Why medical practices should be afraid

 

There are two very disturbing trends regarding information security that should keep physicians and practice administrators up at night.

The first trend is that it seems no company is safe from security breaches. Just yesterday Citigroup announced a breach involving more than 200,000 accounts. Sony has been hacked repeatedly. Epsilon has experienced a huge data breach. These are multinational companies with the resources to protect data, and yet they have been hacked and their data has been breached.

The second trend is that hackers are starting to focus on smaller targets. The Verizon 2011 Data Breach Investigations Report (PDF) found that attackers are moving away from larger targets toward smaller companies (tell that to the companies mentioned above). The reason is that smaller companies have less security and are easier to hack.

Medical data has a very high value on the black market, and it is only a matter of time until hackers turn their attention to medical practices. Medical practices typically don't invest much money in security, and many are not compliant with the HIPAA Security Rule. The chances that hackers succeed when they focus on medical practices are probably pretty high. In addition, the costs of security breaches are increasing, and HIPAA enforcement and fines are increasing as well.

Physicians and practice administrators need to be aware of these disturbing trends. Security and HIPAA compliance are essential and need attention now, before it is too late.

 


Insightful letter from OCR following a data breach

There is a great post over at Infosec Island regarding a letter received from the Office for Civil Rights (OCR) after a data breach at a small medical practice. The breach was the result of a burglary. No details were given on what was stolen or what kind of patient information was obtained, beyond what the letter itself reveals (item 2 below refers to a laptop and server theft).

The post lists the following 11 items requested in the letter from OCR and states that the practice had only 21 days to respond.

1. Documentation of the covered entity’s admission, denial, or a statement indicating that the covered entity has obtained insufficient evidence to make a determination regarding the allegations.

2. Documentation of an internal investigation conducted by the covered entity in response to the allegations including a copy of the incident report prepared as a result of the laptop and server theft.

3. Documentation of the covered entity’s corrective action taken or plan for actions the covered entity will take to prevent this type of incident from happening in the future, including documentation specifically addressing, if applicable:

a. sanctioning of the workforce member(s) who violated the Privacy and Security Rules, in accordance with the covered entity’s current policies and procedures, and as required by the Privacy Rule.

b. re-training of appropriate workforce members.

c. mitigation of the harm alleged, as required by the Privacy Rule.

4.  A copy of your HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.

5.  A copy of the policies and procedures implemented to safeguard the CE’s facility and equipment.

6.  Evidence of physical safeguards implemented for computing devices to restrict access to PHI.

7.  A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.

8.  Evidence of security awareness training for involved workforce members including training on workstation security.

9.  Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.

10. A copy of the written notification of the breach provided to the affected individuals.

11.  A copy of the written notification given to the media.  This should include a list of all media sources to whom this notification was given and any media reports (news stories or articles) stemming from this notification.

The first takeaway is that OCR is asking for a lot of information in a very short period of time. Twenty-one days is not enough time to produce all of this if the practice did not already have the documentation in place. And maybe that is the point: the short response window does not give an organization time to scramble, put this together and claim it was in place prior to the breach.

The second takeaway is that OCR clearly wants to see written documentation that you have a security program in place to protect patient information and are in compliance with the HIPAA regulations.

Items #4 and #5 clearly state that they want to see written policies and procedures on how an organization protects patient information. Unless you have gone through the exercise of preparing the policies and procedures, I doubt that telling them you discussed these with your staff but haven't documented them will carry much weight.

Item #7 clearly states that they want evidence that you have performed a risk assessment on how you are protecting patient information. A risk assessment is required under the HIPAA Security Rule and identifies the areas an organization needs to focus on to better protect patient information. Not having one will make it very difficult to defend yourself and prove that you have taken the HIPAA Security regulations and the protection of patient information seriously.

Item #8 addresses evidence that each member of an organization's workforce has received HIPAA Security training. Again, this looks for documented proof that each workforce member has been trained. If you do not have a formalized training program, saying you covered training in staff meetings might not be sufficient, especially when they are looking for formal documentation.

Item #9 is very interesting because it asks for documentation addressing the encryption of information on workstations. Encryption is an addressable implementation specification in the HIPAA Security Rule, and OCR wants to see how the organization has addressed it. Remember, an addressable implementation specification is not optional: you must assess whether it is reasonable and appropriate in your environment, implement it if so, and if not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. Either way, the documentation must exist. For example, an organization might require laptops to be encrypted while deciding, with a documented rationale, that data at rest on servers in a locked server room does not need to be. The takeaway is that you need to document how you have or have not implemented encryption, along with the reasons supporting your decisions. Note that the OCR letter asks specifically about workstations, so a decision not to encrypt desktops needs a better justification than the fact that the specification is addressable.

Items #10 and #11 address how an organization has prepared itself for a security breach and how it has responded to the current one. The Breach Notification Rule, established under the HITECH Act, states that an organization has to notify affected individuals within 60 days of discovery of a breach. Below is more information from the HHS website:

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.  Additionally, for substitute notice provided via web posting or major print or broadcast media, the notification must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

All in all, this insight into what to expect from OCR if your organization experiences a data breach should make you very apprehensive. If you do not have these items in place prior to a breach, it will cast a very negative light on your security program. If you cannot provide the written documentation for the 11 items requested, there is a chance that OCR will determine that you are in "willful neglect" of the HIPAA regulations. Fines for willful neglect are substantially higher: $50,000 per violation, with an annual maximum of $1.5 million.

The time to worry about complying with HIPAA Security is before a data breach, not after. OCR has made clear what it will demand from an organization. If you do not have these items in place, NOW is the time to act!


3 things you must do after implementing an EHR

You have just implemented a new electronic health records (EHR) system, congratulations! You probably spent anywhere from $75,000 to $500,000+ on hardware, software, licenses, and implementation labor. Hopefully you qualify for EHR meaningful use incentive funds to offset some of those expenses. While you are looking to stop spending money and start recouping some of the expense, I am going to tell you about 3 additional products and services that you must consider.

The 3 products and services are:

  1. Offsite data backup
  2. HIPAA Security
  3. Disaster Recovery

I realize those 3 items are not sexy and will not increase your revenue. I think that is one of the reasons many medical practices don't sign up for these services. The 3 services are about protecting your EHR, your data, your patients' information and your practice.

Offsite Data Backup

“Why do I need offsite data backup when we are backing up to a tape drive?”

I can’t tell you how many times I have had this conversation. Backing up your data nightly to a tape drive is a good practice, but unfortunately backup tapes are not completely reliable. Every time we have to restore a file, database or other data from a backup tape, I hold my breath and pray that the data is on the tape and that we can retrieve it successfully.

If you are backing up to tape, the responsibility for switching tapes each day is usually assigned to an individual in the practice. From experience, people forget to switch tapes (trust me, this happens more often than you can imagine). In addition, tapes are reused over and over and eventually lose their ability to reliably read and write data. Hence the praying: when we need the data, the tape may have degraded to the point where it cannot be read.

Offsite data backup is a very straightforward process and very similar to backing up to tape. On a nightly basis the data is backed up, but instead of going to tape it goes to a server in a vendor’s data center. Here is how it works.

  1. On the system you are backing up, a backup agent (software program) starts the backup.
  2. The backup agent makes a secure, encrypted connection over the Internet to a server (or servers) at the vendor’s data center.
  3. The data is copied to the vendor’s servers and stored there in encrypted form.

As you can see, it is critical to have an Internet connection in order to perform the offsite backup. The offsite backup is scheduled and runs automatically, so no human intervention is required. This eliminates the problem of someone forgetting to change the backup tape. Two things to check before you sign up: the vendor is storing your ePHI, so make sure it will sign a business associate agreement and find out who holds the key that decrypts your data; and make sure the agent reports failed or skipped jobs to someone who will read the report, because an offsite backup that quietly stops running is no better than a tape nobody changed.

My recommendation to most practices is to use offsite data backup as a supplemental service in addition to nightly tape backups. If you do both, you have your data in 2 different places and you increase the chances that the data will be available if and when you need it.

On average, offsite data backup costs around $2 per GB per month. So if you are backing up your EHR and have 20GB of data, it will cost around $40/mo. I think that is a very reasonable amount to help ensure that your data is protected. To help convince you that offsite backup is worth the additional expense, let’s look at a scenario that I have seen happen multiple times.

There is a really bad storm with heavy rain and lightning. The storm knocks out power to your office, and although your EHR server is on an uninterruptible power supply (UPS), it does not shut down cleanly (the UPS does not carry it through to an orderly shutdown, and it loses power abruptly), and in the process the EHR database is corrupted. When power is eventually restored and the server comes back online, the EHR program reports that it cannot read the EHR database. Imagine that you have been using the EHR for 1 month and every patient you have seen is in it (go ahead and imagine you have been using it for over a year; the number of records would be even scarier). Your IT company comes in to restore the EHR database from tape and get you back up and running. When they load the backup tape, the EHR database is not on it. It turns out that the person responsible for changing the tape forgot to do it the last 2 evenings. They are able to restore the database from 2 days ago, but all the data entered in the past 2 days is lost. Think about having to recreate that data. You are using an EHR, so do you have paper notes on each patient? Probably not. The time and effort you and your staff will spend recovering from the lost data makes the $40 look cheap.
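To make the tape scenario concrete, here is an added example (mine, not the practice's, EHR vendor's or any backup vendor's code) of the two checks that would have caught it before the storm: a freshness check over the backup job log that flags any job without a recent successful run, and a restore verification that unpacks the archive and compares every file against a SHA-256 manifest taken at backup time. The log format, job names, 36-hour threshold, file names and file contents are assumptions constructed for the example; the archive is built in memory so it runs offline. Encrypting the archive is left to the backup tool, as the post describes; this code only proves that what was backed up can be read back.

```python
"""Backup freshness and restore verification (added example, not vendor code).

The log format ("<ISO timestamp> <job> <status> [detail]"), the job names
and the 36-hour threshold are assumptions for this example."""
import hashlib
import io
import tarfile
from datetime import datetime, timedelta

# Constructed sample job log: the tape job silently skipped two nights
# because nobody changed the tape, while the offsite job kept running.
SAMPLE_LOG = """\
2011-06-07T23:05:12 nightly-tape OK TAPE-MON
2011-06-08T23:05:40 nightly-tape OK TAPE-TUE
2011-06-09T23:04:58 nightly-tape SKIPPED media-unchanged
2011-06-10T23:05:03 nightly-tape SKIPPED media-unchanged
2011-06-09T02:10:11 offsite-ehr OK vendor-dc
2011-06-10T02:11:37 offsite-ehr OK vendor-dc
"""
# Assumed time at which the morning check runs.
CHECK_TIME = datetime(2011, 6, 11, 8, 0, 0)


def parse_log(log_text):
    """Yield (timestamp, job, status) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # blank or truncated line
        yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"), parts[1], parts[2]


def last_successful(log_text):
    """Map each job name to the timestamp of its most recent OK run."""
    latest = {}
    for ts, job, status in parse_log(log_text):
        if status == "OK" and ts > latest.get(job, datetime.min):
            latest[job] = ts
    return latest


def stale_jobs(log_text, expected_jobs, now, max_age=timedelta(hours=36)):
    """Return {job: hours since last OK} for every expected job whose last
    successful run is older than max_age; None means it never succeeded."""
    latest = last_successful(log_text)
    stale = {}
    for job in expected_jobs:
        if job not in latest:
            stale[job] = None
        elif now - latest[job] > max_age:
            stale[job] = round((now - latest[job]).total_seconds() / 3600, 1)
    return stale


def manifest(files):
    """SHA-256 of every file, taken at backup time: {name: hexdigest}."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def build_archive(files):
    """Pack {name: bytes} into a gzipped tar held in memory (stand-in for the
    tape or the vendor upload; confidentiality is the backup tool's job)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_restore(archive_bytes, expected):
    """Restore every member in memory and compare it with the manifest.
    Returns a sorted list of 'missing:<name>', 'corrupt:<name>' or
    'unexpected:<name>'; an empty list means the backup restores cleanly."""
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if member.name not in expected:
                problems.append("unexpected:" + member.name)
            elif digest != expected[member.name]:
                problems.append("corrupt:" + member.name)
    problems.extend("missing:" + name for name in expected if name not in seen)
    return sorted(problems)


# Constructed sample data standing in for the EHR database and its config.
EHR_FILES = {"ehr/ehr.db": b"patient rows ...", "ehr/config.ini": b"[db]\nname=ehr\n"}
EHR_MANIFEST = manifest(EHR_FILES)
GOOD_ARCHIVE = build_archive(EHR_FILES)
# The tape nobody changed: the database is absent and the config is an old copy.
BAD_ARCHIVE = build_archive({"ehr/config.ini": b"[db]\nname=old\n"})

if __name__ == "__main__":
    print("stale:", stale_jobs(SAMPLE_LOG, ["nightly-tape", "offsite-ehr", "dr-replica"], CHECK_TIME))
    print("good tape:", verify_restore(GOOD_ARCHIVE, EHR_MANIFEST))
    print("forgotten tape:", verify_restore(BAD_ARCHIVE, EHR_MANIFEST))
```

Run nightly, the first check catches the forgotten tape on the morning after the first skipped night rather than after the storm, and it also catches a job that is listed as expected but has never run at all (a disaster-recovery replica someone configured but never scheduled). The second check is the cheap version of a restore drill: restoring into a scratch directory and hashing the result is the only way to know a backup is usable, whether it is on tape or in a vendor's data center.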

HIPAA Security

The second service I urge you to consider is HIPAA Security. You are using an EHR, and all of your patient information going forward will be stored electronically. You may also have interfaces with vendors for electronic lab results, digital x-rays, ultrasounds, etc. For each patient there is a lot of electronic information that has to be protected.

Most EHR vendors do not address HIPAA security when they train employees on the new EHR. If they do, it is not in depth, and there is a good chance your employees will not understand what HIPAA requires to protect patient information.

HIPAA security is about protecting patient data in electronic format. I am recommending you sign up for a HIPAA security service not only to comply with the HIPAA regulations but to ensure that your entire staff is educated on exactly what is required to protect patient data and understands the best practices for protecting it. More importantly, HIPAA security is a defensive measure to help protect your patients and your practice against a data breach. A lost laptop or USB drive with patient information could have a serious financial impact on an organization. Imagine a data breach that costs your practice $1,500,000. If you think that number is too high, consider the regulatory fines, patient breach notification expenses, lost revenue from patients leaving the practice, IT expenses to remediate the breach, etc. Even if the expense is half that, at $750,000, it can have a significant impact on an organization. And if you are thinking that your general liability insurance policy will cover most of those expenses, you should check your coverage. Most policies do not cover HIPAA-related expenses (although there are supplemental policies that do cover HIPAA and cyber expenses).

There are many HIPAA security services on the market, but on the whole you should look to accomplish the following:

  1. Implement policies and procedures to ensure that patient information is properly protected.
  2. Perform a risk assessment to understand where you are at risk in protecting patient information and what additional security measures you should implement to better protect it.
  3. Train your entire staff on exactly what HIPAA security is, what they should be doing to protect patient data and what they should not be doing that could put patient data at risk.

HIPAA security services vary in cost, but for some real numbers, this service costs $1,750 to provide the 3 items above. (Full disclosure: HIPAA Secure Now! is a service of Entegration, Inc.)

As with the justification for offsite data backup, spending $1,750 to help protect you from fines and expenses that could run to hundreds of times that amount seems like a good investment.

Disaster Recovery

The third and final service I will urge you to consider is disaster recovery for your EHR and network.

I will start by acknowledging that the odds of a disaster are slim, yet we have seen the effects of earthquakes and tornadoes in the past few months. And disasters are not confined to natural disasters. Fires and floods occur all the time. Broken water pipes and sprinkler systems can destroy servers and computing equipment.

What exactly is disaster recovery? Simply stated, it is the ability to continue using your applications when your primary servers, network and applications are destroyed or made unavailable by some event. For a practice, disaster recovery means being able to run your EHR on another server, and reach that server, in the event of a disaster.

I wrote a detailed blog article on cheap disaster recovery which you should read. But from a high-level view, disaster recovery is:

  1. Ensuring that you have another server (or servers) in another physical location that you can use if your primary server is unavailable
  2. Copying data to the disaster recovery server(s) and keeping it up to date
  3. Establishing a method of accessing the disaster recovery server
  4. Having a detailed procedure in place, and tested, that defines exactly what is needed to bring up the disaster recovery server(s) and what your employees need to do to operate in disaster recovery mode

If you go back to the blog article I wrote on cloud-based disaster recovery, prices start at around $100/month/server. So if you need your EHR server and your domain controller available in the event of a disaster, it will cost around $200/mo.

Again let me define a scenario that helps justify the expense.

Let’s assume a water pipe bursts in the office above you and overnight hundreds of gallons of water leak onto your servers, destroying them. Everything else in your office is wet but usable. After a couple of days of cleanup you are ready to see patients, but you no longer have functional servers and no functional EHR. You can order new servers from Dell or HP, but even with overnight shipping there is a chance you will not receive them for 10-14 days. Can you go without your EHR for that long? With cloud-based disaster recovery you can be up and running in as little as 4 hours. You can even access the EHR if you need to see patients in another practice’s office while you repair your own. Again I argue that $200/month is worth the expense for the safety net and the flexibility to recover in the event of a disaster.

Summary

The 3 services I described will protect your medical practice. Each can be considered a safety net and operational insurance to protect you and to avoid events that can have a significant financial impact on your organization. Take a step back and think of how much money you just spent on your EHR. The services I recommend will cost under $5,000 the first year (and roughly half that in following years) and will help protect your investment in your EHR.

I would love to hear your thoughts and help with any questions you may have. Use the comments section below to give feedback.


Reasons to get HIPAA compliant

I read an article over at KevinMD.com called Business reasons to get compliant with HIPAA that had me nodding my head in agreement throughout. The author, Rosemarie Nelson, discusses the HIPAA Security Rule and gives some good insight. I suggest you read the full article, but some highlights include:

Most covered entities had two full years — until April 21, 2005 — to comply with these standards.

The reality is, though, that most covered entities, especially providers (read medical practices), did not comply by that date and are still not HIPAA compliant today.

From what I have seen this statement is very true. Medical providers have done a lot to implement the HIPAA Privacy Rule but not the HIPAA Security Rule. And maybe this is the reason why:

Most experts originally agreed that the HIPAA Security Rule requirements were much more extensive than the HIPAA Privacy Rule — and you know how much your practice has done to accommodate that!

To make matters worse, most medical practices covered by the Rule continue to have limited staff resources to comply with the Security Rule. And available information security consulting expertise in many communities has been and remains limited.

The combination of all of these forces has produced a very clear result: very poor information security in the healthcare industry.

Rosemarie goes on to give the hard cold facts:

HIPAA requires all healthcare CEs — that’s you! — and their BAs — that’s me, for instance! — to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

And HHS’s Office of Civil Rights (OCR) is coming to audit that compliance. The security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical, and physical safeguards.

When OCR starts doing HIPAA compliance audits on medical providers, you can’t say you haven’t been warned. It is coming, and I suspect we will see some high-profile audits at the beginning of 2011.

Her advice, which I 100% agree with, is:

What do you do? Start by doing that risk assessment first. That will let you establish a baseline scorecard against which you can begin to track your progress on compliance with the privacy and security regulations.

She goes on to give more insight into the risk assessment process and some of the fines for not complying with the HIPAA Security Rule. A very good article and a must-read for all medical practices.


Data breach of 800,000 records

South Shore Hospital in Massachusetts announced yesterday that the personal records of 800,000 individuals may be missing. The hospital sent backup tapes to a contractor for destruction. The contractor has informed the hospital that only a portion of the tapes were received and destroyed; the rest are missing.

According to the Boston Globe:

The hospital said the files contained information on patients, employees, physicians, volunteers, donors, and other business partners associated with South Shore between Jan. 1, 1996, and Jan. 6 of this year.

The files may have included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits, and other personal information.

My first reaction to this story is to ask “why weren’t the backup tapes encrypted?” On the South Shore Hospital FAQ page they answer the question:

These particular back-up computer files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted. However, specialized software, hardware, and technical knowledge and skill would be required for someone to access and decipher the information.

So we have another massive data breach that puts 800,000 individuals at risk of having their personal information compromised. If there is one lesson to take from this, it is: make sure your data backups are encrypted. Most backup software has an option to encrypt the data copied to tape. If you are not using that option, start ASAP. If your software does not support encryption, upgrade to software that does! Any data that leaves a practice should be encrypted, and the encryption key should be kept somewhere other than with the tapes; a tape that travels with its key is not encrypted in any meaningful sense. Note also the hospital’s fallback argument, that specialized software and skill would be needed to read the tapes: an obscure format is not encryption, and it does not meet the HHS encryption guidance that would have taken the incident out of breach notification. If your backups are not encrypted, it is only a matter of time before your practice is in the headlines over a data breach.

Strange days indeed

You have to admit that now is a very interesting time to be in the healthcare field. This year we saw a $1 Trillion healthcare reform bill get passed. I don’t believe anyone has a real understanding of the impact of the bill or its effects on medical practices. It seems every day more details of the bill are revealed. It will take years before we see the total impact.

Then you have the ARRA stimulus package, which provides $19 Billion in Medicare incentives to doctors who embrace the use of certified EHRs. This is a huge opportunity for medical practices to implement technology and move from paper charts to EHRs. But along with the incentives come some significant obstacles. Medical practices have to use a certified EHR, but there is no definition yet of what that means or who the exact certifying bodies are. As of today you cannot purchase an EHR that is certified and will qualify for the stimulus funds. Practices not only have to implement certified EHRs but have to use them in a way that shows “meaningful use”. Of course the exact rules for meaningful use are not known, and many argue that the rules being proposed are too rigid and the bar is too high for practices to actually show meaningful use. Taken altogether, you have a lot of medical practices that want to cash in on the ARRA stimulus incentives and implement an EHR, but uncertainty and obstacles are keeping them on the sideline. They are taking the wait-and-see approach. Some are even thinking that it may not be worth the effort to attempt to participate in the ARRA stimulus incentives.

One thing for certain is that the medical practices that are moving forward with an EHR implementation are spending a lot of money.  There is no way around it, EHRs are expensive.  The cost of the software, hardware, network, training, staff disruption and all of the other components that go into an EHR implementation all add up.  Of course the hope would be that the costs would be offset by the ARRA stimulus incentives but that is not a guarantee as I mentioned before.

At the same time as all this uncertainty around healthcare reform and the ARRA stimulus, medical practices have to contend with two major economic issues. The first is the severe recession we have been in since 2008. There is no way around it: when the economy is suffering, all businesses, including medical practices, suffer as well. I hear from my clients that patient visits are down and waiting rooms are less full. This has a significant and real impact on a medical practice’s cash flow and financial health. The second economic issue is the proposed 21% cut in Medicare payments to physicians. For at least 6 months the looming threat of a 21% cut in Medicare payments has darkened the economic sky for medical practices. Congress has postponed the cuts several times but has not permanently addressed the situation. As of today, the 21% cut has been pushed back until November 30, 2010. Along with postponing the Medicare cut, Congress has given doctors a 2.2% increase until November. Very few medical practices are rejoicing, because in December 2010 they are looking at a 23% cut in Medicare payments followed by a 30% cut in January 2011. No one really knows what the final outcome will be, or when.

On top of major financial outlays to implement EHRs and the uncertainty surrounding the economy and Medicare reimbursements, medical practices have to deal with many government regulations. As I have written about often, the looming threat of HIPAA Security audits is a real concern for medical practices. Implementing HIPAA Security usually requires skill sets that medical practices don’t have. IT security companies are needed to help with policies and procedures, vulnerability and risk assessments, and implementing new technologies such as email and laptop encryption. On top of HIPAA Security, medical practices face the “Red Flags Rule”, which requires certain entities to develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. The Red Flags Rule has been postponed several times and was to go into effect June 1, 2010. As of now the FTC has agreed to keep physicians exempt from the rule until the outcome of a lawsuit by the American Bar Association. Once again, the outcome of this regulation is unknown.

When you look at each of the issues a medical practice has to address, from healthcare reform to Medicare reimbursement cuts, they don’t seem too bad. Each one taken separately allows a medical practice to address the issue and make modifications to the way it runs its business. Unfortunately, all of the issues are happening at the same time. A medical practice has to address all of them together: major financial outlays, cuts in revenue caused by several factors, and staying abreast of and implementing the latest government regulations. All the time spent addressing these issues is time not spent seeing and treating patients.

Have other industries gone through such dramatic change in such a short period of time? The changes provide opportunities along with real negative effects. Medical practices need to be flexible and to adjust to all of these changes. Some of the changes, such as the Red Flags Rule, may never occur. But either way a medical practice needs to be prepared, needs to be informed and needs to be ready to change its business model to adjust to such dramatic changes. Strange days indeed.


Privacy breaches affect 3.4 million individuals and counting…

In this article, I posted about the U.S. Department of Health & Human Services’ (HHS) HITECH breach website. The website lists all privacy breaches affecting 500 or more individuals. I recently went back to take another look at the number of breaches. I was interested in the total number of individuals affected by privacy breaches. I exported the information into Microsoft Excel and added up each of the individual breaches to come up with a shocking 3,459,108 individuals affected.

It should be noted that most of the breaches were due to electronic data security issues but some also involved improper disposal of paper records and theft of paper records.

As I mentioned in this post – we are seeing a lot of security breaches even before the majority of health organizations make the switch from paper records to EHR.  In order for HITECH to succeed, we need a strong emphasis on patient security right now!


The upcoming patient information security disaster

I have been thinking and posting a lot about HIPAA security lately. In the meantime Entegration has been involved in a large-scale EHR implementation for one of our clients. The combination of the two activities has led me to a theory that is downright scary. I don’t claim to be Nostradamus and I can’t see the future, but I will throw out my theory anyway. I believe that the ongoing EHR gold rush will put a lot of patient information in electronic form and place it in the hands of inexperienced employees who have not been trained on proper security precautions. In addition, health organizations will think about security after the EHR implementation rather than planning it properly beforehand. Together these events will lead to a huge number of security breaches that will compromise patient information and could potentially derail the effort to modernize our health information systems.

As part of the ARRA stimulus package, many health organizations from hospitals to solo practices are pushing to implement EHRs to receive the full Medicare reimbursement per doctor. There will be a big uptick in the number of health organizations that go from paper charts to electronic health records. There will also be a big push to start using existing EHRs to comply with the “meaningful use” standards, which will require more functions and modules to be turned on within existing EHRs. In addition, more employees at health organizations will be required to use computers, tablets, laptops and other computing devices to perform their jobs. Taken together, these events mean a lot more patient information will be in electronic form and a lot more people will have access to it.

Over the years Entegration has been involved in many EHR implementations.  There seems to be a common theme that I have noticed throughout all of these implementations, and it is pretty consistent no matter who the EHR vendor is.  Employee training on the EHR is usually a quickly thrown together process where the EHR vendor sends a trainer onsite to teach a series of group classes on how to use the EHR.  These classes range from one hour to half a day depending on the employee’s job function and responsibility.  After the class is over the employee is sent on their way to start using the EHR.  The training the employee receives is usually focused specifically on how to use the EHR: how to navigate screens, perform functions, etc.  Rarely have I seen training that includes a security overview that discusses protecting patient information on laptops, sending patient information via email, password complexity, etc.

Furthermore, many health organizations that go from paper charts to EHRs also go from simple computer networks to much more complex networks that are required for the EHR.  In the process of implementing the EHR a large amount of computer equipment has to be purchased and installed including servers, desktops, tablets, printers, upgraded Internet connections and various other equipment.  Unfortunately most health organizations that go from paper charts to EHRs do not go through a formal security review prior to the implementation.  These organizations most likely will not concern themselves with the HIPAA Security Rule because before the EHR they don’t have a lot of electronic protected health information (EPHI).  So most likely the organization will have very few if any security policies and procedures. They will probably not go through a formal risk assessment and will not perform vulnerability scans on the newly created complex network.  Employees will not go through training sessions that discuss protecting newly formed EPHI.

What you will have is a lot of health organizations that start putting patient information into EHRs that are used by employees without proper security training.  You will have health organizations that have newly created complex networks without proper security policies and procedures.  These complex networks will not have the proper vulnerability assessments.  Employees will not be trained on best security practices for protecting patient information on laptops and portable devices, for sending EPHI via email, or for using complex passwords.  The networks will not have the proper auditing in place that monitors the event logs to determine if information has been accessed by unauthorized personnel, whether internal employees or external entities.  Data will most likely be backed up, but full Disaster Recovery technologies and procedures will probably not be in place.
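The auditing described above means actually reviewing EHR access logs, not just collecting them.  The following added example (not code from the original post) runs two simple checks over constructed audit-log lines: a user opening a chart for a patient they have no treatment relationship with, and chart access outside the clinic’s working hours.  The log format, user and patient identifiers, care-team mapping and clinic hours are all assumptions made up for this example.

```python
# Added example: review constructed EHR audit-log lines for accesses that
# merit follow-up. Log format, identifiers, care-team mapping and clinic
# hours are assumptions invented for this example, not any vendor's format.
from datetime import datetime, time

# Constructed sample audit log: timestamp, user, action, patient id.
AUDIT_LOG = """\
2010-06-14T09:12:03 jsmith VIEW_CHART P1001
2010-06-14T09:40:51 jsmith VIEW_CHART P1002
2010-06-14T23:05:17 jsmith VIEW_CHART P1003
2010-06-14T10:02:44 mlee VIEW_CHART P1001
2010-06-14T10:15:00 mlee PRINT_CHART P1001
2010-06-14T11:00:00 rdavis VIEW_CHART P1002
"""

# Constructed care-team mapping: which users have a treatment relationship
# with which patients. In a real EHR this would come from scheduling or
# encounter data rather than a hard-coded table.
CARE_TEAM = {
    "P1001": {"jsmith", "mlee"},
    "P1002": {"jsmith"},
    "P1003": {"rdavis"},
}

WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed clinic hours


def parse_log(text):
    """Parse the constructed log into (timestamp, user, action, patient) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def find_suspicious(events, care_team, start=WORK_START, end=WORK_END):
    """Return one (user, patient, reason) tuple per policy check that fails."""
    findings = []
    for ts, user, action, patient in events:
        if user not in care_team.get(patient, set()):
            findings.append((user, patient, "no treatment relationship"))
        if not (start <= ts.time() <= end):
            findings.append((user, patient, "outside working hours"))
    return findings


if __name__ == "__main__":
    for user, patient, reason in find_suspicious(parse_log(AUDIT_LOG), CARE_TEAM):
        print(f"REVIEW: {user} accessed {patient}: {reason}")
```

A real review would also pull in terminations and role changes, but even these two checks turn a pile of event logs into a short list a practice manager can act on.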

We have seen a large number of security breaches so far in 2010.  It seems like every week we hear about more and more patient information that has been compromised.  This is happening already, even before the big push by a majority of health organizations to implement EHRs.  When all the forces come together, will we see the flood gates open and patient information be compromised and data breaches occurring at an alarming rate?  If this does occur, will patients lose trust in their doctors and the use of EHRs?  I don’t know the answers to these questions, but if my theory is correct we will see a major occurrence of patient information data breaches that will put patients’ information in jeopardy and could potentially damage the effort to modernize our health information systems.


OCR Guidance on Risk Analysis

In this article I discussed that the Office for Civil Rights (OCR) is getting ready to begin HIPAA Security Audits. The audits should begin by the end of this year.  In an interview with Susan McAndrew, OCR’s deputy director for privacy, she mentions the importance of performing a Risk Assessment.

OCR has published a paper called:

HIPAA Security Standards: Guidance on Risk Analysis

Below are some highlights from the paper.

We begin the series with the risk analysis requirement in § 164.308(a)(1)(ii)(A). Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:
  • Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?
  • What are the human, natural, and environmental threats to information systems that contain e-PHI?

Organizations should use the information gleaned from their risk analysis as they, for example:

  • Design appropriate personnel screening processes. (45 C.F.R. §164.308(a)(3)(ii)(B).)
  • Identify what data to backup and how. (45 C.F.R. § 164.308(a)(7)(ii)(A).)
  • Decide whether and how to use encryption. (45 C.F.R. §§ 164.312(a)(2)(iv) and (e)(2)(ii).)
  • Address what data must be authenticated in particular situations to protect data integrity. (45 C.F.R. § 164.312(c)(2).)
  • Determine the appropriate manner of protecting health information transmissions. (45 C.F.R. § 164.312(e)(1).)

I encourage you to read the full paper to get a good overview of how OCR believes a Risk Assessment should be conducted.


Sometimes nothing can prevent a data breach

There are many things that you can do to protect patient information.  You can put in place security policies and procedures, ensure that you do a thorough risk assessment, implement data encryption, educate your staff, etc.  But sometimes nothing you can do can prevent a data breach from occurring.

As reported here, a laptop used by a hospice employee was stolen while in use at a patient’s house.  The laptop was encrypted, which normally would be a safe harbor and would exclude the need to notify patients of the data breach.  In this case the laptop was already turned on and in use, so the data encryption key/password had already been entered and the information on the laptop could be accessed.  In other words, because the employee had logged in with the correct password, all the data on the laptop was unencrypted.  As long as the laptop remained powered on and in use, the data could be accessed without the need for the encryption password.  Once powered off, the laptop would then require the correct encryption password to access the information.

Rainbow Hospice and Palliative Care notified patients because the laptop contained patient names, addresses, social security numbers, insurance information, medications, treatments and diagnoses.

I would guess that Rainbow Hospice and Palliative Care had security policies and procedures in place.  They had already gone through the effort of ensuring that the laptop was encrypted.  They had to have trained the employee on how to access the encrypted information and probably went over best security practices to protect their patients’ information.  With all these efforts they still face a data breach.

In no way should anyone read this and think that implementing security is a waste of time and effort.  Taking the steps to protect patient information is the right thing to do and it will go a long way to protect and prevent you from facing a data breach.  But sometimes no matter what you do, you could still face the negative consequences of a data breach.
