Protecting privacy in the electronic era: HIPAA and HITECH mandates

In 1890, Louise Brandeis and Samuel Warren published “The Right to Privacy” in the Harvard Law Review, indicating private individuals were being injured by the invasions of modern-day technology. Since tort law at that time contained no notion of privacy, this landmark paper introduced the concept of safeguarding individual privacy and laid the groundwork for doing so. Although today’s laws have evolved to protect the privacy of individuals, especially from being abused for nefarious purposes, we seem to have become an opt-in culture where subtle privacy intrusions are considered customary and are often tolerated. For instance, we routinely receive coupons for future purchases at stores based on our shopping patterns, which are tracked through our customer loyalty cards. It is also common to receive fliers and catalogs in the mail or via e-mail for services and merchants we have never done business with before. This is because many of the organizations we deal with sell our information to other entities, so there is no telling how many individuals have our personal information at any given time. While most people tolerate such intrusions, the majority draw the line when it comes to their financial and health records, taking measures to protect their privacy in those domains from any intrusions.

Despite the legal protection accorded to individual privacy, inadvertent or malicious violations are not uncommon and make for sensational media stories. The majority of privacy violations with malicious intent lead to identity theft, which generally results in financial fraud. Health care identity theft often leads to health care fraud, whereby an individual receives reimbursement for services that were never rendered or obtains health care services when he or she may be ineligible to obtain them using his or her own identity. The US Government Accountability Office estimates that 10% of health care expenditure reimbursed by Medicare is paid to fraudsters, including identity thieves and fraudulent health service providers.

In 1992, Congress passed the Healthcare Insurance Portability Act (HIPAA) to protect patients’ privacy, medical records, insurance activity, and other protected health information (PHI). HIPAA

rules required constant monitoring to ensure compliance by all entities that handled PHI, yet despite monitoring and compliance efforts by physicians, hospitals, clearing houses, and insurance companies, there have been numerous breaches of privacy, and these violations have not been aggressively pursued by the Department of Health and Human Services (HHS). The enforcement climate may change, however, after the passage of the American Recovery and Reinvestment Act of 2009 (ARRA), of which Title XIII of Division A and Title IV of Division B are referred to as the “Health Information Technology for Economic and Clinical Health Act,” or the “HITECH Act.” The ARRA provides incentives for adoption of electronic health records (EHRs), which would lead to an anticipated increase in the exchange of electronic PHI. The HITECH act widens the security and privacy provisions available under HIPAA and includes a number of measures designed to strengthen compliance by imposing substantial civil penalties on health care organization found responsible for those violations.

Even though most health care organizations have implemented HIPAA policies, there have been numerous incidents of medical data leaks that have lead to privacy violations. The Federal Trade Commission (FTC) has reported that a total of 19,428 individuals filed complaints specifically concerning medical identity theft from January 1, 1992 to April 12, 2006. This number is significant because the FTC doesn’t directly deal with health-related complaints; those are handled by HHS.

When health care organizations develop policies for HIPAA compliance and protection of privacy, it is important for them to have an understanding of who commits privacy crimes and how they are

committed. In 1995, Louis Freeh, who was the director of the Federal Bureau of Investigation at the time, stated in a congressional hearing: “In South Florida and Southern California, we have seen cocaine dealers switch from drug dealing to health care fraud schemes. The reasons—the risks of being caught are less.” This statement highlights the need to screen employees carefully who will have access to PHI, as there are also numerous cases of insiders at health care organizations abusing their access to PHI and using it for financial gain. One recent case involved an office worker at a dental clinic in Ohio who used PHI to call in prescriptions at local pharmacies. A more costly information breach occurred when a front desk clerk at the Cleveland Clinic sold the medical information of more than 1100 patients, which was then used to file an estimated $7.1 million of fraudulent claims. Safeguarding PHI is crucial, but it may be absolutely imperative for oncology practices, because they provide complex and expensive care to the sickest patients. These patients do not need the added stress and burden of having their medical identity stolen and shouldn’t have their ability to receive treatments compromised.

Of course, organization insiders aren’t the only offenders. In 2006, the Pittsburg Tribune Review reported the case of a Pennsylvania woman who found a lost wallet and used the insurance card inside to receive medical treatment at facilities in Pennsylvania and Ohio, racking up a total bill of $16,000. In 2007, Business Week discussed the case of a wanted bank robber who used a stolen identity to obtain medical care totaling $41,888 because he could have been apprehended had he

used his own identity.

