Posted On: January 7, 2010 by Mercedes Varasteh Dordeski

Responding to an Electronic Medical Records Security Breach: What Every Health Care Provider Needs to Know

The personal health information of thousands of Detroit area patients was compromised recently when five computers and a flash drive were stolen from the Herman Kiefer Health Center in downtown Detroit. The stolen devices contained electronic medical records for approximately 10,000 immunization program patients, including names, addresses, social security and Medicare/Medicaid numbers.

Following this electronic medical records security breach, many health care providers may be wondering how they would respond to a similar crisis. In light of the Congressional push to require health care providers to make “meaningful use” of electronic health records by 2011, the prevalence of electronic records is on the rise and will only increase in coming years. Additionally, the proper handling of such breaches has become even more crucial in light of the security breach notification requirements that were added last year to the Health Insurance Portability and Accountability Act (“HIPAA”).

Given that a medical records security breach is enough to send even the most seasoned health care provider into a panic, practitioners should familiarize themselves with the HIPAA breach notification requirements and establish written policies and operating procedures before a breach occurs. Importantly, providers who fail to adhere to the HIPAA breach notification requirements may face civil penalties ranging from $100 per violation up to $1.5 million per year for identical violations, depending on the nature of the breach and the provider's level of culpability (from "did not know" up to willful neglect).


The following is an outline of steps health care providers should take to determine if a breach has occurred, and what needs to be done in that event. (Providers should take note that this is only a general outline, and that such analysis may vary depending on the unique characteristics of each practice.)

Step #1 – Did a Breach Occur?
First, providers need to remember that not every improper disclosure of patient information is a reportable breach. A true “breach” is defined as “the acquisition, access, use or disclosure of unsecured protected health information (not otherwise permitted under the HIPAA rule) which compromises the security or privacy of the protected health information.” Additionally, the phrase “compromises the security or privacy” means that the breach poses a significant risk of financial, reputational, or other harm. Therefore, the mere fact that protected health information (PHI) has been disclosed does not automatically trigger the breach notification requirements.

Whether or not a breach has occurred can be analyzed using the following questions:
Question 1 – Was the disclosure authorized by the patient, and/or was it for treatment, payment or health care operations? The full list of permitted uses and disclosures is found in the HIPAA Privacy Rule. If the disclosure is authorized or permitted, no breach has occurred.
Question 2 – Is the PHI "unsecured"? "Unsecured" essentially means that the PHI has not been rendered unusable, unreadable or indecipherable to unauthorized individuals. Health and Human Services has issued specific guidance on what qualifies; in a nutshell, electronic PHI must be encrypted using a process consistent with the NIST standards the guidance references, and non-electronic PHI (e.g. paper charts and films) must be shredded or otherwise destroyed. Two points are easy to get wrong here. First, merely "encoding" data (for example, storing it in base64 or a proprietary file format) is not encryption and does not make the data unreadable; anyone who obtains the device can reverse it. Second, the encryption safe harbor only holds if the decryption key was not compromised along with the data, so the key must be stored on a separate device or at a separate location from the data it protects. A stolen laptop whose full-disk encryption password is written on a sticky note attached to it is still a breach of unsecured PHI.
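The following is an added example, not part of the original post, to make the "encoded versus encrypted" distinction above concrete. It uses Go's standard crypto library (AES-256-GCM) and a constructed, fictitious patient record; the record contents, function names, and the zero key standing in for "the thief has no key" are all assumptions for the demonstration. It shows that base64 "encoding" is reversed by anyone with no key at all, while authenticated encryption cannot be opened without the key and also detects tampering. Key storage and rotation are deliberately out of scope; in practice the key comes from a key manager or hardware token, never from the same disk as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// sampleRecord is a constructed, fictitious record used only for this demonstration.
const sampleRecord = "name=Jane Doe;dob=1970-01-01;ssn=000-00-0000;program=immunization"

// encodeOnly shows what "encoding" (here base64) actually does: it changes the
// representation of the data but hides nothing, because anyone can reverse it.
func encodeOnly(record string) string {
	return base64.StdEncoding.EncodeToString([]byte(record))
}

// decodeOnly reverses encodeOnly. No key is required.
func decodeOnly(encoded string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// newKey generates a random 256-bit AES key. In a real deployment this key is
// held by a key manager or hardware token, not stored beside the data.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptRecord seals plaintext with AES-256-GCM. A fresh random nonce is
// prepended to the ciphertext; GCM also appends an authentication tag, so any
// modification of the stored ciphertext is detected on decryption.
func encryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptRecord reverses encryptRecord. It returns an error if the key is
// wrong or the ciphertext was altered, which is all a thief without the key gets.
func decryptRecord(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// "Encoded" PHI: anyone who finds the device can read it back.
	recovered, _ := decodeOnly(encodeOnly(sampleRecord))
	fmt.Println("encoded record recovered without any key:", recovered == sampleRecord)

	// Encrypted PHI: the device holds only the ciphertext; the key is elsewhere.
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	sealed, err := encryptRecord(key, []byte(sampleRecord))
	if err != nil {
		panic(err)
	}
	// Assumed attacker position: no key at all (modelled here as an all-zero key).
	if _, err := decryptRecord(make([]byte, 32), sealed); err != nil {
		fmt.Println("decryption without the real key fails:", err)
	}
	plain, err := decryptRecord(key, sealed)
	fmt.Println("decryption with the key succeeds:", err == nil && string(plain) == sampleRecord)
}
```

The practical check for a provider is therefore not "is the data in some unreadable-looking format" but "is it encrypted with a recognized algorithm, and could the thief have obtained the key along with the device".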
Question 3 – Does a HIPAA exception apply? In addition to the permitted uses and disclosures described above, there are three main circumstances where an unauthorized disclosure will not count as a breach. The first is an unintentional acquisition, access or use by a workforce member acting in good faith and within the scope of his or her authority, where the PHI is not further used or disclosed. An example of this would be a biller mistyping a social security number and pulling up the record for Patient X instead of Patient Y. (Note that this "mistake" must be unintentional and in good faith; covered entities and their employees do not have unfettered access to peruse patient records out of boredom or curiosity, and audit logs of record access are the usual way such curiosity is found.)

The second exception is an inadvertent disclosure by a person authorized to access PHI to another person at the same covered entity (or business associate) who is also authorized to access it, provided the information is not further used or disclosed (e.g., a nurse handing the wrong chart to a doctor).

The third exception is a disclosure where the covered entity has a good faith belief that the recipient would "not reasonably have been able to retain" the information. An example of this might be an accidental disclosure to a small child or to a person who is incapable of retaining or further disseminating the information.

Question 4 – Does the disclosure compromise security or privacy? Specifically, does it pose a significant risk of financial, reputational, or other harm to the individual? The Department of Health and Human Services has said that providers must carefully analyze each potential breach situation, and document that analysis, to determine whether or not a reportable breach has occurred. For example, the disclosure of a patient name and the fact that he or she has received services from a certain facility may (taken by itself) not be a breach. However, if the disclosure reveals that a patient received a specialized kind of care (for example, from an oncology clinic or HIV clinic), or discloses information that could be used for identity theft or financial fraud such as social security numbers, credit card numbers, etc., then this is likely to be a breach.

Step #2 – Who Should Be Notified?
Once a provider has determined that a breach has occurred, certain steps must be taken in order to comply with the HIPAA breach notification rule. Specifically, providers are required to issue notification of the breach to the individuals affected, to the Department of Health and Human Services, and possibly to the media, depending on the number of individuals impacted. Notification must be issued "without unreasonable delay" and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known, or reasonably should have been known, to the provider or its workforce, so the clock does not wait for the internal investigation to finish.

First, providers must notify all affected patients of the breach. The notification should be sent by first class mail (the HIPAA rule provides for alternative methods of notification if agreed to in advance or if certain conditions are met, such as substitute notice when contact information is out of date) and include a description of what happened and when, the types of information involved, the steps individuals should take to protect themselves, what the provider is doing to investigate, mitigate harm and prevent recurrence, and a toll-free phone number, e-mail address, website or postal address where the patient can obtain additional information.

If a breach involves more than 500 residents of a state or jurisdiction, notice must be given to "prominent media outlets" serving the state or jurisdiction. A breach of this scale also requires immediate notice to the Secretary of Health and Human Services. (Note that if a breach involves fewer than 500 individuals, providers are only required to keep a log of such breaches and submit it to Health and Human Services within 60 days after the end of the calendar year in which the breaches were discovered, i.e. by March 1 for the previous calendar year.)

As a general precaution, providers should establish written emergency procedures to be followed in the event of a breach, ideally created with the assistance of legal counsel, information technology consultants, or both. These guidelines should be disseminated to all employees and posted in a conspicuous area, and include, at a minimum:

o Phone numbers of local police departments to report thefts or break-ins;
o Phone numbers of an information technology consultant who can take immediate steps to stop PHI from being further disseminated if a computer or server is "hacked" or otherwise breached (for example, revoking credentials and isolating the affected machine), and who can preserve logs and the affected devices for forensic review before they are wiped or reimaged;
o Names of designated individuals responsible for contacting patients and issuing other notifications, if needed; and
o Contact information for other individuals who can assist in the event of a breach, such as a post-breach services provider or cyber-liability insurance carrier.

While crimes and mistakes do happen, it is important for providers to take the necessary precautions to protect both their patients and businesses.
