It’s an understatement to say that the invention of the Internet has been one of the most important developments in history. With the advent of this revolutionary technology, individuals are no longer limited in their citizenship – i.e., just members of a village, town, city, or country. Rather, they can choose to be a part of a worldwide cyber-community. This global interconnectivity allows us to communicate with our friends, family, and colleagues across the globe in milliseconds. It propels business growth and development throughout the world, and it has even served as the catalyst for sweeping political change.
However, along with this unprecedented informational resource come dangers and risks related to the loss, theft, or compromise of confidential or proprietary information we do not want disseminated to unauthorized recipients. Among the various types of information most at risk is the personal health information contained in electronic health records. These records include health information, social security numbers, birthdates, and other significant personal identifiers.
Even before the advent of electronic health records, Congress enacted the Health Insurance Portability and Accountability Act to ensure that healthcare providers, also known as Covered Entities, protect patients from unauthorized disclosure of paper medical records. The HIPAA rules and regulations went into effect over the next ten years by way of a series of privacy implementations and compliance deadlines.
In 2009, President Obama signed the American Recovery and Reinvestment Act, which included the Health Information Technology for Economic and Clinical Health Act (the HITECH Act). The main goal of the HITECH Act is “improving health care quality, safety, and efficiency” by the “promotion of health information technology.” The centerpiece of the HITECH Act is:
- 1) The conversion of paper medical records to electronic health records; and
- 2) The “meaningful use” of electronic health records to accomplish the HITECH Act’s goal.
The HITECH Act dedicated $31 billion in stimulus funds to healthcare providers to assist them in the conversion process from paper records to electronic health records.
However, now that this information is on data servers and easily transmittable by way of desktops, laptops, and mobile devices, it is more vulnerable to theft and misuse. The potential scale of the risk is also exponentially higher: the theft or loss of not just one or even a hundred records, but millions. Despite this exposure, the healthcare industry remains behind in cyber security. A year-long examination of cybersecurity by the Washington Post from December 2012 found that the health care industry “is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems.”
Researchers estimate that in 2012 alone, 94% of healthcare organizations experienced a data breach, resulting in a total loss of more than $7 billion. The losses are not just borne by the private sector; experts estimate that identity theft by use of stolen personal health information costs Medicare millions of dollars each year.
The losses related to security breaches are not just economic; they are often personal and emotional. In 2008, the UCLA Medical Center discovered that television celebrity Farrah Fawcett’s electronic medical records had been accessed by an unauthorized individual while she was receiving cancer treatment from UCLA. The individual responsible for accessing the records apparently sold the information to the Enquirer, which then published the fact that Fawcett’s cancer had returned before she had shared this information with her son.
For these reasons, the financial incentives extended to Covered Entities to adopt electronic health records included mandatory data privacy and security regulations. The HITECH Act imposes data privacy safeguards on Covered Entities along with monetary penalties for breaches of these safeguards, including:
- Mandatory self-reporting of privacy breaches;
- The extension of HIPAA rules and regulations to healthcare provider “Business Associates” and even subcontractors;
- Mandatory fines for privacy breaches ranging from $25,000 to $1.5 million;
- Statutory authority to federal government and state attorneys general to enforce and punish HIPAA violations through criminal and civil enforcement; and
- Mandatory audits by the Department of Health and Human Services.
Then, on January 25, 2013, HHS’s Office for Civil Rights published the HIPAA Final Omnibus Rule, which took effect on September 23, 2013. The Omnibus Rule significantly expanded the HIPAA privacy rules and provides the Office for Civil Rights with greater authority to police and enforce HIPAA/HITECH Act privacy regulations. The bottom line is that Covered Entities have a legal duty to:
- 1) Conduct a mandatory risk assessment of any and all potential “compromise” of personal health information; and
- 2) Self-report any occurrence of a “compromise” of electronic health records to HHS, the patient or patients affected by the compromise, and even the media in some circumstances.
When a Covered Entity or Business Associate finds that a personal health information breach has occurred, it has no more than 60 days from the date of the incident to determine whether or not the incident resulted in a reportable “compromise” of personal health information. If a “compromise” has occurred, the incident must be reported within this 60-day period.
As of September 23, 2013, the Covered Entity or Business Associate carries the presumption that a “compromise” of personal health information has occurred whenever there is an inadvertent or unauthorized disclosure of personal health information and, therefore, bears the burden of proving its position at any future audit. Should the Office for Civil Rights disagree, the Covered Entity or Business Associate may be found willfully neglectful, resulting in more severe fines or corrective action.
The bottom line is that the September 2013 enhancements to the HIPAA privacy and security rules expose Covered Entities or Business Associates to a significantly greater level of regulatory oversight when it comes to personal health information, and the possibility of significant monetary penalties or corrective sanctions for non-compliance.