The Data Protection Primer 2007

More than four years removed from the end of the beginning of the national Health Insurance Portability and Accountability Act (HIPAA) experience, the legislation’s requirements regarding data security continue to baffle clinicians in thrilling new ways from month to month. To describe recent progress in this area as “glacial” would be a gross insult to glaciers. A recent poll by Phoenix Health Care Systems, found that 44% of providers are still not compliant with the HIPAA Security Rule finalized in February 2003—a stirring improvement of 1% since January 2006. Because failure to protect sensitive patient data may have practical and ethical implications quite apart from those associated with HIPAA, the issue of data protection has never been more critical. Changing interpretations of HIPAA guidelines, and the continuing evolution of the technology used by and against would-be data thieves, means that constant attention is necessary; a practice that is airtight today may be vulnerable tomorrow. Among the key issues of the moment:

Continuous Data Protection

By now, most practices are aware that the creation of backup copies of important data is a critical defense against data theft, destruction, or corruption. Generally, backups are created at pre-specified intervals; a typical practice might backup data once every 24 hours. Unfortunately, the eight-hour workday is fast becoming an outmoded concept; physicians may work at any time, and it is often the most recent data that is the most valuable. If a periodic backup is scheduled for 5:00pm, and data corruption occurs at 3:15pm, all changes entered in the 20+ hours since the last backup may be lost.

Continuous data protection (CDP) is a concept designed to deal with this problem. CDP solutions create a real-time record of all changes made to every file by automatically saving a fresh backup copy to a secure independent location after each change. In practical terms, this means that the user can instantly restore a file to any point in time— be it minutes, days, or weeks earlier. Because CDP systems save only the changes to a given file instead of saving the entire file each time

(if a user changes only three bytes of a 500GB file, CDP will save only three bytes), this approach will also save disk space. CDP is different from other data protection strategies, such as the Redundant Array of Independent Drives (RAID) concept or replication/mirroring, which create copies of the most recent changes only. Whereas CDP can restore data to a point prior to corruption or damage, these other approaches can only restore the corrupted or damaged data.

Until fairly recently, the market leader in the area of CDP was EMC; an outstanding EMC white paper exploring CDP in more detail may be found. In 2005, Goliath entered the ring with the launch of IBM’s Tivoli solution. Some products marketed as CDP allow only restoration to pre-specified time-points; users interested in the ability of CDP to restore to any point in time should be sure that any product they purchase actually has this ability.

Removable Media

Data theft is a significant concern for business in general. A 2005 Computer Security Institute/FBI report estimated that approximately one-quarter of all information security-related financial damages derived from the theft of proprietary information. In a simpler time, when storage devices were larger and limited in capacity, actual physical theft of computerized data was extremely difficult (imagine having to transfer a huge sensitive file onto dozens of 51/4" floppy disks). The recent proliferation of fl ash drives and other inconspicuous devices capable of storing very large amounts of information—a typical 51/4" floppy could store about 100KB of information, while the iPhone boasts internal fl ash memory of up to 8GB, or nearly one million times as much storage space—and interacting with a wide range of other devices has made it much easier for would-be information thieves.

In its Guidance on the subject, the Department of Health and Human Services suggests that “covered entities should be extremely cautious about allowing the off site use of, or access to, electronic protected health information (EPHI).” However, completely outlawing the use of removable media may be counterproductive—a flash drive may allow a physician to legitimately review a series of case files out-of-office, or allow for quick sharing of relevant data among treatment team members—so providers must develop policies and procedures for managing this kind of risk, including restricting use of removable media not justifiable from a work standpoint. In some cases, providers may wish to institute an IT system in which an administrator controls and monitors all access to removable hardware.

The Minimum Necessary Standard

No aspect of the HIPAA Safety Rule is responsible for quite as much confusion and gnashing of teeth as the so-called “minimum necessary standard,” described by the University of Miami’s Data Protection Project. In essence, this standard is a “need to know” rule; for situations in which providers must disclose, use, or request patient information in furtherance of patient care, it requires them to disclose, use, or request only the minimum necessary to accomplish the goal of the disclosure, use, or request. There are a host of exceptions to the minimum necessary standard, most importantly disclosures made for the purposes of treatment (information uses related to treatment are subject to this standard). Couldn’t be clearer, right?

The treatment exception affords practitioners considerable leeway, facilitating collaboration on patient care. However, there is much confusion over the proper application of the standard. Many providers may be unaware that the standard does not apply to disclosures for the purpose of treatment, or unfamiliar with the distinction between use and disclosure—thus leading them to apply the standard in inappropriate cases. Further confusion stems from the absence of a system-wide definition of “minimum necessary;” left to develop individual definitions, institutions or providers may withhold information when they should not. Providers with electronic medical records tend to have an easier time adhering to this standard, as records with only the necessary information included can be readily generated. Providers with paper records “were having to print out copies of charts and manually redact information before faxing it,” according to the article linked above. Readers are urged to review their own minimum necessary policies to be sure they are adhering to, but not unduly limited by, the standard.

Legislative Solutions

At its outset, many pundits expected that 2007 would be the year that meaningful health IT legislation finally saw the light of day (and the President’s desk). Earlier this year, a coalition of patient groups and other organizations formed HealthITNow!, an advocacy group headed by a pair of former Congresspersons and dedicated to supporting this cause. In June, efforts of this and other groups were rewarded when a Senate Committee passed the Wired for Health Care Quality Act, an initiative sponsored by a bipartisan group of Senators including Utah’s Orrin Hatch and New York’s Hilary Rodham Clinton. The Act would earmark $163 million in 2008 and 2009 to provide grants to healthcare professionals supporting health IT adoption, help establish state-level loan programs for other providers, and create a national coordinator for health information technology. Unfortunately, this legislation, like similar bills proposed in the past, has been hamstrung by concerns about privacy and data protection.

Patient Privacy Rights Foundation founder Deborah Peel says that the current Act is even worse in the area of patient privacy than the 2005 health IT bill that passed the Senate and died in the House of Representatives; the new bill “doesn’t even have a definition of what privacy is,” she notes. Peel says that at present, electronic medical records are more susceptible to theft than paper records. The Veterans Administration (VA) is well-known for its system-wide Vista Electronic Health Record system. In 2006, a VA laptop was stolen, resulting in the compromise of the private medical information of 26.5 million patients. Privacy advocates call for data protection measures to be built into any proposed health IT legislation; it seems unlikely that any such legislation will become a reality without addressing these issues directly.

...and Three More

Automatic Log-Off

Most practices are wise enough to require users to have passwords in order to access sensitive data. However, if it’s possible to wander by and access protected information every time a logged-on user needs a bio break, password protection is of little value. HIPAA regulations—and good data protection policy—mandate that all workstations should automatically log-off after a brief period of idleness.

Malware

Malware is a catchall term for viruses, spyware, and other software programs that infect your system and steal, alter, or damage data. Malware can enter your system through an open network connection with no precipitating user action, making it difficult to prevent. Antivirus and anti-spyware programs can help, but are useful only against known threats; a more reliable solution is the hardening of overall security using firewalls and related protections. For more, see the Privacy/Data Protection Project website.

The Physician as Privacy Advisor

HIPAA requires you to obtain a signed form from each patient indicating that he or she has been informed of his or her privacy rights. Some may need guidance and clarification, and will naturally turn to their physician for both. For this reason, it is critical that providers become familiar not only with the rules and restrictions that affect them, but also with basic patient rights under HIPAA. The links in this article, especially the educational modules available through the Privacy/Data Protection Project, are an excellent place to start.

Frank Ferrara is a freelance writer and former editor of MDNG.