“Our rules do not [prescribe] specific security approach or a specific kind of security, but they do require an actual process to evaluate whether in fact the things you are using are providing you an adequate level of security.” – Health and Human Services Office for Civil Rights Director Leon Rodriguez.
Securing patients’ personal health information will be more important than ever starting today, as new federal privacy, security, and breach notification rules of the Health Insurance Portability and Accountability Act (HIPAA) take effect.
HealthLeaders Magazine laid out how hospital chief information officers have been gearing up for the change.
But the omnibus rule has presented CIOs with a balancing act: Protect patient privacy, while actually making records easier to see and share for patients themselves.
“The more we’re pushing for transparency and interchange of records, and patients being able to have a lot of access to their own records online, the more you have to think about security and privacy,” Pamela McNutt, CIO at the six-hospital Methodist Health System in Dallas, told HLM. “We want to give patients portals, but how can we make sure that we’ve made it secure enough that someone can’t hack in and get that patient’s records? This raises the bar on the need for security.”
Providers can expect lots of new speed bumps, first among them that patients might actually start requesting their medical records in electronic form, and formally complaining when they don’t get them on time.
Providers may also face random audits, civil penalties that can reach $1.5 million per calendar year for all violations of an identical provision, and more frequent and sterner communications from Health and Human Services' Office for Civil Rights.
This CIO tightrope-walk might have gotten lost in the deluge of other deadlines, changeovers, and go-lives on the calendar this fall, but it’s still an important one.
Here are some changes, effective today, patients and providers should know:
1. Patients can ask for more, and providers have to say yes
Patients can request their own medical records electronically, by email, on a USB stick, or any similar mode of delivery, and providers have to deliver them in a timely fashion. Patients who pay for a service in full out of pocket can also ask that the visit not be reported to their health plan, and that request has to be honored.
“That includes tweaking your billing systems to make sure the patient is flagged in such a manner that all employees know that the patient’s insurance should not be billed,” McNutt said.
“I’d be willing to bet that the first penalty that gets applied after September is going to be one not for a breach, but from a patient complaining about being denied their PHI. People from advocacy groups have been plastering letters around from the OCR explaining patients’ access right, with information on how and where to complain,” said Brian Ahier, president of Gorge Health Connect, a health information exchange in The Dalles, Ore.
Patients can even ask for their records unencrypted, but that’s going to cause problems for providers because…
2. There’s a new definition for “security breach”
Though security guidelines are much tighter now, there is one "safe harbor." Security breaches only have to be reported if the data that slipped out was "unsecured." Under HHS guidance there are two ways to render protected health information secured: encrypting it (using methods consistent with NIST guidance, with the decryption key kept somewhere the data is not) or destroying it (shredding or pulping paper, and clearing, purging or physically destroying electronic media). A lost laptop whose encrypted disk has the passphrase taped to the lid is not secured; the key is what makes the difference.
If you're sending around unencrypted patient data and something goes awry, the incident is presumed to be a breach, a "breach report" is mandatory unless a documented risk assessment shows a low probability that the information was compromised, and an enforcement action may follow.
If the information that got out was secured, it falls outside the breach definition and does not have to be reported, though the provider should still document the incident and confirm that the encryption key itself was not exposed.
We’ve reported before on how important back-end encryption is for medical app developers, and it’s just as essential for personal health information in an electronic health record.
Under the old rules, an incident was an exception to the definition of "breach" if the information disclosed was a limited data set that contained no birthdates or ZIP codes. The final rule removes that exception: disclosures of limited data sets now go through the same risk assessment as any other impermissible disclosure.
3. What to do after a breach has also changed
The provider system or business responsible must now conduct a formal risk assessment that considers how much the breach has compromised protected health information. This includes:
- The kind of information that was involved, including the types of identifiers.
- How easy it would be to identify the person from that information.
- Who received or gained access to it (an unauthorized outsider, or another entity itself bound by HIPAA).
- Whether they actually viewed or acquired the information, and what was done with it.
Under the earlier rules, notification was required only when a disclosure posed a significant risk of financial, reputational, or other "harm" to the patient. Now any impermissible use or disclosure of unsecured information is presumed to be a breach, and the provider must show, through that documented risk assessment, that there is a low probability the information was "compromised" in order to avoid reporting it.
As before, providers and other covered entities must notify affected patients without unreasonable delay and no later than 60 days after discovery; notify prominent media outlets if the breach affects more than 500 residents of a state or jurisdiction; and notify Health and Human Services, at the same time as the patients if the breach affects 500 or more individuals, or in an annual log for smaller breaches.
4. Security responsibility extends beyond the hospital now
For the first time, business associates that handle patient data are directly liable under the same rules, and the same penalties, as providers, and that liability extends to their subcontractors. That includes private contractors for cloud data storage, which is becoming more and more common in healthcare.
Business associates must notify the covered entity of a breach of "unsecured" protected health information without unreasonable delay and no later than 60 days after discovery. Because the covered entity still has to meet its own notification deadlines, business associate agreements commonly set a much shorter internal reporting window.
Links to More Information
Hopefully, CIOs knew all they needed to know when the final rule was enacted earlier this year.
If you're falling behind or just want to learn more, check out these nine steps to secure patient file transfer under the Omnibus rule.