In 1996 Congress passed the Health Insurance Portability and Accountability Act (HIPAA). One of the components of the law was to protect the privacy of patient information. This law required covered entities to properly store and then destroy patient information. Doctors and hospitals now had to secure the information in their care.
Since HIPAA became law, the use of medical records has changed significantly. We are in the middle of the national conversion to electronic medical records (EMRs). The Health Information Technology for Economic and Clinical Health Act (HITECH) was part of the 2009 stimulus package and encourages the conversion to EMRs. This is done with a carrot, in the form of incentive payments to digitize, but also with a stick, in the form of reduced Medicare payments for practices that do not adopt EMRs.
The use of EMRs brings many benefits to the medical profession but also new risks. Instead of a few files found in the trash, it might be a stolen disk drive holding the information of thousands of patients. This is why HITECH mandated notification of breaches of patient data.
Medicine has also changed. It is now much easier to obtain and use genetic information. To protect privacy, the Genetic Information Nondiscrimination Act of 2008 (GINA) was passed, which limits how genetic information may be used.
To apply the changes from the new laws, the Office for Civil Rights (OCR) has issued a final rule on how the law will be applied. OCR is responsible for enforcing the law. The full release is on its website, but here are some of the major changes:
- Make business associates of covered entities directly liable for compliance with HIPAA privacy and security requirements.
- Limit the disclosure or sale of protected health information (PHI) without the patient's consent.
- Expand individuals' rights to receive electronic copies of their health information.
- Restrict disclosures to a health plan when the patient has paid for the treatment out of pocket.
- Require modifications to, and redistribution of, the notice of privacy practices.
- Update the individual authorization for research and the rules for disclosing immunization records.
- Increase access to a decedent's information by family members and others involved in their care.
- Adopt the HITECH changes to the Enforcement Rule, including the higher penalty tiers for willful neglect.
The changes go into effect on March 26, 2013, and practices have 180 days to comply with the new provisions. If you want a date, it is September 23, 2013. HHS Secretary Kathleen Sebelius said, "The new rule will help protect patient privacy and safeguard patients' health information in an ever-expanding digital age."
Many smaller medical practices have shrugged off the threat of HIPAA enforcement. It was hard to argue with them, because the Department of Health and Human Services (HHS) had targeted large organizations in the past. That has changed with the announcement of a settlement with the Hospice of North Idaho (HONI).
The violation happened when a laptop belonging to HONI was stolen in June 2010. The computer held unencrypted protected health information (PHI) for 441 patients. Since the theft, HONI has taken many steps to protect its patients' information.
This is the first settlement for a breach affecting fewer than 500 people. It calls for a payment of $50,000, an expensive mistake for a smaller practice. The HITECH amendments to HIPAA require the practice to notify patients when there is a breach of their medical data.
Medical practices of all sizes are now on notice that HHS is actively looking for anyone who violates HIPAA and is taking the security of medical information very seriously. Paper documents are the easier part to protect: the first step is physical storage of the records under lock, and the second is shredding them once they are no longer needed.
Protecting electronic records is a bigger challenge. Few doctors understand the security requirements for networks and servers, so this calls for a network security specialist who can audit how the records are stored and shared. In the end, though, the weakest link is the laptop or backup tape that someone takes home; these are inviting targets for thieves looking through car windows or on the bus. Full-disk encryption is the check that matters here: under the HITECH breach notification rule, PHI encrypted according to HHS guidance is treated as unreadable, so a lost encrypted laptop is not a reportable breach, while the unencrypted HONI laptop was. A cloud-hosted system may be a better solution, because the practice can then focus its security on one server instead of many computers that may not be as well secured. The trade-off is that the data is now reachable by anyone with an internet connection, so authentication, access controls, and encryption in transit on that one server have to be done right.
Few documents are more regulated than medical records. HIPAA has been in place for years and covers the safe storage and disposal of protected health information (PHI). Now the Department of Health and Human Services (HHS) is more aggressively going after HIPAA violators, and the penalty cap is $1.5 million per year for each type of violation. It is hard to imagine the average practice has that kind of money in reserve to pay HHS in fines.
The HITECH additions to HIPAA require practices to give notice of any breach of unsecured PHI. A notice to patients is not only expensive but damages the practice's credibility in the eyes of the patient. Trust is valuable for any business, and even more so when it is your health that is at stake.
Many practices are moving to electronic medical records (EMRs). This has the advantage of eliminating much of the expense of storing and shredding paper. However, it will be decades before paper is completely eliminated from medicine, and all of it still needs to be properly destroyed.
Most doctors' offices now use a shredding service to help with their HIPAA compliance. It makes it easy to have a destroy-all-paper policy, so there is never a question of what needs to be destroyed and what can be thrown away. The service comes by on a schedule and provides a certificate of destruction. The good news is that the convenience costs less than buying shredders for everyone.
The biggest surprise is patient satisfaction. When people are sick they can be very sensitive, and the loud grinding of a shredder is sometimes too much for them. This pushes the staff to move the shredding outside patient hours, and since no one likes to come in early or stay late, the paper just piles up.
That pile of un-shredded paper is the biggest risk to a HIPAA compliance plan. Eventually someone will toss it in the dumpster to avoid the work of shredding. With so many people going through dumpsters, there is a real risk the records will be discovered and reported to the news or the police. That is one of the ways complaints reach HHS.
