Keeping Abreast of New Healthcare Trends
Medical data breaches raising alarm
By David Schultz, Published: June 2
As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials. Keeping records secure is a challenge that doctors, public health officials and federal regulators are just beginning to grasp. And, as two recent incidents at Howard University Hospital show, inadequate data security can affect huge numbers of people.
On May 14, federal prosecutors charged one of the hospital’s medical technicians with violating the Health Insurance Portability and Accountability Act (HIPAA). Prosecutors allege that over a 17-month period, Laurie Napper used her position at the hospital to gain access to patients’ names, addresses and Medicare numbers to sell their information. A plea hearing has been set for June 12. Napper’s attorney declined to comment. Just a few weeks earlier, the hospital notified more than 34,000 patients that their medical data had been compromised. A contractor working with the hospital had downloaded the patients’ files onto a personal laptop, which was stolen from the contractor’s car. The data on the laptop was password-protected but unencrypted, which means anyone who guessed the password could have read the patient files; no encryption key stood between a thief and the data. According to a hospital news release, those files included names, addresses and Social Security numbers — and, in a few cases, “diagnosis-related information.”
Howard University spokesman Ronald J. Harris said in an e-mail that the two incidents are unrelated but declined to answer further questions. In its news release about the stolen laptop, the hospital said it will set new requirements for all laptops used by contractors and those issued to hospital personnel to help protect data. Just days after Howard University contacted its patients about the stolen laptop, the Utah Department of Health announced that hackers based in Eastern Europe had broken into one of its servers and stolen medical information for almost 800,000 people — more than one of every four residents of the state.
And in November, TRICARE, which handles health insurance for the military, announced that a trove of its backup computer tapes had been stolen from one of its contractors in Virginia. The tapes contained names, Social Security numbers, home addresses and, in some cases, clinical notes and lab test results for nearly 5 million patients, making it the largest medical data breach since the Department of Health and Human Services began tracking incidents 2 1/2 years ago. As recently as five years ago, it’s possible no one outside Howard University would have known about the incidents there. But reporting rules adopted as part of the 2009 stimulus ensure that the public knows far more about medical data breaches than in the past. When a breach occurs that affects 500 or more patients, health-care providers must notify not only HHS but also the news media.
According to an HHS database, more than 40 percent of medical data breaches in the past 2 1/2 years involved portable media devices such as laptops or hard drives. Deven McGraw, head of the health privacy project at the Washington-based Internet advocacy group Center for Democracy & Technology, said many of these incidents were avoidable. “We have technology that can help save us when we’re all too human,” she said. Cloud storage, password protection and encryption are all measures health-care providers could be taking to make portable electronic health records more secure, McGraw said. Another thing that might make health-care providers tighten their security is the potential of facing hefty fines if their patients’ data are breached. But until recently, providers haven’t had to worry much about this.
Since the enactment of HIPAA in 2003 until late last year, there were more than 22,000 complaints about violations of the law’s privacy rule. HHS assessed a monetary penalty only once, according to a report it gave to Congress. Although the department has the power to issue subpoenas when enforcing HIPAA, it has only used that power twice since 2003. “The industry is very interested and responsive to correct the mistakes that they make and improve their privacy policies, so it’s not necessary for us to resort to these types of penalties,” said Susan McAndrew, deputy director for health information policy at HHS’s Office of Civil Rights.
HHS was criticized for lax enforcement at a Senate hearing in November. In the six months that followed, the department reached settlements in several HIPAA cases with penalties totaling more than $1.5 million. McGraw said HHS was losing credibility on the enforcement issue, so she’s pleased by the department’s rapid response to its Senate grilling. But, she said, federal regulators can only do so much. While the benefits of electronic health records far outweigh the risks, she said, those risks can only be mitigated — not eliminated.
“No matter how good you make the technology,” McGraw said, “we’ll never get the risk down to zero. But we can do a lot better than we have been doing.”
— Kaiser Health News
Kaiser Health News is an editorially independent program of the Henry J. Kaiser Family Foundation, a nonprofit, nonpartisan health policy research and communication organization not affiliated with Kaiser Permanente.
ROI+ Key Element in North Shore Jewish Health Center PHI Management
North Shore-Long Island Jewish Health System (NSLIJ) has invested $400 million to connect 15 hospitals, 2,500 employed physicians and 8,000 affiliated physicians. This represents one of “the largest EHR programs in the New York metropolitan area and one of the largest in the nation.” AMR, the healthcare arm of ABT Global, was chosen as the legacy PHI content “cloud” repository, located at the AMR San Diego data center. In addition, AMR developed critical migration middleware to smooth the integration of the various Allscripts systems in the North Shore provider network. “What I see bodes well for the future,” said John Bosco, CIO of North Shore-Long Island Jewish Health System, Allscripts’ biggest client. “We’re the largest Allscripts customer by orders of magnitude,” said Bosco. “Allscripts is our go-forward partner.” AMR is now a critical part of the total EMR initiative at North Shore, working with Allscripts and Digital Information to implement a total PHI management solution.
“The healthcare delivery system is founded upon trust – a trust that those receiving health information will keep it confidential and secure. This trust is now being tested as the healthcare industry moves to adopt electronic health records, access federal incentives, and facilitate better patient care. PHI is now more susceptible than ever to accidental or impermissible disclosure, loss or theft. Health care organizations (providers, payers, and business associates) are not keeping pace with the growing risks of exposure as a result of EHR adoption, the increasing number of organizations handling PHI, and the growing rewards of PHI theft. PHI data breaches are growing in frequency and in magnitude with huge financial, legal/regulatory, operational, clinical and reputational repercussions on the breached organization,” they say.
