any bugs with the new version of the software.  The client is happy to be part of the testing so they know their database will have no issues when they upgrade.

Everyone but me was happy with the conversation.  Now it is probably because I write about HIPAA security or have launched a HIPAA Security Service, but I immediately thought to myself “there is no way we are going to send a disk with over 10 years of patient data to anyone without ensuring that this data is encrypted”.  On the other hand, I am an optimist, so I just waited for the vendor to tell the client that the USB drive would be encrypted or for the client to ask about encryption.  I waited, but that dialog never occurred.  I eventually replied to the email with my concerns.

Me: Will the USB drive be encrypted?  There is no way we can send that data without proper protection of the data.

EMR vendor: Yes the drive will contain an encryption utility that you can use to encrypt the data.

Me: Good!

So the good news is that the EMR vendor knew that the data had to be encrypted. The bad news is that the fact that the data had to be protected never came up in conversation until I raised the issue. Encryption was an afterthought during this conversation. We need to move to the point where patient data protection is a primary concern. In this case protecting the data in transit is more important than the testing of the software (in my opinion). A loss of this data could be devastating to the client.

In the end the client thanked me for looking out for the data security. To me patient data protection is one of my primary concerns. Unfortunately it seems that my concerns are not shared by others. We need to get to the point where patient data protection is a primary thought and not an afterthought.


Analysis of OCR’s message on HIPAA

OCR is serious about enforcement!

That is a message that 3 officials from the U.S. Department of Health and Human Services’ Office for Civil Rights made clear as they presented at the 19th National HIPAA Summit. The 3 officials who presented (links below take you to their presentations [PDF]) were:

Each of their presentations went into details of how OCR has been working to enforce HIPAA regulations.  I urge you to read each one fully but I will point out some of the more interesting points of their presentations.

Susan McAndrew

Pointed out that there have been 241 reports of security incidents that affected 500 or more individuals and over 29,000 incidents that affected under 500 individuals.  Laptops and portable devices continue to be the main cause of breaches.


She went on to state that there have been around 58,000 privacy complaints since 2003 and that 91% of the complaints have been resolved.  Of the 58,000 complaints, around 19,400 have been investigated and 64% have led to corrective actions (fines, I presume).

McAndrew went into details of the latest HIPAA fines that have been handed out including the $4.3 million fine to Cignet Health/Maryland.  She also discussed the training program for the 50 State Attorneys General.

David S. Holtzman

Went into details about some of the security breaches and enforcement activity.  His presentation was very interesting and some of the slides are below.

He said that every complaint that the OCR receives is reviewed and analyzed, and an investigation is launched if the facts look like an organization failed to comply with the HIPAA regulations.

Compliance reviews include evaluating an organization’s policies and procedures.  All breaches that affect over 500 individuals are reviewed.

In a very interesting slide, Holtzman showed the most frequent Security Rule issues.  They included lack of security incident response, lack of security training, lack of access controls and information access controls, and the lack of workstation security.

The next two slides give some good insight into the most common causes of breaches as well as where the information was located in the breach.

He ended with some valuable lessons learned including stressing that encryption should be used on data at rest on desktops as well as portable devices.

Valerie Morgan-Alston

Went into details on some of the fines that have been handed down including Cignet, Massachusetts General Hospital and Rite Aid.

But in the most interesting slide she went on to say:

In light of OCR’s clearly articulated intention to aggressively enforce the HIPAA Privacy and Security Rules, covered entities and business associates should review their current HIPAA compliance programs.

A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.

All in all a few clear messages were presented.  OCR is serious about enforcement and used several recent cases as examples.  More enforcement and more fines are coming.  Make sure you have policies and procedures in place. And utilize encryption for data on desktops and portable devices.

Image: Pixomar / FreeDigitalPhotos.net


A look at the latest Ponemon report on data breach expenses

The Ponemon Institute, in combination with Symantec Corp, released a report titled 2010 Annual Study: U.S. Cost of a Data Breach. The report looks at the financial impact of data breaches, including the loss of customers resulting from them. Some highlights of the report are listed below.

Rapid response to data breaches costs organizations more than a slower response. This could be due to inefficiencies of rapid response. Organizations are feeling pressure to respond to breaches quickly due to state and federal data protection laws.

More organizations favor rapid response to data breaches, and that is significantly costing them: Forty-three percent of companies notified victims within one month of discovering the data breach, up 7 points from 36 percent last year. That growth marks the largest percent increase among data breach response attributes. For the second year in a row, these “quick responders” paid significantly more per record than companies that moved more slowly. In 2010, quick responders had a per-record cost of $268, up $49 (22 percent) from $219 the year before. Companies that took longer paid $174 per record, down $22 (11 percent) from 2009.

Our results suggest that moving too quickly through the data breach process may cause cost inefficiencies for the organization, especially during the detection, escalation and notification phases. The notable increase in companies responding quickly to breaches, despite the additional cost, may reflect pressure companies feel to comply with commercial regulations and state and federal data protection laws. We will closely watch this issue in future reports.

Costs of data breaches continue to rise and now the average organizational cost is $7.2 million per breach.

For the fifth year in a row, data breach costs have continued to rise: Data breaches continue to cost organizations more every year. The average organizational cost of a data breach this year increased to $7.2 million, up 7 percent from $6.8 million in 2009. Total breach costs have grown every year since 2006.

Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from last year. Data breaches are costing more at both ends of the scale, but particularly the top. The most expensive data breach included in this year’s study cost a company $35.3 million to resolve, up $4.8 million (15 percent) from last year. The least expensive data breach was $780,000, up $30,000 (4 percent) from 2009. As in prior years, data breach cost appears to be directly proportional to the number of records compromised. Therefore, larger breaches continue to be a more serious cause for concern than smaller breaches.

I found the next point to be very interesting. It shows that losing customers due to a data breach is the most expensive component of the total data breach expenses. Pharmaceutical and healthcare had the highest customer churn. This should be a wakeup call to healthcare organizations.

Customer turnover in direct response to breaches remains the main driver of data breach costs: For the second straight year, abnormal churn or turnover of customers after data breaches appears to be the dominant factor in data breach cost. Regulatory compliance contributes to lower churn rates by boosting customer confidence in organizations’ IT security practices. Average abnormal churn rates across all 51 incidents stayed level at 4 percent. The industries with the highest 2010 churn rate remained pharmaceuticals and healthcare (both up a point to 7 percent). The industries with the lowest abnormal churn rates were public sector (less than 1 percent) and retail (1 percent). Sectors with the highest 2010 average per-record costs were communications ($380), financial ($353) and pharmaceutical ($345). Those with the lowest costs were media ($131), education ($112), and public sector ($81).

The use of encryption is increasing as a post data breach solution. Now if organizations would use more encryption prior to data breaches they would have a lot less headaches and expenses.

Training and awareness programs barely stayed in first place with nearly two-thirds (63 percent, down 4 points) of respondents using them. Expanded use of encryption stayed the most popular technology solution and, with 61 percent (up 3 points), took sole possession of second place this year. Interestingly, since 2008, technological solutions have seen the strongest growth while personnel and policy solutions have grown more slowly.

Laptops and mobile devices are expensive liabilities.

The prevalence of breaches concerning mobile devices holding sensitive data stayed roughly the same at 35 percent this year, down a point. Per-record costs rose $33 (15 percent) to $258 per record. Our research suggests that device-oriented breaches have consistently cost more than many other breach types. This may be because investigations and forensics into lost or stolen devices are more difficult and costly.

The report offers some sound advice for next steps:

• Take as slow and thoughtful an approach to data breach response as possible, given federal and state legal requirements applicable to location, industry and circumstances of the breach. Prepare in advance as much as possible to enable quick and cost-effective response.
• Ensure that portable data-bearing devices – such as laptops, smart phones and USB memory sticks – are encrypted, especially for extensive business travelers. Also, consider implementing inventory control, anti-theft devices and data loss prevention (DLP) policies, practices and technologies.
• Vet and evaluate the security posture of third parties before sharing confidential or sensitive information. Pick responsible vendors that can guarantee data protection through encryption and appropriate procedures and controls. Also, ensure that third parties protect data on their employees’ mobile devices.

Using patient record security as a competitive advantage

In two recent surveys a clear message is being sent. The message is that patients want doctors and health organizations to use electronic health records (EHRs), but the patients are very concerned with the privacy and security of their records.

A survey by Dell called The Dell Executive and Patient Survey (PDF) reported that an overwhelming number of patients wanted the following:

• EHRs (69%)
• Making it possible for EHRs to be shared between physicians, hospitals, and ancillary providers (74%)
• Email access to their doctor so they can ask questions and discuss their health via electronic mail (71%)
• Electronic prescription processing to allow health care providers and pharmacies to communicate without paper (76%)

But the patients also worried about the security of their electronic patient records.  They are concerned with:

• Their health data being safely and securely stored (69%)
• Their health data being transmitted over the internet (66%)
• Hospitals and providers adhering to privacy laws (such as HIPAA) (66%)

It is interesting that 69% of patients wanted EHRs but 69% also worried about their records being safely and securely stored.

A second survey sponsored by the National Opinion Research Center (NORC) at the University of Chicago shows similar desires and concerns:

Despite the fact that 48% of Americans are concerned about the privacy of medical records, fully 64% said that the benefits of EMRs outweigh privacy concerns.

So it is clear that patients want doctors to use EHRs, but they are also very concerned with the privacy and security of their records. Many medical practices and health organizations are pushing forward with the use of EHRs, so understanding and addressing patients’ concerns is really important. But what if medical practices and health organizations were to use patients’ concerns as a competitive advantage over other health organizations?

What if, instead of looking at HIPAA Security regulations as something that is mandatory and required by the government, a medical practice sees HIPAA and patient security as a way of addressing patient concerns? Savvy medical practices can use the fact that they have implemented the HIPAA Security Policies and Procedures, performed a Risk Assessment on all systems that contain patient information and trained their entire staff on how to protect patient information. Medical practices that have embraced patient record security can differentiate themselves from their competition.  A clear message they can send to their patients is:

Come to our medical practice because we care about patient record security and will do everything we can to protect and make your records secure!

Medical practices can address patients’ concerns and use HIPAA Security as a competitive advantage. Something to think about.

Cross-posted at HIPAA Secure Now!

Image: hinnamsaisuy / FreeDigitalPhotos.net
