There's one message Dena Boggan, CPC, CMC, CCP, a privacy and security officer in Mississippi, wants to get across during her HIPAA training: "I tell my employees if they don't remember anything else about HIPAA, remember this -- only access that information which you need to do your job. Period. I tell them if they follow that one simple rule, they'll do just fine."
Some healthcare employees just can't help themselves lately, especially when high-profile patients occupy their hospital beds.
Two hospitals have fired employees over the past month because they determined they inappropriately accessed patient records. In other words, the employees snooped around – and not for reasons related to treatment, payment, or healthcare operations – the three pillars upon which HIPAA allows healthcare workers to look at patient records.
Last month, University Medical Center in Tucson fired three clinical support staff members and a contracted nurse for "inappropriately accessing confidential medical records," the hospital reported on its website.
The records were related to the shootings at a Tucson supermarket that killed six and wounded 13 -- including U.S. Rep. Gabrielle Giffords (D-AZ).
This month, the University of Iowa Hospitals and Clinics in Iowa City fired three employees and placed another two on unpaid leave after the hospital learned they inappropriately accessed the electronic medical records of 13 University of Iowa football players.
The fallout is simple: People lost jobs, hospitals' reputations took hits, and the healthcare industry as a whole gets another demerit for lack of privacy controls. The best thing hospitals can do in these situations is learn from it. And that's what Boggan does.
The HIPAA compliance officer at St. Dominic Jackson Memorial Hospital in Jackson, MS, calls the latest snooping incidents "great training tools in the form of reminders. It also gets our employees thinking about the consequences of snooping in records, so we roll these out in our weekly HIPAA tips to all employees, as well as our physicians."
Nancy Davis, the privacy/security officer for Ministry Health Care in Sturgeon Bay, WI, feels the same.
"When these types of stories are published, we unofficially circulate (in-house) and privacy and security networking groups," Davis says. "We will also use this as an example in our next quarterly staff update."
The one fight trainers will always lose is the battle against curiosity. People want to nose into other people's business, especially when it comes to high-profile cases like the ones in Arizona and Iowa. Sometimes, they even get paid for that information.
The good news is hospitals are beginning to crack down. Last May, Huping Zhou, 47, of Los Angeles became the first person sentenced to prison for misdemeanor HIPAA offenses for accessing confidential records without a valid reason or authorization, according to the U.S. Attorney's Office in the Central District of California.
United States Magistrate Judge Andrew J. Wistrich sentenced Zhou, a former UCLA Healthcare System employee who admitted snooping at patients' records, to four months in prison.
A federal judge on October 26, 2009, sentenced a doctor and two former hospital employees to a year's probation; they admitted to snooping at the records of Little Rock, AR, TV reporter Anne Pressly, who was murdered. Pressly was found severely beaten in her Little Rock home on October 20, 2008, and died five days later.
Back then, U.S. Attorney Jane Duke said in a statement she hoped the Little Rock snooping sentencings "send the message that the HIPAA protections apply to every person in the community, regardless of their position or stature. Likewise, the penalties for violating HIPAA apply equally to every person with access to protected health information."
The bottom line, Boggan says, is HIPAA and HITECH regulations are "serious business, and there for a reason. It amazes me how this continues to be a problem, but it is human nature to be curious about things of which we have no business."
Another state attorney general is using new enforcement powers granted by HITECH – again, at the expense of Health Net, Inc.
Health insurance giant Health Net has been fined by the state of Vermont over the insurer's loss of a portable disk drive that exposed the protected health information (PHI) of 1.5 million people, including 525 Vermonters.
This is the second HIPAA enforcement action of its kind since HITECH in February 2009 granted state attorneys general HIPAA enforcement authority. Connecticut's AG was first.
Health Net discovered the drive was missing May 14 but did not start notifying affected Vermont residents until more than six months later, the state AG's office reported in a press release.
Attorney General William Sorrell's January 14 complaint against Health Net, Inc., and Health Net of the Northeast, Inc. charges the insurer with violations of HIPAA, Vermont's Security Breach Notice Act, and the Consumer Fraud Act.
The settlement also calls for Health Net to submit to a data-security audit and file reports with Vermont regarding its information security programs for the next two years.
"Consumers expect—and the law requires—that personal information be treated with the utmost care," Sorrell said in a statement. "Identity theft remains one of the fastest growing crimes in America. Companies must be careful to prevent Vermonters' sensitive information, especially their medical records, from falling into the wrong hands."
Health Net told HealthLeaders Media in a statement that "protecting the privacy of our members is extremely important to us."
"Health Net has worked closely and cooperatively with the Vermont Attorney General," according to the statement, "and we have agreed to the terms contained in the agreement filed with the court to resolve this matter, which occurred in 2009."
To date, Health Net has no evidence that there has been any attempt to access or misuse the data, the company said in the statement.
The lawsuit is Vermont's first enforcement action under the Security Breach Notice Act. Included in the portable hard drive were PHI, social security numbers and financial information.
The complaint filed January 14 says Health Net's six-month delay in notifying Vermont residents violates the Security Breach Notice Act. That law requires data collectors to notify affected individuals of security breaches "in the most expedient time possible and without unreasonable delay."
The complaint also alleges that Health Net violated HIPAA by failing to secure PHI and breached the Consumer Fraud Act by misrepresenting the risk posed to affected individuals in the company's notice letters.
The complaint and proposed consent decree were filed in the U.S. District Court for the District of Vermont. The consent decree must be approved by a judge before it takes effect.
"Health Net has taken significant steps to assure that our members are protected," Health Net says. "We have offered two years of free credit monitoring services for all impacted members who elect this service. This service also includes $1 million of identity theft insurance coverage, as well as fraud resolution and credit and identity restoration services at no cost to the members."
Health Net not only settled with the Connecticut state attorney general's office (for $250,000) but also with the Connecticut Insurance Commission, which reached a settlement with Health Net in which the insurer had to pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.
The number of entities reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals has hit 225. The OCR breach notification website on which they are listed was born out of HITECH and has been live since February 2010.
OCR says the breach reports date back to September 2009, so OCR has been accepting the reports for about 17 months. That amounts to about 13 reports filed per month, or 0.44 per day.
The OCR breach notification website also reports the following numbers:
10 -- Number of reports affecting more than 100,000 individuals, or 4.4 percent of the total number of breaches
4 -- Number of reports affecting between 50,000 and 99,999 individuals
6 -- Number of reports affecting between 25,000 and 49,999 individuals
27 -- Number of reports affecting between 10,000 and 24,999 individuals
61 -- Number of reports that involve a laptop, or 27.1 percent
HITECH's breach notification interim final rule is still in effect. OCR was close to signing off on a final rule before it pulled the rule back from the Office of Management and Budget (OMB) for further review.
The interim final rule requires:
Notice to patients alerting them to breaches “without unreasonable delay,” but no later than 60 days after discovery of the breach
Notice to covered entities (CE) by business associates (BA) when BAs discover a breach
Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
Notice to next of kin about breaches involving patients who are deceased
Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE’s response
Annual notice to the secretary of HHS 60 days after the end of the calendar year about unsecured PHI breaches involving fewer than 500 patient records
University Medical Center in Tucson has fired three clinical support staff members and a contracted nurse for "inappropriately accessing confidential medical records," the hospital reported on its website Wednesday.
The records were related to Saturday's shootings at a Tucson supermarket that killed six and wounded 13 -- including U.S. Rep. Gabrielle Giffords (D-AZ).
"We are not aware of any confidential patient information being released publicly," the hospital said in a statement.
This isn't the first snooper fired in the past year.
Mayo Clinic fired an employee who worked in a business center in Arizona for accessing nearly 2,000 patient medical and financial records over a four-year period, the Post-Bulletin of Rochester, MN, reported in September. The employee's access rights covered all Mayo Clinic patient records at all Mayo sites.
Officials discovered the breach in mid-July. They did not release the name of the healthcare worker.
"This activity took place between 2006 and 2010. An internal investigation was immediately launched. Following a thorough review of the facts, the person was fired," according to a Mayo statement.
Some facilities use "honeypots" as bait to catch snooping staff members who are in violation of HIPAA. "Honeypots," also referred to as "honeynuts," are fictitious medical records that IT monitors to determine if anyone is accessing them.
The terms honeypots and honeynuts derive from the notion that if you want to catch birds, you scatter birdseed. Use these tips regarding honeypots to catch snoopers and respond accordingly:
Gain executive sponsorship. "Using a honeypot implicitly communicates we don't trust our staff, even though we know that insider snooping is by far the most common cause of privacy or security breaches," John R. Christiansen, founder of Christiansen IT Law in Seattle, says. You need to have executive sponsorship willing to back you in the event that the use of honeypots results in controversy.
Get HR buy-in. HR must be looped in to ensure that it will take appropriate action if you catch someone accessing records inappropriately, Christiansen says, adding that "legal counsel should vet the whole program to make sure legal risks are avoided."
Conduct a risk assessment of your systems and equipment. Then create records for five media-centric personalities, making them as real as possible. Don't be too obvious. For instance, Madonna would probably not end up in a central Montana facility.
Beware of entrapment. Honeypots are analogous to entrapment; they're bait that wouldn't work if someone wasn't predisposed to snooping, Christiansen says, because, as W.C. Fields said, "You can't cheat an honest man." Organizations should be certain that staff members know about policies that prohibit snooping and that system configuration prevents accidental access.
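The honeypot approach above only works if someone is actually watching the access audit trail for the decoy charts. The following is an added example, not code from the article or from any of the organizations it quotes, of the monitoring side: it reads an EHR access audit log, flags every account that opened a decoy record, and rolls the hits up into one alert per user for the privacy officer to review. The log format, the decoy medical record numbers (MRNs), the exempt monitoring account, and the sample audit lines are all constructed for illustration.

```python
"""Honeypot-record access detection over an EHR access audit log.

Added example (not from the article). The CSV audit format, the decoy
MRNs, the exempt service account and the sample log lines are constructed.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed decoy ("honeypot") charts. In practice these are the fictitious
# records created by the privacy office; they are never linked to a real patient
# and no legitimate workflow should ever route a user to them.
HONEYPOT_MRNS = {"MRN-900001", "MRN-900002", "MRN-900003"}

# Accounts permitted to touch decoy charts, e.g. the job that checks the
# records still exist. Everything else opening a decoy is a snooping candidate.
EXEMPT_USERS = {"svc_audit_monitor"}

# Constructed sample audit log: timestamp,user,role,mrn,action
SAMPLE_LOG = """\
timestamp,user,role,mrn,action
2011-02-01T08:02:11,jsmith,nurse,MRN-100234,view_chart
2011-02-01T08:05:40,svc_audit_monitor,service,MRN-900001,integrity_check
2011-02-01T09:14:02,tjones,billing,MRN-900002,view_chart
2011-02-01T09:14:37,tjones,billing,MRN-900002,view_labs
2011-02-01T12:30:00,rlee,clerk,MRN-100777,view_demographics
2011-02-02T17:45:12,tjones,billing,MRN-900001,view_chart
"""


def parse_audit_log(text):
    """Parse the CSV audit export into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_honeypot_hits(events, honeypots=HONEYPOT_MRNS, exempt=EXEMPT_USERS):
    """Group every non-exempt access to a decoy record by the user who made it."""
    hits = defaultdict(list)
    for event in events:
        if event["mrn"] in honeypots and event["user"] not in exempt:
            hits[event["user"]].append(event)
    return dict(hits)


def build_alerts(hits):
    """Turn per-user hits into one review item each: which decoys, how often, when."""
    alerts = []
    for user, events in sorted(hits.items()):
        times = sorted(datetime.fromisoformat(e["timestamp"]) for e in events)
        alerts.append({
            "user": user,
            "role": events[0]["role"],
            "decoy_records": sorted({e["mrn"] for e in events}),
            "access_count": len(events),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
        })
    return alerts


def scan(text=SAMPLE_LOG):
    """Run the full pipeline: parse, match against decoys, summarise per user."""
    return build_alerts(find_honeypot_hits(parse_audit_log(text)))


if __name__ == "__main__":
    for alert in scan():
        print(f"{alert['user']} ({alert['role']}): {alert['access_count']} access(es) "
              f"to {', '.join(alert['decoy_records'])} between "
              f"{alert['first_seen']} and {alert['last_seen']}")
```

Run against the constructed log, the only alert is for the billing user, who opened two different decoy charts on two days; the nurse, the clerk and the monitoring service account produce nothing. Keeping the exempt list short and reviewed is part of the "system configuration prevents accidental access" point above: if a decoy ever shows up in a legitimate worklist or search result, the alerts stop meaning anything.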
The deadline for the final rule on modifications to the HIPAA privacy, security, and enforcement rules is March, the Department of Health and Human Services (HHS) writes in its semi-annual regulatory update, published last month in the Federal Register.
This is the most specific timeline federal officials have given regarding HIPAA and HITECH rules in limbo.
In December, a senior official with the Office for Civil Rights (OCR) said the HIPAA privacy and security rule enforcer plans to release final rules regarding HITECH and HIPAA "in 2011."
Adam H. Greene, senior health information technology and privacy specialist at OCR, told an audience at the "2010 ONC Update" that he did not know a specific time of 2011 the rules would be released but added they would be published "contemporaneously." OCR's intention is to avoid staggering compliance dates.
The rules to which Greene alluded are:
Breach notification
Enforcement
HIPAA HITECH (modifications to privacy and security rules)
Greene also said a proposed rule on accounting of disclosures of EHRs will be released in 2011. HITECH calls for OCR to expand the HIPAA accounting disclosures provision to add treatment, payment, and healthcare operations disclosures when they're through an EHR. HITECH calls on the HHS secretary to balance the interest of individuals who want to learn the information versus the burden on covered entities.
What is on the holiday wish list for privacy and security officers?
According to a recent Ponemon Institute study on data security, it's more staff, more time, and more resources to protect patient privacy.
Of the 65 hospitals surveyed, most in the 100- to 600-bed range, 71% said they have inadequate resources to prevent and quickly detect patient data loss. We caught up with some privacy and security officers ourselves to see what they're hoping for this holiday season:
1. No breaches. "[I want] to have no breach incidents so I don't have to face an OCR audit," says Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer at St. Dominic Jackson Memorial Hospital in Jackson, MS.
Too bad wishes aren't retroactive. 2010 saw a few data breach whoppers. In September, Lucile Salter Packard Children's Hospital at Stanford University was fined $250,000 by California health officials for failing to report within five days a breach of 532 patient medical records in connection with the apparent theft of a hospital computer by an employee.
In October, a computer flash drive containing the names, addresses, and personal health information of 280,000 people went missing, one of the largest recent security breaches of personal health data in the nation.
And in November the Connecticut Insurance Commission announced a settlement with Health Net in which the insurer agreed to pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.
2. More time. "I wish for more time to study the regulations in depth so that I am at my 'knowledgeable best' when discussing and training [on HIPAA issues]," says Boggan.
3. More staff. Boggan says she would like more staff, which she hopes would translate to fewer work hours. "An elf to help me magically finish all of my work in a goodly timeframe would be a Christmas miracle!" says Brandon Ho, CIPP, HIPAA compliance specialist for the Pacific Regional Medical Command based at Tripler Medical Center in Honolulu.
4. Employees who follow the HIPAA rules. Boggan says she wishes for employees to access only that information they need to do their jobs. "It's a no-brainer, but you'd be amazed at what hits the audit reports," she says. She hopes to never receive another e-mail notification stating that a user has triggered an exception in the hospital's auditing system.
A former UCLA Healthcare System employee who admitted to illegally reading private and confidential medical records, mostly from celebrities and other high-profile patients, was sentenced to prison in April.
Debra A. Mikels, OTR/L, says she wishes for the day when safeguarding confidential information becomes embedded in staff members' daily work and is not something that is thought of as something "extra."
And how to make that happen? Mikels, corporate manager, confidentiality, at Partners HealthCare, the Boston-area healthcare system, is also wishing for the continued promotion of best practices and lessons learned with respect to safeguarding that confidential information.
5. A smooth road to reach the era of the total EHR. "I wish that the meaningful use journey to total EHR becomes less cumbersome as time goes on," says Boggan.
Nancy Davis, MS, RHIA, privacy/security officer at Ministry Health Care in Sturgeon Bay, WI, says technology can give patients better access to their medical records. She wishes for patient portals interfaced with patient personal health records (PHR), giving patients access to the information they need to manage their health.
6. Foolproof encryption processes. "I wish we would just go ahead and effectively implement a data encryption program that meets the HITECH Act criteria," says Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix and principal, HIPAA College, in Casa Grande, AZ.
That would eliminate worries for privacy and security officers about seeing their facility's name on the OCR website for breaches, on the front page of the local paper, or as a lead story on the local television news report, he says.
Encrypted portable devices would also save headaches, says Davis, "so when they are lost or stolen there is no threat of PHI disclosure."
7. Safe use of social networking websites. "I wish all social networking sites were equipped with tools that prevented anyone from posting any patient-related information," says Ruelas. That would help mitigate people being surprised by "stuff" that originates from these sites, he says.
8. More safeguards to protect PHI. "I hope that technology continues to be enhanced to support patient privacy," says Mikels. "This should be meaningful and non-burdensome to the user, and should support patient care and safety."
Ruelas says he would deactivate any and all USB port functions which allow data to be downloaded and subsequently taken offsite in an unauthorized manner.
"These handy little devices, with all their storage capability, can create big issues," Ruelas says.
Ponemon's "Benchmark Study on Patient Privacy and Data Security" may be viewed here.
President Obama on Saturday signed the bill that changes the Red Flags Rule's definition of "creditor" and relieves some physicians of having to comply with the Federal Trade Commission's identity theft prevention law.
Earlier in the month, the House and Senate passed the bill, officially titled "Red Flag Program Clarification Act of 2010."
The enforcement date for the Red Flags Rule is Dec. 31, 2010. The FTC said earlier this year on its website that it delayed enforcement at the request of Congress as it "considers legislation that would affect the scope of entities covered by the rule." Compliance date was November 1, 2008.
Red Flags calls for "creditors" to establish a program to protect patients from medical identity theft.
The bill calls for changes to the FTC's definition of "creditor." Smaller entities such as physician practices and doctor's offices have long argued that they should be let off the hook from complying. Some have filed lawsuits.
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP, says the law doesn't actually "remove physicians from the Red Flags Rule." It clarifies in a reasonable way, he says, what a "creditor" is.
"I think the FTC went way overboard with their definition of 'creditor' including anyone who takes payment after providing the service," Drummond says. "Taken to its logical extreme, McDonald's and Burger King are not creditors, but Chili's is. So, it's a good change to rein in an overbroad regulatory agency."
Some physicians will still be creditors; plastic surgeons and lasik surgeons, for example, if they take payments over time from their patients.
Drummond adds that it's not that hard to establish an identity theft prevention program, as the Red Flags Rule requires; doctors have to have HIPAA programs in place anyway.
"It's just good practice, and good customer service, to have an ID theft prevention program in place," Drummond says. "So, even if you don't have to, you ought to."
The Senate and House have each passed a bill that changes the Red Flags Rule's definition of "creditor" and relieves doctors of complying with the Federal Trade Commission's identity theft prevention law.
The House Tuesday passed the bill—"Red Flag Program Clarification Act of 2010"—less than a week after the Senate approved the bill.
The enforcement date for the rule is Dec. 31, 2010. The FTC said earlier this year on its website that it delayed enforcement at the request of Congress as it "considers legislation that would affect the scope of entities covered by the rule." Compliance date was November 1, 2008.
And now, that very legislation passed this week only awaits a signature from President Obama before becoming law.
The bill calls for changes to the FTC's definition of "creditor." Smaller entities such as physician practices and doctor's offices have long argued that they should be let off the hook from complying. Some have filed lawsuits.
Representative John Adler, D-NJ, said in the House debate Tuesday that the purpose of the Red Flag Program Clarification Act "is to limit the type of creditor that must be covered by the FTC's Red Flags Rule."
"When I think of the word 'creditor,' dentists, accounting firms, and law firms do not come to mind," Adler said.
However, he said, the Red Flags Rule as written now requires these types of professions and others to comply.
The FTC "broadly interpreted" creditors to include any business that allows clients to establish a payment plan in exchange for their services rendered, said Rep. Paul Broun, R-GA. This swept in "many businesses that do not operate as a creditor in the general understanding of the term, such as dentists, doctors, veterinarians, lawyers, accountants, and many other health care providers that offer their clients payment plans."
Added Adler: "It is clear when Congress wrote the law, they never contemplated including these types of businesses within the broad scope of that law. ... We need to be careful that the laws we pass address the problem and do so in a way that doesn't adversely and unfairly impact small businesses."
This week's Clarification Act includes the following language regarding the definition of a creditor as one that regularly and in the ordinary course of business:
Obtains or uses consumer reports, directly or indirectly, in connection with a credit transaction
Furnishes information to consumer reporting agencies in connection with a credit transaction
Advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person
Creditors do not include those that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person
The current language in the FTC's Red Flags Rule regarding the definition of a creditor includes:
A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit.
Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
The number of entities reporting breaches of unsecured protected health information (PHI) affecting 500 or more individuals is close to reaching the 200 mark.
As of Tuesday, November 30, the number of entities reporting breaches to the government's HIPAA privacy and security enforcer hit 197. The number of entities, listed on the Office for Civil Rights (OCR) breach notification website, has almost doubled since July, when the number hit 107.
In the past five months, 90 new reports have surfaced, or an average of 18 per month, a higher pace than the 15-per-month the first five months after OCR launched the website.
The list is required by HITECH, the American Recovery and Reinvestment Act of 2009 privacy subpart that includes greater breach notification requirements, more public scrutiny and increased fines for HIPAA violations.
The reporting requirement is included in the interim final rule on breach notification, which became effective on September 23, 2009.
The breach affecting the most individuals is still AvMed, Inc. of Florida, whose Dec. 10, 2009, breach involving a laptop affected 1.22 million individuals.
Laptops are still the number one location of breach information on the list, accounting for 55 of the 197 reports (27.9%). Paper records (41 reports), desktop computers (32) and portable electronic devices (29) follow.
The top five breaches with the largest number of affected individuals are:
1. AvMed, Inc.
State: Florida
Approximate number of individuals affected: 1,220,000
Date of breach: Dec. 10, 2009
Type of breach: Theft
Location of breached information: Laptop
2. Blue Cross Blue Shield of Tennessee
State: Tennessee
Approximate number of individuals affected: 1,023,209
Date of breach: Oct. 2, 2009
Type of breach: Theft
Location of breached information: Hard drives
3. South Shore Hospital (MA)
State: Massachusetts
Approximate number of individuals affected: 800,000
Date of breach: Feb. 26, 2010
Type of breach: Loss
Location of breached information: Portable electronic device, electronic medical record, other
4. Puerto Rico Department of Health
State: Puerto Rico
Approximate number of individuals affected: 400,000
Date of breach: Sept. 21, 2010
Type of breach: Unauthorized access/disclosure, hacking/IT incident
Location of breached information: Network server
5. Affinity Health Plan, Inc.
State: New York
Approximate number of individuals affected: 344,579
Date of breach: Nov. 24, 2009
Type of breach: Other
Location of breached information: Other
The Office of the National Coordinator for Health Information Technology (ONC) has sent a final rule to establish a permanent certification program for EHR technology to the Office of Management and Budget (OMB). Review by the OMB is a required step in the process to publish a final rule.
While there is no legislative deadline for the release of the rule, at the time the temporary certification program was finalized in June, ONC indicated it expected to publish the final rule for the permanent program this fall.
The rule, "Establishment of the Permanent Certification Program for Health Information Technology," outlines the permanent certification program for health information technology. Using certified EHR technology is required for providers hoping to qualify for the meaningful use incentive dollars under the HITECH legislation.
In March, HHS sent a proposed rule for the establishment of two certification programs for purposes of testing and certifying EHRs, one temporary and one permanent.
Certification is used to provide assurance and confidence that an EHR technology or module will work as expected and have the capabilities necessary to meet meaningful use standards, according to ONC.