Healthcare IT security has been a sensitive subject for the past 12 months in Utah’s health care community with two major healthcare security breaches.
On May 31, 2011, the Department of Health and Human Services’ (HHS) Office for Civil Rights proposed a new rule recommending that patients have the right to ask for a report on who has accessed their medical records. The recommendation has been out for public comment since that time.
A number of healthcare organizations including the Medical Group Management Association (MGMA), the College of Healthcare Information Management Executives and the American Health Information Management Association are asking the Department of Health and Human Services’ Office for Civil Rights to reconsider the access report requirement.
The reasons given give are:
Few patients request such information and it would cost too much to add that feature to every system. 55% of 1,400 physicians surveyed stated that they had not received such a request in the past year.
MGMA contends the access report proposal could do more harm than good. There is concern that the proposed rule could serve as a “disincentive” for adoption of Electronic Health Records.
There was also concern about compromising the privacy of the health care professionals, particularly Mental Health care providers who sometimes use pseudonyms “to avoid patients stalking or contacting them outside the workplace.”
The recommended solution is for the patient to provide a list of specific names to determine whether those individuals have or have not accessed the patient’s information.
The HHS is accepting comments on the proposed rule till August 1st. Apparently, they will have a number of positions to reconsider before they find the right balance of cost effectiveness and protecting the privacy rights of both patients and clinicians.
It appears that the health care industry lacks understanding of basic information technology security. Dr David Lee Scher, MD, just wrote an article for the Healthcare IT and Technology blog outlining five things healthcare providers should know about electronic health care record security. From his article, it is obvious that health care workers could use some IT security training.
Here are some of the problems he described.
30% of physicians did not use antivirus on their office computers.
34% of physicians offices did not have network firewalls.
The Inspector General of the HHS Office for Civil Right inspected 7 hospitals for HIPPA compliance and found that although ALL of them had implemented some policy and rules to protect EHRs, None had implemented sufficient controls to adequately protect patient privacy. Common violations were improper disposal of printed records and leaving computer screen on and unattended.
Most EHR systems date and time stamp all entries, these entries are permanent records and cannot be deleted, just corrected so healthcare providers should be careful about what they put in the record. The entry log may be audited by the practice or IT manager , as well as attorneys during discovery.
Most breaches of privacy data, do not come from “Hackers” but from improperly stored or lost data from individual not following hospital security protocols.
Data Security is the responsibility of everyone in the hospital or the doctor’s office. All staff should be fully aware their role and responsibilities in keeping private patient information safe and secure. Like anyone else who works with Information Technology, healthcare providers should have annual security training and be aware of the consequences for not following the protocols.
You can read Dr. Scher’s blog at healthcaretechnologymagazine.com.
Department of Health and Human Services’ Office for Civil Rights’ recent notice of proposed rulemaking on accounting of disclosures introduces a valuable privacy tool for individuals—the access report.
The HIPAA Security Rule’s information system activity review specification [164.308(a)(1)] requires organizations to “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” The rule’s audit controls standard [164.312(b)] requires organizations to “implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
Adam Greene, the primary author of the proposed accounting of disclosures rule mandated under the HITECH Act, states that the proposed rule takes a two-pronged approach.
First, the proposed rule spells out revised HIPAA requirements to provide patients with an accounting of disclosures of protected health information to outside parties for certain purposes, such as law enforcement and public health.
Second, the proposal requires providing patients, upon request, with “access reports” that summarize who electronically accessed their information. Greene explains the rule attempts to address “What’s the best way to get the information that individuals are most interested in, which is, who has seen their records?” He points out that under the proposed rule, a patient could simply ask whether a specific individual has electronically accessed their records, or they could ask for a complete list of everyone who has accessed them.
Kate Borten, president of The Marblehead Group, a health information privacy and security consulting firm, agrees that the Access Report recommendation deserves industry support.
“Access logs and reports are the primary, if not only, way for organizations and individuals to identify inappropriate electronic snooping by otherwise authorized user—a serious problem wherever many users have access […]
Surveys have shown that the majority of Americans are “very concerned” about identity theft or fraud (80 percent), the use of their medical information for marketing purposes (77 percent), and that their data might become available to employers or insurance companies (56 and 55 percent, respectively). At the same time, 89 percent of respondents say that they want their physicians to be able to communicate with one another, while the majority support the development of Health Information Technology as a whole and believe that it will improve care and reduce costs1.
According to a current listing on DataLossDB.org, four of the ten major data security breaches on the list involved medical records getting into the wrong hands. The VA experienced one of the top ten data security breaches of all time (over 26 million records). Patient records contain information that can be used to steal a person’s identity or help criminals pinpoint vulnerable targets. Medical information can be used to discriminate unfairly because it is often beyond what the payors and others are allowed to know. Employers and insurance companies can discriminate based on past health issues if given access to these records.
Initiatives for a standardized Electronic Health Record (EHR) are gaining acceptance. As these standards are developed, the government and industry should look to the Purchase Card Industry Data Security Standard (PCI DSS) standard for eCommerce security. Under PCI DSS, compliant systems require sensitive information to be separated from non-sensitive data within the system and to be encrypted both in transit and at rest. This prevents hackers from reading the information even if they manage to break into the system or steal a computer. While PCI DSS compliance has helped prevent security breaches in […]