Thanks to HHS, we now know what "unsecured protected health information" means. So where do we go from here?
If you're leading an organization that handles protected health information (PHI), you may be asking that question today.
As HealthLeaders Media reported Tuesday, HHS issued a proposal for security breach notification in a 20-page report that defines acceptable conditions for covered entities and business associates to encrypt or destroy their private patient data to secure PHI and prevent a breach.
The guidance includes the technologies and methods specified by the secretary of HHS that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals."
In other words, if the data is not protected by these methods and technologies, it could be considered "unsecured PHI."
Time to go out and buy the latest encryption software, right? Not quite.
With its draft guidance, HHS really did no more than point to the NIST data encryption standards, which government regulators had endorsed long before the draft guidance was released last week, says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR.
To that end, check whether your organization is already in compliance and using government-approved encryption methods for information flowing out of your network.
Further, covered entities and business associates are not required to follow the guidance. HHS says the guidance merely creates a "safe harbor" that protects covered entities and business associates from notification requirements when a security breach occurs.
After a public comment period, which ends May 21, the final guidance will be released by August 17, according to the ARRA.
And there will be comments, says Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, of Rebecca Herold & Associates, LLC, of Des Moines, IA.
"I think there are going to be changes as far as the way to secure PHI," Herold says. "They provided basically two methods (encryption and destruction), which are both important and good. But I think there may need to be additional methods that go beyond those two."
Here's what else you can take away from the HHS draft guidance:
Consider destruction as well as encryption. "It is important to render disposed PHI, in all forms, irreversibly destroyed as well," Herold says. "The statement, 'Note that the technologies and methodologies referenced … are intended to be exhaustive and not merely illustrative' is interesting; this makes it important for all information security and privacy folks who see gaps with these methods to submit feedback and comments during this review period."
Covered entities and their business associates must understand that these requirements apply not only to electronic PHI, but also to PHI in other forms, such as paper.
Look for further specifications of encryption. As Apgar points out, HHS did not specify the level of encryption needed to make data secure. "As an example, if data is encrypted using 128-bit encryption, it is not necessarily 'unsecured' given 128-bit encryption has been broken."
Consult with your IT specialists. Several of the documents recommended by HHS are "very technical in their contents describing various aspects of information systems to include their architecture and on how data are stored, organized, and transferred within an information system," says Frank Ruelas, MBA, the creator of www.hipaabootcamp.com who is based out of Scottsdale, AZ.
What are the legal implications of the guidance? If the guidance were to be final today, how would covered entities and business associates be legally bound? After all, no one is forced to follow it; HHS merely calls it the "functional equivalent of a safe harbor," which reminds John R. Christiansen, of Seattle's Christiansen IT Law, of the European Union data protection or anti-kickback safe harbors. "The most important implication of this is that following the guidance should protect against civil penalty actions by HHS, which published the guidance and therefore is bound by it," he says. "The fact that it is not 100% binding on the courts probably shouldn't matter."
So where do you go from here? Backward to look at your encryption methods. And forward to consider commenting on the HHS draft guidance.
Kaiser Permanente has come up with a system that allows its members to store health information on a USB flash drive that they can carry with them on business trips and vacations. For $5, Kaiser members can get a thumb-sized digital memory device that contains an accurate, up-to-date summary of their health information in a format that virtually any doctor with a computer can read. To safeguard patient privacy, the drive is encrypted and password protected. The information cannot be changed by either the member or the doctor, but patients can get their devices updated for free.
Yesterday's internal Food and Drug Administration meeting was routine and not specifically focused on its troubled device review process as suspected, according to an agency spokesperson.
"[It] was a staff meeting within the Office of Device Evaluation (ODE) at the FDA's Center for Device and Radiological Health," said FDA spokesperson Peper Long. "The director of ODE holds these with her staff as many other staff directors in other agencies and businesses do from time to time."
Premonitions about a more focused meeting are not unfounded. In January, the U.S. Government Accountability Office recommended that the FDA take another look at the safety and effectiveness of a number of already approved class III devices. These devices ranged from pacemaker programmers to a spinal screw system. (A complete list of these devices is available on the FDA's Web site.)
The FDA divides medical devices into three categories; class III categories carry the most risk for patients.
Medical staffs are still waiting to see how the FDA's review process will evolve as a result of the GAO report. Critics say it's too soft, yet hospitals see FDA approval as a safety gold stamp when approving new technologies and granting practitioner privileges to use them.
Despite the current review, hospitals should remain confident that the devices they're using have been well-reviewed by the agency, says one trade group. "The FDA has an unparalleled record in the review of medical technology and that's why it's a model for other governments as they go about their process," said Wanda Moebius, vice president for policy and communication at AdvaMed [www.advamed.org], the trade association for advanced medical technology. "I think that if there are concerns to be addressed, they are concerns of resources and we support a well-resourced FDA."
In the meantime, hospitals and other facilities that use any of the devices under review should continue to report adverse events to the FDA, says Long.
When Deb Howard, 42, of Kingwood, TX was discharged from the military in 1992, she was given eight years' worth of her paper medical records in two tattered and worn-out folders. And although the records include valuable health information, including every illness with which she had been diagnosed and every drug she had been prescribed during her military career, she says she has no idea where those records are now.
Upon retirement, Howard's husband, a 24-year military veteran, was also given his paper medical record, much of which was illegible and incomplete, Howard says. She says she has watched him carry those records from appointment to appointment ever since.