James Pyles is an attorney who specializes in the privacy rights of patients. He thinks more privacy protections need to be extended to patients, and he has authored a Health Information Privacy Bill of Rights. The goal is to give patients the same level of privacy protection that consumers already get.
As the nation moves to electronic health records (EHRs) at the direction of HITECH, holes are forming around patient privacy. It is no longer just a matter of shredding medical records. Patient data is now sold for research and marketing purposes without the patient's knowledge, something that can no longer be done with financial records.
There is also more security that needs to be put in place. The number of breaches of patient data is alarmingly high. Forty-six states require notifying patients of breaches, but every state's law is different, and four states still have no requirement at all.
A lack of privacy may also lead to bad medical outcomes. People needing mental healthcare may avoid it if the information is not private, and leaving these problems untreated can lead to problems for society at large. There may also be reluctance to seek treatment for STDs or other stigmatized diseases.
EHRs have the potential to be of great benefit for the patient as well as for the medical community. Records can now be shared more easily, which is welcome when you want your records sent to a specialist, but most people do not feel the practice has the right to sell their information without their knowledge. Let's hope privacy legislation like what Mr. Pyles is proposing can help close the gap.
Washington has been unable to pass a national data breach notification law, the result of a lack of interest and the standard gridlock of politicization. The one exception is for medical data, covered by the HITECH updates to HIPAA.
The problem is that 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have filled the void with their own laws. For businesses operating in multiple states it can be very confusing: every state law differs in the size of breach that triggers notice, the type of data covered, and the notification method. The National Conference of State Legislatures maintains a good list of each state's law.
For those wondering which four states have avoided the trend toward requiring data breach notification, they are Alabama, Kentucky, New Mexico, and South Dakota.
For businesses in the 46 states, and for anyone who handles medical information, there are some simple steps to make sure you never need to notify your customers:
- Limit access to private information with locked doors and locked file cabinets.
- Perform a network security audit of your computers and servers, and make sure nothing sensitive is exposed to the internet.
- Shred everything you no longer need, and keep a copy of each certificate of destruction on file for your compliance records.
Jacquelyn Romero was looking for boxes to store her Christmas decorations but got more than she expected. She found what looked like good boxes beside a dumpster, but they were not empty. They were filled with medical records, and the files included all the basics needed for identity theft.
Jacquelyn called the local news about the problem. It is still unclear who was responsible for the records, which are now with the Nevada Board of Medical Examiners.
Shredding medical records has been a federal requirement since HIPAA went into effect half a dozen years ago, and the fines that can be imposed under the HITECH changes to the law are very punitive.
If you have medical records to dispose of, we have some great Las Vegas shredding services that can help you out. They can turn medical records into bits and then recycle it all.
Eco-Shred LLC of Menomonee Valley is growing. The business just closed on a new 8,300 square foot location. It provides off-site shredding to businesses in Madison, Sheboygan, and Racine, makes a point of hiring veterans, and expects to expand from three employees to six over the coming year.
The opportunity for document shredding services continues to expand. Recent hearings by the Senate Judiciary Committee's privacy, technology and law subcommittee hint at increased enforcement of HITECH, which requires better security for all medical documents, including their destruction.
The concerning part for medical practices is the size of the penalties for data breaches. The fines increase if the breach was caused by "willful neglect," and it is hard to argue that leaving medical records in the trash is anything but neglect. The willful neglect tier starts at $10,000 per violation, with an annual cap of $1.5 million for identical violations, so a single box of discarded records can become a very large fine. The penalty is deliberately punitive to deter this kind of negligence.
The other part of HITECH is the incentives for medical practices to convert to electronic health records (EHRs). This creates a tremendous amount of shredding of the old paper records. But even with EHRs there will always be some paper that is printed or arrives by mail and must be shredded to protect patient privacy.
The Sutter Gould Medical Foundation is moving to electronic medical records (EMRs), a process that involves scanning all past medical records. A HIPAA violation occurred when a box of medical records was thrown in the trash by a vendor instead of being shredded. They were unable to recover the box, which they believe is now buried at the dump. The affected patients were notified of the incident in compliance with HITECH. [news report]
It sounds like they did everything by the book once the problem was discovered. They must also keep a good inventory to know that one box was missing. It is unfortunate that any information was mishandled, but they are an example of how to respond.
There is no doubt that companies are required to spend money on privacy compliance. Laws like Sarbanes-Oxley, FACTA, HIPAA and HITECH require careful control and destruction of personal information. Ponemon Research puts the average cost of compliance at $3.5 million for the 46 businesses it studied.
The obvious alternative is to simply ignore the laws and hope you avoid detection. That might not be the best bet. The same study found that non-compliance would have cost those 46 businesses an average of $9.4 million, with the costs coming from productivity losses, business disruption, fines, and penalties.
Many people live by the motto "It's easier to ask forgiveness than to get permission." When it comes to privacy compliance, this study says the opposite.
The University of Tennessee Medical Center failed to shred the medical information of 8,000 patients; the documents were left in a dumpster. Under the HITECH changes to HIPAA, the hospital was required to disclose the breach.
At this time there is no indication that anyone took the documents. However, it is still a black eye for the hospital. [article]
Always start with the basics of preventing physical access to private information. Then make sure you get a good shredder in Tennessee.