In some cases, security breaches occur without any malicious intent and result from organizations inadvertently releasing PHI, which is then obtained by outsiders to commit health care fraud. In such cases, although no ill will is intended by the organization or the employees involved in the breach, the breaches cause embarrassment for the organizations and subject them to potential legal action. It is difficult to identify what causes inadvertent breaches, but most occur in settings where there are ambiguous or no organizational policies for privacy and security, inadequate control mechanisms, and employees who are insufficiently trained to protect sensitive data; it can occur in large and small institutions alike. In 2007, the University of Pittsburg Medical Center posted the information of 80 patients, including their names and associated medical images, to the institution’s Website, and in 2008, Wuesthoff Medical Center in Florida had a similar breach, with the names, social security numbers, and personal medial information of more than 500 patients appearing on their Website. Because of the size of these data breaches, they were probably quickly discovered and corrected; however, not all data breaches are discovered immediately, and some may go unnoticed. An

experiment that searched for medical information on peer-to-peer networks showed that information on 20,000 patients, including their social security numbers, contact details, insurance information, and diagnosis codes, were being shared in a spreadsheet. This example is particularly alarming because most organizations don’t actively monitor peer-to-peer traffic, and even though this particular file was being shared without any ill intent, anyone with a malicious objective could have abused this information and caused tremendous damage. The same researchers also found that users of peer-to-peer networks were actively looking for files containing medical information. Their sampling of search queries showed specific search strings, such as “medical health record,” “doctor’s office medical exam,” “medical history,” and “medical billing.” This clearly demonstrates the increased sophistication of those involved in health care fraud, which should cause health care organizations to become more vigilant in safeguarding their PHI.

The aforementioned examples illustrate various scenarios by which data breaches may occur and leave health care organizations vulnerable to prosecution for violation of HIPAA rules. The stringent and broad requirements of the HITECH Act make it imperative for all health care organizations entrusted with safeguarding PHI to reevaluate their security posture and audit their policies to ensure compliance with the security and privacy rules. A short primer on the HIPAA privacy and security rules and a brief description of the HITECH Act follow.

HIPAA Primer

HIPAA Privacy Rule

The HIPAA Privacy Rule, which is contained in subpart E of CFR 164.500 and extends to 164.534, establishes the applicability of the standards to the covered entities and their usage and disclosure of PHI. The salient standards of the privacy rule are as follows:

•A covered entity may not use or disclose PHI except for the permitted uses, which include treatment, payment, disclosure to the individual, or other disclosures that are in compliance with the rules.

•Use of de-identified PHI is permitted for clinical research and public health purposes, provided the rules governing the dissemination of de-identified PHI are observed.

•Disclosure of PHI to business associates is permitted only if written assurances can be obtained that they will appropriately safeguard the information.

•The privacy rule sets forth standards for handling the PHI of deceased individuals, including dealing with personal representatives, confidential communications, and disclosure by whistleblowers.

These standards clearly show the requirements that organizations entrusted with PHI are expected to follow. The privacy rule also sets forth the following standards:

•CFR 164.504 establishes the standard for business contracts and states that if the covered entity becomes aware of a material breach or violation of the contract, the covered entity is required to take corrective action, and if it is unsuccessful in remedying the situation, the contract must be terminated. The key point is that covered entities can’t simply ignore any known noncompliance activities of business associates.

•CFR 164.506 specifies the permitted uses and disclosures of PHI and describes the implementation specifications that delineate the permitted uses, which are outlined as treatment, payment, or health care operations.

•CFR 164.508 describes the uses and disclosures of PHI for which authorization is required. Broadly, this standard requires that authorizations must be obtained for all uses that are not covered in CFR 164.506. This section also specifi es that authorization is required for disclosure of psychotherapy notes and for the disclosure of PHI for marketing purposes, unless there is face-to-face communication between the covered entity and the individual, or a promotional gift of nominal value is provided by the covered entity. For instance, an authorization is not required, and it is not considered marketing, if a hospital provides a free package of formula and baby products to new mothers when they leave the hospital. Similarly, it is not considered marketing if an insurance agent sells a health insurance policy to an individual and then markets the policy based on responses received by the covered individual. If the covered entity is reimbursed by a third party, then it must be disclosed in the authorization. The standard for obtaining authorization where an individual has the right to refuse or agree with the disclosure of PHI is described in CFR 164.510 to 164.512.

•CFR 164.520 sets the standard for providing the notice of privacy practices for PHI, and these standards appear to have been widely adopted by health care providers and organizations.

•Just as the privacy rule standards aim to provide individuals with the right to refusal, CFR 164.522 also provides standards for the requests that can be made by an individual to a covered entity. The health care provider or organization doesn’t have to agree to all of the individual’s requests, and there are defined standards for circumstances where a covered entity may refuse an individual’s requests for restricting the disclosure of PHI. CFR 164.522 allows an individual to prevent disclosures of PHI to family members or other individuals close to the patient. This creates a unique situation for oncology practices because it is possible that an individual, whose health condition may be of interest to those close to him or her or even the general public, may make specific requests to restrict information on his or her general condition or treatment location. For instance, an individual with terminal cancer may want to keep that information private if he or she is involved in a legal dispute that may lead to an adverse decision if the litigants become aware of the individual’s health condition or if they are a high-profile politician; or he or she may be the CEO of a publicly traded company and wants to prevent competitors from using the CEO’s health information to affect the outcomes of a political race or the stock price. One need only consider the case of Steve Jobs, the CEO of Apple Inc, who took a 6-month medical leave to get treatment for his pancreatic cancer, during which time there were wild speculations about which treatments he was receiving and where.

