EHR era ushers in stricter privacy, security

Offices that feel confident about their HIPAA compliance now face HITECH, which raises the bar for securing confidential information in a digital age. The demands have increased, and so have the penalties.

Amid all the news and confusion about how to qualify for federal incentives to purchase electronic health record systems, updated privacy and security regulations have slipped quietly under the radar. But internists should take notice because the regulations are already in effect and they're a prerequisite for getting government funds.

“This is a big change that you need to be aware of. It's passed and on the books,” said Keith T. Shiner, JD, an attorney specializing in health law at McCandlish & Lillard in Fairfax, Va. “The cost of non-compliance has gone up dramatically in terms of penalties and incidental costs related to breach notification.”

Photo by Comstock

The tougher regulations are included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law on Feb. 17, 2009. HITECH builds upon requirements already imposed under the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA.

The expanded regulations specifically address the potential for significant privacy breaches due to the increasing volume of protected health information stored and transmitted electronically. Protected health information is defined by HHS as individually identifiable health information, such as demographics or information relating to a patient's health.

While much of what's in HITECH was already covered under HIPAA, there are several important new provisions, most notably new rules governing breach notification and business associate agreements. Physicians and other covered entities must now inform HHS of any breaches of unsecured protected health information (i.e., information that is not encrypted or otherwise protected in a way approved by HHS). This obligation must be reflected in all agreements with business associates, such as health plans.

Experts are advising physicians to conduct a risk assessment, encrypt their electronic files, update their business associate agreements, and train their staff in order to be ready for audits and avoid hefty penalties for noncompliance. The maximum yearly fine has jumped from $25,000 to $1.5 million for a single, repeated violation. And the government is promising to follow through on enforcement.

According to Edward Shay, JD, a partner in the health law group at Post & Schell in Philadelphia, “In the past, HIPAA was complaint-driven. If there were no complaints about you, you could go about your business as usual. But with the affirmative audit obligation, HHS will be looking [for violations].”

Past breaches highlight risk

Physicians who have kept up to date with their obligations to protect patient information under HIPAA shouldn't experience too much disruption due to HITECH, experts said. The problem is that most physicians suffered from HIPAA fatigue after complying with the first set of regulations in 2005.

“Everyone staggered across the finish line from compliance with the privacy rule,” said Mr. Shay. “A lot of people are not aware that they have an ongoing obligation to periodically reassess risk.”

While compliance with the new regulations may seem onerous, they aren't without justification. Over the past year, several health care insurers reported significant breaches of protected health information that could have been avoided with the proper security procedures in place, according to the nonprofit Identity Theft Resource Center. While these cases concerned large companies with thousands of employees, the mistakes involved (employees violating security rules or inadequate file protection) could occur in an office of any size.

IT staff believe their organizations have insufficient resources to protect health information, according to an October 2009 report, “Electronic Health Information at Risk,” by the Ponemon Institute, a nonprofit independent research group focused on privacy, data protection and information security. The survey included 542 IT workers from health care providers or related organizations that collect protected health information in both paper and electronic formats.

Organizations are continuing to store more and more protected health information electronically, the report found. Almost half of respondents said that between 25% and 75% of the data collected by their organizations are held in electronic rather than paper documents. (The report is available online.)

Do a risk assessment

As more physicians in all sizes of practices adopt electronic health record systems, experts advise taking a few basic steps now to avoid the potential costs, disruptions and embarrassment of a data breach down the road.

“We don't want to scare physicians, but we do want them to stop and think and do an assessment of their practices,” said Thomson Kuhn, ACP's senior systems associate. A good risk assessment should uncover any vulnerability (such as unprotected files or employees faxing out protected health information) in systems or processes. This step is required under the security rules governing electronic information.

A thorough risk assessment has three main objectives: integrity (security), availability, and confidentiality, according to “An Introductory Resource Guide for Implementing the HIPAA Security Rule,” by the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce.

Loss of data or system integrity could lead to mistakes, fraud or erroneous decisions if not corrected immediately, while loss of availability, such as a system outage or malfunction, results in lost productivity and delays for patients. Loss of confidentiality, though usually unintentional, can result in loss of patient confidence, embarrassment and possible legal action against the practice, the NIST states.

In a compliance audit, an auditor likely will ask to see a written copy of the risk analysis right away, said Edward Jones, a health IT consultant and founder of a Web site that provides resources and expert commentary on HIPAA standards for electronic health care transactions. Mr. Jones was a founding commissioner of the Electronic Healthcare Network Accreditation Commission and served as chair of the Workgroup for Electronic Data Interchange, which advises HHS under HIPAA.