The report provides CISOs, CIOs, IT security, privacy, and compliance personnel with information to help them better understand the potential risks and liabilities resulting from data breaches. “Healthcare is one of the most-breached industries,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Healthcare providers and supporting organizations don’t currently have sufficient security and privacy budgets, including adequate processes and resources, to protect sensitive patient data.”
The Financial Impact of Breached Protected Health Information (download)
But if healthcare industry leaders really understood the privacy expectations of their patients and customers and the repercussions and costs resulting from a PHI breach, as well as the advantages that increased security and HIPAA compliance could bring to their organizations, the return on investment (ROI) in strengthening their compliance programs would be far more attractive.
In fact, privacy and security programs would likely become a high priority if the health care industry more widely understood the increasing costs of class action lawsuits resulting from data breaches, not to mention the statistical probability that nearly all health organizations will experience an electronic data breach in the next few years.
To understand the value of PHI in an organization’s care is to understand what is lost if that PHI is breached. This report provides a framework for calculating the cost of a data breach for any organization responsible for protecting PHI, thereby making a convincing case that achieving HIPAA compliance and data security is one of the best investments an organization can make.
The threats are real and ubiquitous, the risks are high, and the financial, reputational, and legal repercussions to individuals and organizations can be severe.
New Texas health care privacy law more stringent than HIPAA (download)
By Linn Freedman and Christopher Browning
Texas House Bill 300 (HB 300), recently signed into law by Governor Rick Perry, mandates new patient privacy protections and harsher penalties for privacy violations related to electronic health records (EHR). The requirements of the Texas law are more stringent than those of its federal counterpart, the Health Insurance Portability and Accountability Act (“HIPAA”).
The Texas law requires covered entities to provide patients with electronic copies of their EHR within fifteen days of the patient’s written request for the records. This provision of the Texas law reduces the timeframe a covered entity has to produce EHR following a patient’s request from thirty days under HIPAA. The law charges the Texas Health and Human Services Commission with establishing a standard format for releasing patient EHR that is consistent with federal laws.
HB 300 also requires the Texas Attorney General (AG) to establish and maintain a website that states and explains patients’ privacy rights under Texas and federal law. The website will list the state agencies that regulate covered entities, and provide the agencies’ contact information and each agency’s complaint enforcement process. Under the new law, the AG must issue an annual report regarding the number and types of complaints pertaining to patient privacy issues.
Why one-third of hospitals will close by 2020 (download)
By David Houle and Jonathan Fleece
For centuries, hospitals have served as a cornerstone to the U.S. health care system. During various touch points in life, Americans connect with a hospital during their most intimate and extraordinary circumstances. Most Americans are born in hospitals. Hospitals provide care after serious injuries and during episodes of severe sickness or disease. Hospitals are predominately where our loved ones go to die. Across the nation, hospitals have become embedded into the sacred fabric of communities.
According to the American Hospital Association, in 2011 approximately 5,754 registered hospitals existed in the U.S., housing 942,000 hospital beds along with 36,915,331 admissions. More than 1 in 10 Americans were admitted to a hospital last year.
Hospitals make a substantial imprint on local economies. In many communities, hospitals represent one of the largest employers and economic drivers. Of the total annual American health care dollars spent, hospitals are responsible for more than $750 billion.
Despite a history of strength and stature in America, the hospital institution is in the midst of massive and disruptive change. Such change will be so transformational that by 2020 one in three hospitals will close or reorganize into an entirely different type of health care service provider. Several significant forces and factors are driving this inevitable and historical shift.
First, America must bring down its crippling health care costs. The average American worker costs his or her employer $12,000 annually for health care benefits, and this figure is increasing more than 10 percent every year. U.S. businesses cannot compete in a globally competitive marketplace at this level of spending. Federal and state budgets are getting crushed by the costs of health care entitlement programs such as Medicare and Medicaid. Given this cost problem, hospitals are vulnerable, as they are generally regarded as the most expensive part of the health care delivery system in America.
Second, statistically speaking, hospitals are just about the most dangerous places to be in the United States. Three times as many people die every year due to medical errors in hospitals as die on our highways — 100,000 deaths compared to 34,000. The Journal of the American Medical Association reports that nearly 100,000 people die annually in hospitals from medical errors. Of this group, 80,000 die from hospital-acquired infections, many of which can be prevented. Given the number of admissions cited above, that means 1 out of every 370 people admitted to a hospital dies due to medical errors. Hospitals are very dangerous places.
It would take about 200 Boeing 747 crashes a year to equal 100,000 preventable deaths. Imagine the American outcry if one 747 crashed every day for 200 consecutive days in the U.S. The airlines would stand before the nation and the world in disgrace. Yet in our non-transparent health care delivery system, Americans have no way of knowing which hospitals are the most dangerous. We simply take uninformed chances with our lives at stake.
Third, hospital customer care is abysmal. Recent studies reveal that the average wait time in American hospital emergency rooms is approximately 4 hours. Name one other business where Americans would tolerate this low level of value and service.
Fourth, health care reform will make connectivity, electronic medical records, and transparency commonplace in health care. This means that in several years, and certainly before 2020, any American considering a hospital stay will simply go online to compare hospitals on infection rates, surgical success rates, and many other metrics. Isn’t this what we do in America, comparison shop? Our health is our greatest and most important asset. Would we not want to compare performance for health and medical care the way we compare roofers or carpet installers? Inevitably, once we are able to do this, hospitals will be driven by quality, service, and cost — all of which will be necessary to compete.
What hospitals are about to enter is the place Americans, particularly conservative Americans, cherish: the open competitive market. We know what happens in this environment. There are winners and losers.
A third of hospitals now in existence in the United States will not cross the 2020 finish line as winners.