•CFR 164.524, 164.526, and 164.528 outline access of individuals to PHI, amendments of PHI, and accounting of disclosures of PHI. The access of individuals to PHI is often governed by state laws; thus, covered entities must consult the applicable state laws as well as the privacy rule standards.

One of the most important sections for covered entities is CFR 164.530, which sets the standards for administrative requirements. These requirements include the following:

•designation of a privacy officer for implementing the standards and resolution of complaints;

• training all personnel on privacy issues;

•implementing administrative, technical, and physical safeguards to protect PHI; and

•providing processes for initiating complaints, imposing sanctions against noncomplying individuals, mitigating risks, refraining from retaliation, and not requiring individuals to waive their privacy rights.

The administrative requirements also stipulate that all privacy documentation standards and related communication must be kept in written or electronic form, and such documentation should be

retained for 6 years from its creation or last enforcement date.

HIPAA Security Rule

The HIPAA Security Rule is essentially a subset of the privacy standards and requires implementation of administrative, physical, and technical safeguards for protecting PHI. The security rule differs from the privacy standards in its implementation, as its requirements are more technical than administrative. To comply with the security rule, a covered entity must do the following:

•Implement a security management process to prevent, detect, and correct security violations.

• Designate an individual to develop and implement the policies.

•Define appropriate access-control policies.

•Provide security awareness training to all employees.

•Implement procedures for security incident reporting and establish a contingency plan to deal with security violations.

•Perform periodic technical evaluations to ensure standards compliance.

•Provide physical safeguards for workstation use, workstation security, and device controls.

•Implement technical safeguards for authentication, access, audit, integrity, and transmission of PHI.

The HITECH Act

Enforcement

Under the HITECH Act, mandatory penalties must be enforced for willful neglect of privacy and security provisions. Willful neglect is open to interpretation and may be decided on a case-by-case basis by HHS. Civil penalties for willful neglect can extend to up to $250,000, and repeat violations may increase the penalty to $1.5 million. Although HITECH prevents an individual from bringing a lawsuit against a covered entity, it does permit the state attorney general to take legal action on behalf of the individual.

Breach notification

The HITECH Act imposes breach notification requirements that are similar to many state data breach laws related to banking and credit cards. The Act states that all patients affected by a breach must be notified, and the following information should be included in the notice:

• brief description of what happened, date of breach, and date of breach discovery;

•descriptions of the types of unsecured PHI involved, such as names, social security numbers, dates of birth, addresses, and diagnoses;

•steps that an individual affected by the breach must take to protect themselves against the harmful effects resulting from the breach;

• brief description of what the covered entity is doing to investigate the breach, the measures that are being taken to mitigate any damage, and what preventive stratagems are being implemented to prevent future breaches; and

•information on where affected individuals can obtain additional information, such as a Website URL, phone number, e-mail address, or postal address.

If the breach impacts 500 or more patients, HHS must be informed, which will then publish the name of the entity involved in the breach on its Website. The covered entity must inform the affected patients by mail or e-mail, but if addresses are not known for 10 or more individuals, then the covered entity may post a message on its Website. If 500 or more individuals are affected, then the prominent local media outlets in each state where the individuals reside must also be notified of the breach, and the secretary of HHS must be notified immediately. Once the notifications have been completed, an annual log of audits that track any other breaches must also be submitted to HHS for evaluation.

Electronic PHI access

The HITECH Act states that if a provider has implemented an EHR, then individuals have the right to request and obtain their PHI, or they can designate a third party to be the recipient of this information.

Extension of HIPAA rules to business associates

The most significant change introduced in the HITECH Act is that business associates are now required to comply with the safeguards of the security rule. The business associates are liable for civil penalties under certain conditions. The Act also requires business associates to report any security breaches to covered entities consistent with the breach notification criteria.

Methodology for PHI protection

The HITECH Act requires the secretary of HHS to provide guidance on the methodologies for protecting PHI, such as data destruction and encryption methodologies, which render data unusable by unauthorized persons. The use of encryption for PHI may provide a safe harbor to covered entities, preventing them from having to give notice in the event of a breach.

Take-home message

Health care organizations of all sizes have made efforts to comply with HIPAA requirements, but larger organizations have generally done a better job at instituting stricter security and privacy policies to prevent data breaches and comply with the security and privacy rules. Many small health care organizations, including smaller community oncology practices, lack the resources and expertise to fully institute the privacy and security policies. Also, the common perception is that stricter security rules lead to imposing access controls and data access safeguards that may slow or impede the normal existing workflows.

Through proactive audits and strict breach requirements, the HITECH Act is going to require that all health care organizations and their business associates ensure compliance. All organizations will have to audit their existing HIPAA privacy and security practices and update them to comply with the new requirements. In addition, organizations will be required to update their notice of privacy practices, modify their existing business associate agreements to include vendors and other participants, and review these agreements for compliance with the HITECH Act. Organizations will also have to assess their data protection requirements carefully to ensure that they can circumvent the breach requirements under the HITECH Act and state laws by

using encryption and data destruction guidelines.

Taimur Aslam is Vice President of Technology at Argole

Systems, Inc.