Utah Getting Act Together on Healthcare IT Security

Healthcare IT security has been a sensitive subject in Utah’s health care community for the past 12 months, following two major healthcare security breaches.

The Future of EHR Security: Good and Bad News

The future of Electronic Health Records (EHR) security will be impacted by the findings of several studies conducted in the past year. From what I can tell, these studies bring with them both good and bad news.

New Security Rules for the Electronic Health Care Record Incentive Program

In 2009, the Ways and Means committee put forth the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. The bill states that health information technology helps save lives and lower costs. One of the four major goals of the legislation is “Strengthening Federal privacy and security law to protect identifiable health information from misuse as the health care”.

Stage 1 of the program required hospitals and eligible professionals (physicians) to conduct or review a risk analysis and implement security updates as necessary to correct identified security deficiencies.

The proposed Stage 2 rule includes the identical requirement. But it adds that the assessment must include “addressing the encryption/security of data at rest.”

The proposed rule specifically states: “We do not propose to change the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule requirements or require any more than would be required under HIPAA. We only emphasize the importance of an eligible professional or hospital including in its security risk analysis an assessment of the reasonableness and appropriateness of encrypting electronic protected health information as a means of securing it, and where it is not reasonable and appropriate, the adoption of an equivalent alternative measure.”

Recommended Security Changes

The proposed rule would not alter the HIPAA Security Rule’s requirements on encryption. Under that rule, encryption is “addressable,” which means it must be implemented if doing so is reasonable and appropriate – which stops short of an outright mandate.
The Office of the National Coordinator for Health IT proposes “that Electronic Health Record [EHR] vendors … by default enable encryption of data on end-user devices if any data is kept on user devices after the session ends”.
It also proposes that secure messaging is used when doctors communicate with […]

Medical Records Access Report Too Burdensome

On May 31, 2011, the Department of Health and Human Services’ (HHS) Office for Civil Rights proposed a new rule recommending that patients have the right to ask for a report on who has accessed their medical records. The recommendation has been out for public comment since that time.

A number of healthcare organizations including the Medical Group Management Association (MGMA), the College of Healthcare Information Management Executives and the American Health Information Management Association are asking the Department of Health and Human Services’ Office for Civil Rights to reconsider the access report requirement.

The reasons given are:

Few patients request such information and it would cost too much to add that feature to every system. 55% of 1,400 physicians surveyed stated that they had not received such a request in the past year.
MGMA contends the access report proposal could do more harm than good. There is concern that the proposed rule could serve as a “disincentive” for adoption of Electronic Health Records.
There was also concern about compromising the privacy of health care professionals, particularly mental health care providers who sometimes use pseudonyms “to avoid patients stalking or contacting them outside the workplace.”

The recommended solution is for the patient to provide a list of specific names to determine whether those individuals have or have not accessed the patient’s information.

The HHS is accepting comments on the proposed rule until August 1st. Apparently, they will have a number of positions to reconsider before they find the right balance between cost effectiveness and protecting the privacy rights of both patients and clinicians.

HealthCare Providers Need IT Security Training

It appears that the health care industry lacks understanding of basic information technology security. Dr David Lee Scher, MD, just wrote an article for the Healthcare IT and Technology blog outlining five things healthcare providers should know about electronic health care record security. From his article, it is obvious that health care workers could use some IT security training.

Here are some of the problems he described.

30% of physicians did not use antivirus on their office computers.
34% of physicians offices did not have network firewalls.
The Inspector General of the HHS Office for Civil Rights inspected 7 hospitals for HIPAA compliance and found that although ALL of them had implemented some policies and rules to protect EHRs, none had implemented sufficient controls to adequately protect patient privacy. Common violations were improper disposal of printed records and leaving computer screens on and unattended.
Most EHR systems date and time stamp all entries. These entries are permanent records and cannot be deleted, only corrected, so healthcare providers should be careful about what they put in the record. The entry log may be audited by the practice or IT manager, as well as by attorneys during discovery.
Most breaches of private data do not come from “hackers” but from improperly stored or lost data, caused by individuals not following hospital security protocols.

Data security is the responsibility of everyone in the hospital or the doctor’s office. All staff should be fully aware of their role and responsibilities in keeping private patient information safe and secure. Like anyone else who works with information technology, healthcare providers should have annual security training and be aware of the consequences for not following the protocols.

You can read Dr. Scher’s blog at healthcaretechnologymagazine.com.

Privacy by Design or Redesign—a new International Standard

Dr. Ann Cavoukian, Privacy Commissioner of Ontario, Canada, is recognized as one of the leading privacy experts in the world. She has been working with a concept called Privacy by Design for over 20 years. The idea is that Privacy should be designed into systems from the beginning, not added as an afterthought. Systems designers should be made aware of privacy issues and be proactive about embedding them into the system.

Dr. Cavoukian states: “We know from the academic literature that whatever the default condition is, that condition rules 80 percent of the time. I want that to be privacy. By default, I mean it is automatically available to the user without them having to ask for it. It’s embedded; it’s built into the system.”

Once a year, there is an international conference of privacy commissioners and data protection regulators, usually held in Europe. Last year, the conference was hosted in Israel, where the privacy commissioners unanimously passed an international resolution making Privacy by Design an international standard. The standard is now being adopted worldwide, not only in Canada and the EU. The Federal Trade Commission has made it one of its three recommended practices. Senators Kerry and McCain recently introduced a commercial bill of privacy rights which, for the first time, uses language taken directly from the Privacy by Design standard.

Privacy has become a recent “hot topic” due to what seems to be endless security breaches in the health care and banking industries. To address this current state of affairs, Dr. Cavoukian has developed a new concept called Privacy by Redesign, to bring privacy into systems that are already developed. To do so, organizations need to look at the uses of data, what is permissible and what isn’t, […]

Access Logs Recommended for EHRs

Department of Health and Human Services’ Office for Civil Rights’ recent notice of proposed rulemaking on accounting of disclosures introduces a valuable privacy tool for individuals—the access report.

The HIPAA Security Rule’s information system activity review specification [164.308(a)(1)] requires organizations to “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” The rule’s audit controls standard [164.312(b)] requires organizations to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

Adam Greene, the primary author of the proposed accounting of disclosures rule mandated under the HITECH Act, states that the proposed rule takes a two-pronged approach.

First, the proposed rule spells out revised HIPAA requirements to provide patients with an accounting of disclosures of protected health information to outside parties for certain purposes, such as law enforcement and public health.

Second, the proposal requires providing patients, upon request, with “access reports” that summarize who electronically accessed their information. Greene explains the rule attempts to address “What’s the best way to get the information that individuals are most interested in, which is, who has seen their records?” He points out that under the proposed rule, a patient could simply ask whether a specific individual has electronically accessed their records, or they could ask for a complete list of everyone who has accessed them.

Kate Borten, president of The Marblehead Group, a health information privacy and security consulting firm, agrees that the Access Report recommendation deserves industry support.

“Access logs and reports are the primary, if not only, way for organizations and individuals to identify inappropriate electronic snooping by otherwise authorized users—a serious problem wherever many users have access […]
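The two questions the proposed rule describes (“did this named individual access my record?” and “who has accessed it at all?”) are both queries over the audit log that the HIPAA audit controls standard requires. The following is an added example, not code from the page, from HHS, or from any EHR vendor: it parses a constructed audit-log format (the field names and sample lines are invented for the demo), answers both questions for one patient, and lists accessors who are not on the patient’s care team as candidates for review.

```python
"""Build a patient access report from EHR audit-log lines.

Added example: the log format, field names and sample records below are
constructed for this demo and do not come from any real EHR product.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample audit log: one record per access to a patient's chart.
SAMPLE_LOG = """\
2011-06-01T08:02:11 user=asmith role=physician patient=P1001 action=view
2011-06-01T08:05:40 user=asmith role=physician patient=P1001 action=update
2011-06-01T11:17:03 user=bjones role=nurse patient=P1001 action=view
2011-06-01T11:20:55 user=bjones role=nurse patient=P2002 action=view
2011-06-02T22:41:19 user=ckim role=billing patient=P1001 action=view
2011-06-03T09:00:00 user=dlee role=physician patient=P2002 action=view
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse '<timestamp> key=value ...' lines into dicts; skip malformed lines."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue  # not an audit record; skip it rather than abort the report
        fields: Dict[str, object] = dict(
            p.split("=", 1) for p in parts[1:] if "=" in p
        )
        if all(k in fields for k in ("user", "patient", "action")):
            fields["timestamp"] = ts
            entries.append(fields)
    return entries


def access_report(entries: List[Dict[str, object]], patient_id: str) -> List[Dict[str, object]]:
    """The full list a patient may request: every access to one patient's record."""
    return [e for e in entries if e["patient"] == patient_id]


def user_accessed(entries: List[Dict[str, object]], patient_id: str, user: str) -> bool:
    """The narrower question: did this named individual access the record?"""
    return any(e["user"] == user for e in access_report(entries, patient_id))


def accessors(entries: List[Dict[str, object]], patient_id: str) -> Counter:
    """Distinct users who accessed the record, with how many times each did."""
    return Counter(str(e["user"]) for e in access_report(entries, patient_id))


def outside_care_team(entries: List[Dict[str, object]], patient_id: str,
                      care_team: Set[str]) -> Set[str]:
    """Users who touched the chart but are not on the patient's care team.

    These are review candidates, not proof of snooping: billing or quality
    staff may have a legitimate reason, which is why the report is reviewed
    by a person rather than acted on automatically.
    """
    return set(accessors(entries, patient_id)) - care_team


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in access_report(log, "P1001"):
        print(e["timestamp"], e["user"], e["role"], e["action"])
    print("ckim accessed P1001:", user_accessed(log, "P1001", "ckim"))
    print("outside care team:", outside_care_team(log, "P1001", {"asmith", "bjones"}))
```

The care-team list is the piece an organization already has to maintain for role-based access; joining it against the audit log is what turns a raw access report into the “snooping” check the quote refers to.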

Maine reverses decision on HIE Consent

After hearing objections from hospitals and physicians about a proposed “opt-in” approach to obtaining patient consent for health information exchange (HIE), the Maine legislature has dropped a proposal to switch away from its “opt-out” approach.

The original proposal would have required giving patients an opt-in form that they would need to sign to authorize having their electronic health records shared over HealthInfoNet, the statewide HIE.

Concerns were expressed by the state hospital and medical associations and by HealthInfoNet that the “opt-in” approach would result in few people taking advantage of the benefits of the HIE. Other HIEs using the opt-in approach have found that a relatively small percentage of patients take the initiative to sign the form. Amy Landry, HealthInfoNet’s communications director, stated that “Unless a majority of state residents’ records are accessible via the HIE, physicians and hospitals are unlikely to use it because of its limited value”.

HealthInfoNet has always instructed participating providers to give patients a Notice of Privacy Practices, as required under HIPAA, that also describes that their data may be shared via the HIE and offers the opportunity to opt out.

Last year, the Health and Human Services Privacy and Security Tiger Team, which advises federal regulators, endorsed a “meaningful consent” approach that HIEs should take. It accommodates either the opt-in or opt-out approach, emphasizing educating patients about their privacy rights as well as HIE procedures.

The revised proposal, which awaits the governor’s signature, requires informing patients about the benefits and risks of the HIE and giving them the opportunity to “opt out.” Unless they take action to opt out, their information will automatically be accessible via the HIE, which stores certain records in a central data repository.

To view the revised Maine legislation, visit […]

HHS Privacy and Security Tiger Team Findings Part 2

Last week, I summarized the Health and Human Services Health Information Technology Policy Committee Privacy and Security Tiger Team (Tiger Team)’s findings.

As a reminder, their charge was to “make short-term and long term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and efficiency, particularly as related to the American Recovery and Reinvestment Act (ARRA) of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Their findings were put out for public comment April 11 – May 11, 2011. Below is a series of excerpts from the comments which represent the major points of discussion. The full set of comments can be viewed on the HHS Federal Advisory Committee Blog.

There should be a health industry discussion on general tracking and accounting of disclosures. ARRA-HITECH proposed rules have not been released and there has been little industry discussion regarding how disclosures can be tracked, especially in larger organizations where disclosure may occur. This is both a policy and a technology issue.
Methods for tracking exchange partners need to be developed.  Web site info with the ability for the patient to print should cover it, and maybe an annual signoff indicating they know where to find it if they want it. A NwHIN participant will have difficulty keeping track of all the potential indirect participants. If the level of HIEs gets to 225-250-plus keeping a list of the possible exchange partners becomes overwhelming and probably complicated for the individual to understand.
Confidentiality is crucial to reducing barriers to care for adolescents. It has long been recognized that if adolescents do not believe […]

HHS Privacy and Security Tiger Team Findings Part 1

Last winter, the Health and Human Services Health Information Technology Policy Committee gave the following broad charge to the Privacy and Security Tiger Team (Tiger Team).

The charge is as follows: “The Tiger Team is charged with making short-term and long term recommendations to the Health Information Technology Policy Committee (HITPC) on privacy and security policies and practices that will help build public trust in health information technology and efficiency, particularly as related to the American Recovery and Reinvestment Act of 2009 and the Affordable Care Act (ACA) which mandates a number of duties to the ONC relative to privacy and security.”

Since February 2011, the Tiger Team has conducted a number of public meetings on a variety of issues related to achieving public trust in health IT. The Tiger Team released its findings for public comment on April 11, 2011, and presented them to the HITPC on April 13, 2011. The complete briefing can be viewed at www.healthit.hhs.gov/portal.

The following is a summary of the Tiger Team recommendations:

Organizations that are seeking to exchange information as part of the Nationwide Health Information Network (NwHIN) should be required to adopt baseline user authentication policies that require more than just user name and password for remote access. At least two factors should be required.
For more sensitive, higher risk transactions, an additional authentication of greater strength may be required. This is similar to the Drug Enforcement Agency policy covering the prescribing of controlled substances.
The Office of the National Coordinator for Health Information Technology (ONC) should also work to develop and disseminate evidence about the effectiveness of various methods for authentication and reassess NwHIN policies accordingly.
ONC should work with the National Institute of Science and Technology (NIST) to provide guidance to […]