Physicians are expected to keep their risk analysis up to date to reflect new processes or systems, such as adoption of electronic records. But many physicians regard HIPAA as something they've already taken care of and they are not paying attention to the updated regulations under HITECH, said John Richards, executive director of the Medical Society of Northern Virginia.

“We're advising our members that they need to re-educate themselves about the rules and regulations regarding HIPAA and make the changes they need to make in their practices,” said Mr. Richards.

Some companies are offering tools to help physicians conduct risk assessments and comply with the new rules. Having all documentation in an easily accessible location makes it easier for physicians to demonstrate compliance if they are faced with an audit or complaint, noted Mr. Jones. Resources and tools will be posted on the HITECH resource page on ACP's Web site as they become available.

Encrypt your data

According to the Ponemon Institute report, organizations commonly experience multiple breaches of protected health information. In the survey, 38% of respondents said their companies had experienced at least one breach, while 28% said they had two to three. Of those that reported a breach, 33% said that the breaches involved information stored on computer databases (as opposed to documents, spreadsheets or e-mails).

To prevent breaches of protected health information, at the very least, physicians should “have your laptop and any portable device encrypted,” advised Mr. Shiner. Unfortunately, encryption doesn't appear to be the norm. Most respondents to the Ponemon Institute survey said that their organizations rely on security policies and procedures (81%), anti-virus systems (69%), training programs (67%) and firewalls (61%) to protect health information. Only 28% said they used encryption.

Information transmitted over the Internet has to be secured as well, said Mr. Kuhn. “If data leaks out for some reason but it is properly encrypted, you're safe as long as it is sitting in your system. But when data is in motion, if it is not in encrypted form, that's where your risk is.”

According to the HHS Office for Civil Rights, which enforces the updated privacy regulations, most recent reports of breaches affecting 500 or more individuals were related to lost or stolen portable devices that contained unencrypted files. Check with vendors to ensure that devices comply with encryption processes and standards set by NIST.

Review business associates

The HITECH Act requires physicians and their business associates to notify affected individuals and HHS within 60 days about any breach of protected health information involving 500 or more patients. (Breaches affecting fewer than 500 patients are reported to HHS on an annual log.) What's new is that physicians and business associates are now responsible for policing each other, whereas in the past only physicians were required to report breaches.

The change relieves some pressure on physicians in the event of a breach, Mr. Jones said, because business associates can now be held accountable and are subject to the same penalties for noncompliance as physicians. “In the past, if a problem arose, the only recourse for the covered entity [the physician] was to terminate the contract,” he added.

Thus, agreements with health plans, billing services, hospitals, and any other entities that either receive or exchange information with your office must be updated to reflect the new rules. In particular, agreements should specify how both parties will handle security breaches and notify HHS and the affected parties.

If the breach affects more than 500 people in one state, local and state media outlets must also be notified. For example, if the individuals affected are concentrated in one city or in one or more states (each with 500 affected), the physician should notify prominent newspapers or television stations serving those areas. Media outlets do not have to be notified if the affected individuals are spread out over multiple states, with no more than 500 in any one state.

Business associates are looking at agreements with physicians as well, said Mr. Shay, because they now have to consider the costs of compliance.

“It's probably a good time to say to your associates, ‘Are you aware of the new regulations and please tell us if you're doing what you need to do to get ready for this,’” he said. “You don't want to depend on a business partner who suddenly wakes up to the fact that they may have to spend $125,000 on compliance. They may choose to sever the agreement instead.”

Staff training

Staff should also be aware of new rules affecting patients, said Mr. Shiner. Under HITECH, patients have the right to access their records in electronic format and, if they pay out-of-pocket, can require (not just request) that protected health information not be shared with health plans.

Also, bring staff up to speed on how to comply with the updated rules, experts said. Review or update the office's privacy and security policies and procedures. Go over security measures specific to electronic files and portable devices. Ensure staff know what to do in the event of a breach.

“You need to educate your staff that they can't just fax stuff out anymore,” said Edward J. Zych, JD, associate chief legal officer for the Geisinger Health System in Danville, Pa., who was closely involved in the system's EHR implementation. “You need to update your authorizations” and track whether you have appropriate patient disclosure and access procedures, he said.

Perhaps most important, train staff about the breach notification rules so that there is a process in place when one occurs, said Mr. Shay.

“So often breaches [are discovered] on the day-to-day operational level, when someone notices something that doesn't look quite right,” said Mr. Shay. “It's important to train your whole workforce so that they are sensitive to it.”

While a breach is an “unlikely event” in a small practice, it's still important for staff to take precautions and to realize that “there are massive penalties possible,” added Mr. Kuhn. “They need to know what the likely causes are so that they aren't putting the practice at risk.”