That's because currently there is no comprehensive system in place that allows for a streamlined transition of healthcare records between the Department of Defense (DoD) and the Department of Veterans Affairs (VA).
Like many other veterans, Howard and her husband must recall in detail their medical histories or simply carry paper medical records to their civilian doctors.
Sounds a bit archaic, right? This process seems especially ineffective, given the often long-term effects of diseases and injuries that veterans acquire or sustain during the course of their careers.
And it's also inefficient. "It's about avoiding unnecessary duplication and wasting valuable time," says Margret Amatayakul, RHIA, CHPS, CPEHR, CPHIT, FHIMSS, president of Margret A. Consulting, LLC, in Schaumburg, IL. "If one provider asks a patient about his or her condition and treatment to date, why shouldn't the next provider have that information?"
When patients must verbally repeat information about their own medical history, providers run the risk of receiving incomplete or inaccurate information on which they could base a potentially harmful decision.
But all of this may soon change as the DoD and VA begin to work together to create a new joint virtual lifetime electronic record that will track veterans' health information from the day they enter the military, throughout their military career, and even after retirement.
The project is a step in the right direction, given the national push for EHRs and interoperability under the American Recovery and Reinvestment Act of 2009. Securely sharing information is the wave of the future, and it will most likely foster more efficient, effective, and personalized patient care than we can imagine today.
"When a member of the armed forces separates from the military, he or she will no longer have to walk paperwork from a [Defense Department] duty station to a local VA health center," President Barack Obama said in the article. "Their electronic records will transition along with them and remain with them forever."
The need for a more streamlined process is critical in terms of patient care and research into new ways to afford active protection and treatment, says Amatayakul. "Hopefully, it should go a long way to solving the problem, although some veterans are treated in private hospitals, which may be more challenging to integrate."
However, universal integration is what will truly make a difference in veterans' lives and healthcare, says Joe Cruz, a healthcare technology consultant in Chesterfield, MO. "Unless you enable universal exchange of data, then you will still be missing critical pieces of that military member's chart from when they were seen or provided care at a commercially contracted hospital or private physician," he says.
The DoD contracts out much of its healthcare to private hospitals when its own facilities are either too remote or when the patient volumes do not justify providing certain services, Cruz says. The ideal goal of the project should be to devise a truly interoperable longitudinal record that can accept data from and send data to disparate systems, including a DoD facility, VA hospital, contracted commercial hospital, or TRICARE contracted private physician's office, he adds.
Howard admits that having a centralized record would ease the burden of having to carry paper information to appointments or recall years' worth of personal health information. "The bottom line is that if all your information was located in one place at the touch of your fingertips in any doctor's office across the country, I think your individual care would be better," she says.
The joint virtual lifetime electronic record will hopefully serve as a model for a national EHR system, Amatayakul says. For now, the DoD and VA are logical agencies with which to begin the process because they are both under the federal government's jurisdiction and are mandated to adopt electronic records, she adds.
The White House has not yet released details of how the DoD and VA will achieve a lifetime electronic record; however, the administration has stated that the project is part of an overall increase in funding for the VA that includes $25 billion over the next five years to honor the nation's veterans and expand the services they receive.
Lisa Eramo, CPC is a senior managing editor in the health information management division of HCPro, Inc. She is located in Rhode Island and writes content for the company's flagship newsletter, Medical Records Briefing. Contact her at leramo@hcpro.com.
As part of an ongoing investigation, the U.S. Defense Department is currently searching the Siemens Medical Solutions office near Philadelphia. The nature of the investigation has not been made public. It is known, however, that in recent weeks, Siemens received a $267 million contract with the Defense Department to sell medical imaging equipment to the military.
Quest Diagnostics Inc., and its subsidiary Nichols Institute Diagnostics (NID), entered into a global settlement with the U.S. government that includes a $40 million criminal fine and a $262 million fine to resolve False Claims Act allegations.
NID pleaded guilty to charges of felony misbranding of one of its products, a test called Nichols Advantage Chemiluminescence Intact Parathyroid Hormone Immunoassay. Laboratories use the test to measure parathyroid hormone (PTH) levels in patients. According to the U.S. Department of Justice (DOJ) press release, the tests provided elevated results that led to unnecessary medical treatments for patients who were thought to have high levels of PTH.
The DOJ asserts NID manufactured, marketed, and sold the test kits despite knowing they produced inaccurate and unreliable results. Along with the settlement, Quest also entered into a corporate integrity agreement (CIA) with the OIG.
The April 15 settlement comes nearly five years after whistleblower Thomas Cantor filed a qui tam suit. Cantor will receive a $45 million share of the settlement.
Cantor's determination was key in bringing this False Claims Act case to a settlement, says Norm Werner, FACHE, corporate compliance director for Continuum Health Partners in New York.
"This was years in the making," he says. "Cantor really persevered."
It all started when Cantor found a dramatic increase in parathyroidectomies after laboratories began using NID's test kits. Physicians performed the surgeries because the test kits led them to believe they were necessary, Werner says.
With the government consistently cracking down on healthcare fraud and abuse, this large settlement is a significant victory, he says.
"This will definitely be a deterrent going forward," he says.
The CIA should also help in preventing future similar cases. "Now they have to be that much more compliant by having to adhere to the CIA," Werner says.