The HITECH Act has been under recent scrutiny for not improving the safety of patient records, according to research from The Ponemon Institute.
In a survey of 65 hospitals, mostly in the 100- to 600-bed range, 71% of respondents say they have inadequate resources to prevent and quickly detect patient data loss. The same percentage of respondents say federal regulations like HITECH have not improved the safety of patient records, according to the "Benchmark Study on Patient Privacy and Data Security."
Rick Kam, founder of the study sponsor, ID Experts, says he often hears that hospital leaders do not provide the necessary resources and do not make protecting patients' privacy a priority. "We need to do a better job," Kam adds. "This is a call to action."
Study findings include the following:
The majority of responding organizations have less than two staff dedicated to data protection management (67%)
Hospitals say that protecting patient data is not a top priority (70%)
Most at risk are patient billing information and medical records, which are not being protected
Patients are typically first to detect a significant number of breaches at healthcare organizations (41%)
"This (last) finding suggests that patient data is being unknowingly exposed until the patients themselves detect the breach," the study states. "Healthcare organizations' inability to prevent or detect patient data loss is putting patients at greater risk of medical identity theft, financial identity theft and having their personal health facts disclosed."
The study also finds the cost of data breaches to hospitals as a whole is $6 billion. According to respondents in the study, the economic impact of data breach incidents over a two-year period is approximately $2 million per organization.
Through his research, Dr. Larry Ponemon, data security researcher, has learned that most hospitals are more concerned with "red and black" streams of revenue.
"A lot of organizations are frustrated at the limited number of resources" protecting patient privacy, Ponemon says. "It is an issue."
Other highlights from the study include the following:
60% of organizations had more than two data breaches in the past two years. The average number for each participating organization was 2.4 data breach incidents
The average number of lost or stolen records per breach was 1,769. A significant percentage of organizations either did not notify any patients (38%) or notified everyone (34%) that their information was lost or stolen
The top three causes of a data breach are: unintentional employee action, lost or stolen computing devices and third-party snafu
41% discovered the data breach as a result of a patient complaint
More than half (58%) of organizations have little or no confidence that their organization has the ability to detect all patient data loss or theft
63% of organizations say it took them between one to six months to resolve the incident
56% of respondents have either fully implemented or are in the process of implementing an EHR system. The majority (74%) of those who have an EHR system say it has made patient data more secure
Hospitals spend $6 billion annually because of data breaches, and federal regulations enacted under the HITECH Act have not improved the safety of patient records, research from The Ponemon Institute shows.
Among the data security and privacy research firm's findings:
Hospitals are not protecting patient data
Hospitals admit to being vulnerable to a data breach
Breaches of patient information are occurring frequently and often go unreported, putting patients' privacy at risk
A small percentage of healthcare organizations rely on security technologies to prevent and detect data breach incidents
Federal regulations—HITECH—have not improved the safety of patient records
Last year, Ponemon released its fifth annual study on the cost of data breaches—"2009 Annual Study: Cost of a Data Breach: Understanding Financial Impact, Customer Turnover, and Preventative Solutions."
That study found the average cost for a compromised record to be approximately $144 in indirect costs and $60 of direct costs, for a total cost of $204.
It is unclear if next week's research will be the sixth annual study or whether it's independent research. The 2009 study focused on 45 U.S. companies from 15 different industry sectors.
The Health Information Trust Alliance (HITRUST) analyzed the breaches of unsecured protected health information (PHI) affecting 500 or more individuals that are listed on the Office for Civil Rights website.
Covered entities and business associates reporting the breaches on the site together could spend nearly $1 billion because of those breaches, the August 2010 report found.
HITRUST used the 2009 Ponemon Institute study that found the average cost for a compromised record to be approximately $144 in indirect costs and $60 of direct costs, for a total cost of $204.
OCR's breach notification website list has grown since the HITRUST report. As of Thursday, November 4, 189 entities have reported breaches of 500 or more.
HIPAA and HITECH final rules could be published by the end of this year or early next year, a top lawyer for the Office for Civil Rights (OCR) says.
Adam H. Greene, JD, MPH, senior health information technology and privacy specialist for OCR, gave that prediction during the Fourth Annual HIPAA Summit West: Healthcare Privacy and Security after HITECH and Health Reform on October 4.
Though Greene would not guarantee that estimate, HIPAA privacy and security officers may be wise to listen to him. This past summer, Greene accurately said he expected a proposed rule on changes to the HIPAA privacy, security and enforcement rules to be released around July 8.
That's exactly when the display copy of the rule hit the streets; it was published in the Federal Register July 14.
Covered entities and business associates also await OCR's final rule on breach notification. The rule was sent to the Office of Management and Budget (OMB) for review but was later withdrawn for further review, OCR announced on its website July 28.
Attendees at the HIPAA Summit earlier this month discussed the breach notification rule and whether or not OCR will lift its "harm threshold" written into the interim final rule. If covered entities determine, after a risk analysis, that a breach would not cause a patient significant financial or reputational harm, breach notification is not mandatory.
Supporters say the harm threshold works because it eliminates endless breach notification reports for "harmless" incidents (i.e., patient information faxed to the wrong department within a hospital).
But opponents, including some members of Congress, want the harm threshold removed because they say it weakens privacy controls and may let entities off the hook for committing breaches.
Also on OCR's plate is its "periodic audit" plan that must be rolled out in accordance with HITECH. There is no timetable or details on the audit plan yet, though OCR did tell HealthLeaders Media in May it hired Booz Allen Hamilton to help build its HITECH-required HIPAA auditing plan.
Then, OCR said it is "presently engaged in a contract to survey and recommend strategies for implementing the HITECH audit requirement."
Asked again this month about the status of the audit plan, OCR essentially said it is not ready to release the plan.
"Pursuant to Section 13411 of HITECH, OCR is in the process of developing a program to conduct periodic audits to ensure that covered entities and business associates comply with HIPAA Privacy and Security Rule requirements," Rachel Seeger, MPA, MA, senior health information privacy outreach specialist for OCR, wrote in an e-mail to HealthLeaders. "At this time, audit report is pre-decisional and not available publicly. OCR does not have a timetable for implementation."
Editor's note: Senior editor Dom Nicastro covers the government health information data regulations for HealthLeaders Media and its parent company, HCPro, Inc. In a guest column this week, he writes about how the HITECH act is impacting state-level HIPAA compliance.
HITECH brings to light how much of a better job the healthcare industry must do to protect the privacy of its patients. Take one look at the Office for Civil Rights (OCR) breach notification website—you'll find 166 reasons why this is true.
That website is great to have: It is a public list where healthcare organizations can share lessons learned, analyze numbers and trends, and get a good look at which facilities are making big mistakes, some of which affect millions of patients.
But what's the real take-home when Congress writes a law like HITECH? A law that revamps the HIPAA privacy rules, calls for increased penalties and public scrutiny for violations, and extends the legal power of state attorneys to pursue cases for violators?
Is the goal to instill fear of non-compliance? Is it nabbing a poster child such as Rite Aid, which paid $1 million to settle potential HIPAA violations? Is it keeping entities on their toes for the HITECH-required periodic audits?
Those are certainly pluses.
But since HITECH was signed into law on February 17, 2009, the best example of how it's actually worked for the better may be in Connecticut. There, new HITECH powers unleashed a trickle-down effect that ultimately may help that state better comply with HIPAA.
It began back in July, when Connecticut's state attorney general office announced it had reached a settlement with Health Net and its affiliates over the failure last year to secure the private medical records of 1.5 million policyholders and for the insurers' delay in reporting the breach.
The settlement imposed a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.
But how does that make other entities better off?
Last month, the Connecticut Insurance Department issued a bulletin that calls for state insurers to notify affected individuals and the state's insurance commissioner of a breach of patient information no later than five calendar days after its discovery.
If HITECH hadn't granted new powers to state attorneys general to pursue lawsuits regarding HIPAA, Connecticut AG Richard Blumenthal would not have gone after Health Net, and that case may never have come to the forefront. And without it, the state's insurance department may never have tightened its belt regarding breach notification.
Dawn McDaniel, a spokesperson for the Connecticut Insurance Department, told HealthLeaders Media in an e-mail that the bulletin is in response to "some recent data breaches, which were not reported in what we believe to be a timely manner."
Though neither OCR nor Connecticut officials would say that the breach notification change in Connecticut is a direct effect of HITECH, OCR did praise Blumenthal's actions. In an e-mail to HealthLeaders Media, an OCR spokesperson called it an illustration of the strong partnership between federal and state regulators envisioned in the HITECH act.
"The Office for Civil Rights at HHS views the actions of the Connecticut state attorney general in the Health Net matter as demonstrating the effective federal-state partnership to HIPAA compliance as envisioned by the HITECH Act," he wrote. "These actions can provide greater protections for the residents of Connecticut, and serve to stimulate a more robust culture of compliance among organizations responsible for protected health information."
The spokesman called the actual breach notification changes in Connecticut a matter "within state jurisdiction and independent of new HITECH authorities and HIPAA requirements."
Technically, yes. But it's hard to argue that the changes are not at least a residual effect of a HITECH-granted power.
The Federal Trade Commission has approved a data breach bill requiring entities that hold consumers' sensitive information to create a robust data compliance protection plan. The intention of the plan is to enforce strict breach notification requirements.
The FTC submitted testimony for a Senate hearing on the bill and said it "strongly supports" the bill.
"Notification in appropriate circumstances can be beneficial," the Commission says. "Notification laws have increased public awareness of the harm breaches can cause. Breach notification at the federal level would extend notification nationwide and accomplish similar goals."
The bill would serve as a complement to several breach notification laws on a state level already in effect, the FTC says.
According to the language in the bill, healthcare entities and their business associates (BAs) would be in the clear so long as they complied with the Health Information Technology for Economic and Clinical Health (HITECH) Act or any other federal laws that satisfy similar or stronger requirements.
It is unclear, however, if compliance with the FTC's Red Flags Rule for identity theft protections would exempt entities from the requirements in the new bill.
No matter to whom the bill applies, healthcare entities should watch the bill's progress in light of new privacy and security laws in HITECH that call for greater patient rights to protected health information (PHI) and greater penalties for breaches of unsecured PHI.
The FTC's testimony this week called for additions to the bill:
The provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form
The proposed requirements should be extended so that they apply to telephone companies
The bill should grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted
The bill extends civil action power to state attorneys general, much like HITECH does. It includes a maximum of $11,000 per day for each day an entity is found not to be in compliance and caps a single violation at:
$5 million for each violation of the security and compliance requirements
$5 million for all violations of the breach notification requirements
The Government Accountability Office (GAO) released a report this month that says the Department of Health and Human Services (HHS), the enforcer of HIPAA privacy and security rules, has safeguards that do not always protect sensitive information it shares with contractors.
The report examined two questions:
Extent to which government guidance and contracts contain safeguards for contractor access to sensitive information
Adequacy of government-wide guidance on how agencies are to safeguard sensitive information to which contractors may have access
The report also reviews practices of the Department of Defense (DOD) and Department of Homeland Security (DHS).
It found that DOD's and HHS' guidance do not always protect "all relevant types of sensitive information contractors may access during contract performance," according to a one-pager of report highlights released by the GAO.
"GAO's analysis of guidance and contract actions at three agencies found areas where sensitive information is not fully safeguarded and thus may remain at risk of unauthorized disclosure or misuse."
The federal agencies operate under the Federal Acquisition Regulation (FAR), which governs federal agencies in the process of acquiring goods and services—in this case, hiring contractors who handle sensitive information.
The GAO recommends additional safeguards to FAR, including:
Address the use of nondisclosure agreements with contractors
Require prompt notification of unauthorized disclosure or misuse of sensitive information
DHS agreed with the recommendations, the GAO said, but DOD and HHS did not respond.
HHS did not immediately answer an e-mail from HealthLeaders Media Monday.
Senator Tom Carper (D-Del.), chairman of the U.S. Senate Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security, said in a statement that "there have been an unacceptably high number of data breaches that have left individuals, at times, the victim of serious financial crime or, more often, fearful that their personal information will be compromised."
He cited a 2008 incident in which a payment processing company was hacked, exposing more than 100 million Americans' sensitive information, and the Department of Veterans Affairs' lost laptop that held more than 25 million veterans' health and personal information.
"These types of breaches are not only scary, but unacceptable," Carper said.
"This report from the Government Accountability Office shows that, despite increased awareness and progress in addressing this issue, sensitive information retained by federal agencies remains vulnerable to unauthorized disclosure and abuse by outside contractors working for those agencies," Carper said. "The federal government needs to do a better job of protecting sensitive information to prevent disclosure as well as ensuring that, if an improper disclosure takes place, contractors immediately notify the affected agency."
L.A. County Sheriff's Department officials discovered last week that a janitor in the Martin Luther King, Jr. Multi-Service Ambulatory Care Center in Willowbrook, CA, sold boxes containing 33,000 patient records to a recycling center.
The Los Angeles Times broke the story Friday that Robert Sanders, 55, took 14 boxes containing addresses, phone numbers and other demographic patient information and sold them for $40 for their paper value. He was charged with felony commercial burglary.
The hospital discovered the missing files in July.
Reached Monday by phone, a spokesperson at the Los Angeles County Department of Health Services said the hospital regrets the incident but maintains the boxes were in a "secure place."
"These records were not just out in a hallway," the spokesperson said.
The spokesperson also told HealthLeaders Media that the information contained no Social Security numbers or medical record numbers, but rather demographic information on patients from 2008.
The hospital is "re-doubling" its efforts to ensure its records stay confidential and within the facility, the spokesperson said. It has complied with all notification requirements, established a toll-free number and is notifying the affected patients.
One HIPAA privacy and security expert said hospitals can avoid records falling in the wrong hands by having an officer account for them at all times.
"One theme the incident does touch on is that of prevention," says Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ. "This incident is a bit of a head scratcher because this incident involved the movement of 14 boxes from the facility. So either this person was in a situation where his actions were not noticed by others (for example he may have been the only person in the area) or if others noticed him, they didn't think to perhaps intervene or perhaps didn't perceive anything wrong with what he did."
Ruelas says the incident raises questions regarding boxes of personal health information (PHI):
Are boxes containing documents clearly labeled to identify that their contents are confidential?
If boxes and their contents are identified, are they being destroyed in a manner consistent with a hospital's policy on the destruction of confidential documents?
A "good rule of thumb," Ruelas says, is to dispose of confidential documents in accordance with policy during business hours when possible.
"This enables those who are knowledgeable about the documents and how they are to be disposed of to be involved," Ruelas said. "To leave documents staged such that they can be removed by unauthorized personnel or in a manner inconsistent with the organization's policy can result in an incident such as this one."
Also, restrict janitorial services in areas containing confidential documents during business hours; only allow them to work when someone can supervise access to and from such locations.
"In some hospitals, if janitorial services are needed in restricted-access areas after hours, security or other staff [should] remain in the area until the janitorial services are completed," Ruelas said.
The Connecticut Insurance Department issued a bulletin last month that calls for state insurers to notify affected individuals and the state's insurance commissioner of a breach of patient information no later than five calendar days after its discovery.
This makes the requirement even stricter than California's, whose five "business days" requirement is known to be one of the toughest in the country.
Connecticut's insurance officials made the move "in order to assure that Connecticut consumers are fully protected and informed in the event of any information security incident ... that could pose a potential risk to the privacy of an individual's personal health and/or financial information," according to the bulletin.
Dawn McDaniel, a spokesperson for the Connecticut Insurance Department, told HealthLeaders Media in an e-mail the bulletin is in response to “some recent data breaches which were not reported in what we believe to be a timely manner.”
Though McDaniel did not cite it specifically, Connecticut’s state attorney general office July 6 announced it had reached a settlement with Health Net and its affiliates over the failure last year to secure the private medical records of 1.5 million policyholders and for the insurers' delay in reporting the breach.
The settlement imposed a $250,000 fine on the company for HIPAA and HITECH violations, and requires the insurers to adopt rigorous security and notification measures.
The settlement involved Health Net of the Northeast, Inc., Health Net of Connecticut Inc., and parent companies UnitedHealth Group Inc. and Oxford Health Plans.
On May 14, 2009, the loss or theft of a portable computer disk drive at the company's Shelton, CT office impacted about 446,000 Connecticut policyholders and 1 million other policyholders across the nation. The breached data included personal health records, bank account numbers, and Social Security numbers. Health Net waited until Nov. 30 to provide notice of the breach.
E-mails to the Office for Civil Rights (OCR), the HIPAA privacy and security enforcer, and the Connecticut Attorney General's office were not immediately returned Thursday afternoon.
"There will be at times information security incidents which are beyond the control of the best management practices," according to the Connecticut Insurance Department bulletin. "The Department's concern is to make certain that in addition to minimizing these incidents, licensees and registrants react quickly and affirmatively to let affected Connecticut consumers know that they may be at risk and what is being done to protect sensitive and confidential information. The department also wants to make sure that there is an opportunity for the department to actively monitor the situation and guarantee those consumer protections throughout the process."
Insurers have accounted for the largest breaches on the OCR breach notification website.
A report from the Health Information Trust Alliance in Frisco, Texas, last month found that when looking at the number of individuals affected by the breaches on the website, insurance plans accounted for 58% or 2.8 million records.
Of the top 10 largest breaches reported on the OCR list based on the number of individuals affected, insurance plans were responsible for four.
The website list is required by HITECH and includes entities who report breaches of unsecured PHI affecting 500 or more individuals.
The largest of the 157 breaches reported since February 2010 is still AvMed, Inc., a Florida insurance provider whose stolen laptop case from December 10, 2009, affected 1.22 million individuals.
Mayo Clinic has fired an employee at a business center in Arizona who accessed nearly 2,000 patient medical and financial records over a four-year period—just to take a peek, the Post-Bulletin of Rochester, MN, reports.
The employee accessed an estimated 1,700 patient records, Mayo spokesman Chris Gade told the Post-Bulletin. The employee's access rights covered all Mayo Clinic patient records at all Mayo sites.
Officials discovered the breach in mid-July. They did not release the name of the healthcare worker.
"This activity took place between 2006 and 2010. An internal investigation was immediately launched. Following a thorough review of the facts, the person was fired," Mayo said in a statement.
This isn't the first hospital to deal with a worker snooping at patient records.
Kaiser Permanente Bellflower Hospital in Los Angeles in May 2009 was assessed a $250,000 fine because 23 employees at a number of Kaiser facilities with access to electronic medical records unlawfully breached the privacy of a patient who gave birth to octuplets earlier in the year.
Snooping landed another in jail earlier this year. United States Magistrate Judge Andrew J. Wistrich sentenced a former UCLA Healthcare System employee who admitted snooping at patients' records to four months in prison April 27, according to the U.S. Attorney's Office in the Central District of California.
Huping Zhou, 47, of Los Angeles, admitted to illegally reading private and confidential medical records, mostly from celebrities and other high-profile patients, the U.S. Attorney's Office said in a release.
Wistrich condemned Zhou for his lack of respect for patient privacy, according to the release.
Zhou was the first person in the nation to be convicted and incarcerated for misdemeanor HIPAA offenses for merely accessing confidential records without a valid reason or authorization, according to the attorney's office.
Zhou in January of this year pleaded guilty to four misdemeanor counts of violating the HIPAA Privacy Rule. He is a licensed cardiothoracic surgeon in China who was employed in 2003 at UCLA Healthcare System as a researcher with the UCLA School of Medicine.
Worried about snoopers at your facility? Some facilities use "honeypots" as bait to catch snooping staff members who are in violation of HIPAA. "Honeypots," also referred to as "honeynuts," are fictitious medical records that IT monitors to determine if anyone is accessing them.
The terms honeypots and honeynuts derive from the notion that if you want to catch birds, you scatter birdseed.
Use these tips regarding honeypots to catch snoopers and respond accordingly:
Gain executive sponsorship. "Using a honeypot implicitly communicates we don't trust our staff, even though we know that insider snooping is by far the most common cause of privacy or security breaches," John R. Christiansen, founder of Christiansen IT Law in Seattle, says. You need to have executive sponsorship willing to back you in the event that the use of honeypots results in controversy.
Get HR buy-in. HR must be looped in to ensure that it will take appropriate action if you catch someone accessing records inappropriately, Christiansen says, adding that "legal counsel should vet the whole program to make sure legal risks are avoided."
Conduct a risk assessment of your systems and equipment. Then create records for five media-centric personalities, making them as real as possible. Don't be too obvious. For instance, Madonna would probably not end up in a central Montana facility.
Beware of entrapment. Honeypots are analogous to entrapment; they're bait that wouldn't work if someone wasn't predisposed to snooping, Christiansen says, because, as W.C. Fields said, "You can't cheat an honest man." Organizations should be certain that staff members know about policies that prohibit snooping and that system configuration prevents accidental access, says Christiansen.
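The monitoring side of the honeypot approach described above, as an added example that is not code from the article or from any organization it names: a small scanner that walks EHR audit-log lines, flags any non-service account that opened a decoy record, and groups the hits per user for HR and counsel to review. The log line format, the decoy record numbers and the service-account list are all constructed assumptions; the service-account allowlist is the "system configuration prevents accidental access" point, keeping backup and indexing jobs that legitimately touch every record from raising false alarms.

```python
"""Decoy ("honeypot") patient-record access monitor.

Added example. Assumes a constructed audit-log line format
'timestamp|user|record_id|action'; real EHR audit logs differ.
"""
from dataclasses import dataclass, field

# Hypothetical decoy medical record numbers (MRNs): the fictitious charts
# created after the risk assessment, never assigned to a real patient.
DECOY_MRNS = {"MRN-900001", "MRN-900002", "MRN-900003"}

# Hypothetical service accounts that legitimately read every record
# (backup, search indexing). Their hits are expected and are not alerts.
EXPECTED_ACCOUNTS = {"svc_backup", "svc_index"}


@dataclass
class Alert:
    """All decoy accesses attributed to one user account."""
    user: str
    records: set = field(default_factory=set)
    actions: list = field(default_factory=list)


def parse_line(line):
    """Parse 'ts|user|mrn|action' into a dict; return None for malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 4 or not all(parts):
        return None
    ts, user, mrn, action = parts
    return {"ts": ts, "user": user, "mrn": mrn, "action": action}


def find_decoy_access(lines, decoys=DECOY_MRNS, expected=EXPECTED_ACCOUNTS):
    """Return {user: Alert} for every non-service account that touched a decoy.

    Malformed lines are skipped rather than failing the whole scan, so one bad
    log entry cannot hide later accesses.
    """
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mrn"] not in decoys:
            continue
        if rec["user"] in expected:
            continue  # allowlisted system account, not a snooper
        alert = alerts.setdefault(rec["user"], Alert(rec["user"]))
        alert.records.add(rec["mrn"])
        alert.actions.append((rec["ts"], rec["mrn"], rec["action"]))
    return alerts


def summarize(alerts):
    """Map each flagged user to (distinct decoy records, total accesses)."""
    return {u: (len(a.records), len(a.actions)) for u, a in alerts.items()}


# Constructed sample log: a legitimate real-record lookup, a backup job
# reading decoys, one malformed line, and one user opening two decoy charts.
SAMPLE_LOG = [
    "2010-09-01T08:02:11|jsmith|MRN-123456|VIEW",
    "2010-09-01T02:00:00|svc_backup|MRN-900001|READ",
    "2010-09-01T02:00:01|svc_backup|MRN-900002|READ",
    "this line is malformed",
    "2010-09-01T12:14:09|rjones|MRN-900001|VIEW",
    "2010-09-01T12:15:30|rjones|MRN-900003|VIEW",
    "2010-09-01T12:16:02|rjones|MRN-900003|PRINT",
]

if __name__ == "__main__":
    for user, alert in find_decoy_access(SAMPLE_LOG).items():
        print(f"{user}: {len(alert.records)} decoy record(s), "
              f"{len(alert.actions)} access(es)")
        for ts, mrn, action in alert.actions:
            print(f"  {ts} {action} {mrn}")
```

Running it on the sample flags only rjones, with two distinct decoy records and three accesses, while the backup account's reads and the malformed line are ignored.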
The number of healthcare entities reporting breaches of unsecured PHI affecting 500 or more individuals has crossed the 150 mark, nearly one year after the first such breach was reported.
The Office for Civil Rights (OCR) breach notification website lists 153 entities as of Thursday, Sept. 2. The HIPAA privacy and security rule enforcer began publishing the breaches in February of this year, per HITECH, but breaches date back to September 22, 2009.
The list is required in the breach notification interim final rule, which is in effect but under review by OCR before a final rule is submitted to the Office of Management and Budget (OMB).
Hospitals and provider networks account for the highest number of breaches on the list, according to numbers recorded in August by Christopher Hourihan, manager of common security framework (CSF) development and operations at HITRUST, the Health Information Trust Alliance in Frisco, Texas.
Hourihan’s latest update reports that hospitals and provider networks account for 50 breaches, followed by physician practices at 35. Insurance plans experienced the third highest number of breaches with 26 or 18%.
However, when looking at the number of individuals affected by the breaches, insurance plans accounted for 58% or 2.8 million records.
Of the top 10 largest breaches reported on the OCR list based on the number of individuals affected, insurance plans were responsible for four.
Hospitals/provider networks were responsible for only 27% of the total records affected by breaches or 1.3 million records. Physician practices accounted for only 8% of the total number of records compromised by breaches.
That’s not such a surprise when you consider the large number of patient records that insurance plans deal with, says Hourihan. Physician practices may have patients’ PHI in the form of paper records or stored electronically on a computer. If a laptop computer is lost or stolen, it may contain only a few hundred patient records.
On the other hand, a breach by an insurance plan is likely to involve thousands, if not hundreds of thousands, of records.
So, although physician practices are responsible for the second highest number of breaches, the relative damages for physician practices in terms of the number of records is fairly low, Hourihan says.
Insurers do not have many breaches, but when a breach occurs, it can be of a huge magnitude, he says.
For instance, the largest breach reported so far is by AvMed, Inc. of Florida and involved 1,222,000 patient records from the theft of a laptop computer in December 2009. The second largest breach was reported by Blue Cross Blue Shield of Tennessee, resulting from the theft of hard drives in October 2009; it affected 998,442 patients.
Correspondent Joanne Finnegan contributed to this report.