<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; ehr</title> <atom:link href="http://www.cippguide.org/tag/ehr/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Thu, 09 Feb 2012 12:00:48 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>Data Breaches Cost US Hospitals $6 Billion Annually</title><link>https://www.cippguide.org/2011/03/15/data-breaches-cost-us-hospitals-6-billion-annually/</link> <comments>https://www.cippguide.org/2011/03/15/data-breaches-cost-us-hospitals-6-billion-annually/#comments</comments> <pubDate>Tue, 15 Mar 2011 12:00:46 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Department of Health and Human Services]]></category> <category><![CDATA[ehr]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[Healthcare]]></category> <category><![CDATA[HHS]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[HITECH]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=2454</guid> <description><![CDATA[The 2010 Benchmark Study on Patient Privacy and Data Security, conducted by the Ponemon Institute. The study revealed that data breaches were costing hospitals across the US up to $6 billion each year. Breaches of patient information are largely undetected by the organization, due to lack of priority, resources, preparation and staffing for privacy and security [...]]]></description> <content:encoded><![CDATA[<p>A recently released report revealed that many <a
href="https://www.cippguide.org/tag/healthcare/">health care organizations</a> in the United States experience undetected data breaches, which cost up to $1 million per organization per year, or about $6 billion annually. The failure of organizations to prevent or detect patient data breaches may result in medical identity theft, financial identity theft and unintentional disclosure of medical facts.</p><h2>In Brief</h2><p>The report, entitled the <a
href="http://www2.idexpertscorp.com/resources/healthcare/healthcare-articles-whitepapers/ponemon-benchmark-study-on-patient-data-security-practices/?utm_source=Ponemon%2BRedirect&amp;utm_medium=Online&amp;utm_campaign=Ponemon%2BRedirect/"><em>Benchmark Study on Patient Privacy and Data Security</em></a>, was published by the <a
href="http://www.ponemon.org/index.php">Ponemon Institute</a> and <a
href="http://www2.idexpertscorp.com/">ID Experts</a> in November 2010. The study was based on findings from 65 health care organizations (mainly hospitals) and included an examination of each organization’s privacy and data protection compliance activities; policies; program management activities; security technologies; security governance practices; and compliance with the mandates of the HITECH Act of 2009.</p><p>The major findings of the report are briefly outlined below:</p><ul><li>Data breaches cost the US health care system billions of dollars each year. The study revealed that the economic impact of data breach incidents amounted to over $2 million over a two-year period.</li><li>The majority of health care organizations have undetected patient data breaches. Organizations participating in the study reported they had inadequate resources (71%); few appropriately trained personnel (52%); and insufficient policies and procedures in place (69%) to quickly and effectively prevent or detect patient data loss. It was shown that data breaches went undetected due to the lack of preparation and staffing.</li><li>Patient data protection is not a priority in health care organizations. 70% of hospitals participating in the study responded that protecting patient data was not one of their top priorities. 67% of the organizations hired fewer than two staff members dedicated to data protection management. At many organizations, the patients were the first to detect a disturbingly high number of breaches (41%). This means that sensitive data was being unknowingly exposed until the individuals detected the breach.</li><li>Despite recently enacted federal regulations, the security of patient records has not improved. Acts supporting the privacy and security of medical information, such as the HITECH Act of 2009 and the <a
href="https://www.cippguide.org/tag/hipaa/">HIPAA of 1996</a> have not resulted in stronger safeguards for patient data. According to the study, 71% of respondents did not believe that these federal regulations have sufficiently improved the management of patient records.</li></ul><h2>What is the HITECH Act?</h2><p>The <a
href="http://en.wikipedia.org/wiki/HITECH_ACT#HITECH_Act:_Privacy_Requirements">Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009</a> was enacted as part of the <a
href="http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009">American Recovery and Reinvestment Act of 2009</a>. It was designed to address privacy and security concerns regarding the electronic transmission of health information. With the HITECH Act, starting in 2011, a physician is eligible to receive up to $44,000 in incentives for “<a
href="http://www.athenahealth.com/_doc/pdf/athenahealth_Meaningful_Use_Client_Advisory.pdf">meaningful use</a>” of an electronic health record (EHR).</p><p>The HITECH Act also extended the <a
href="http://www.ihs.gov/NonMedicalPrograms/BusinessOffice/documents/2010pres/FIOAhandoutI.pdf">Privacy and Security Provisions of the HIPAA</a> to business associates of covered entities, which include criminal and civil penalties. The Act imposes new breach notification requirements on the following entities:</p><ul><li>Covered entities</li><li>Business associates</li><li>Vendors of personal health records</li><li>Related entities</li></ul><p>Finally, the HITECH Act implements rules regarding disclosures of a patient’s health information. Disclosures include information that is used for treatment, payment and health care operations when the health care provider is using an EHR.</p><h2>Moving to EHR</h2><p>The majority of respondents in the Ponemon study believed that making the switch to <a
href="http://en.wikipedia.org/wiki/Electronic_health_record">electronic health records (EHR)</a> would make patient data more secure. EHRs are longitudinal electronic records of patients’ health information. They are both generated and maintained within a health care institution, such as a hospital, <a
href="http://www.glgroup.com/Dictionary/HC-Integrated-Delivery-Network-(IDN).html">integrated delivery network</a>, clinic or physician’s office.</p><p>Such records would include:</p><ul><li>Progress notes</li><li>Patient’s demographics</li><li>Past medical history</li><li>Immunizations</li><li>Health Problems</li><li>Medications</li><li>Vital signs</li><li>Laboratory data</li><li>Radiology reports</li></ul><p>Proponents argue that implementation of EHR processes and systems will help to provide additional functionality (e.g. interactive alerts, interactive flow sheets, tailored order sets), which may not be possible with traditional, paper-based systems. Other major benefits of EHRs include:</p><ul><li>Reduction in medical error</li><li>Improved accuracy/clarity of records</li><li>Increased availability of health information</li><li>Reduced delays in treatment times</li><li>Less duplication of tests</li><li>Better-informed patients</li></ul><p>According to a <a
href="http://www.physorg.com/news/2011-01-benefit-electronic-health.html">recent study</a> conducted by researchers at the Stanford University School of Medicine, EHRs did little to improve the quality of health care. This was based on data from almost 250,000 patient visits, between 2005 and 2007. Although the federal government’s <a
href="http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009">American Recovery and Reinvestment Act of 2009</a> allotted $19.2 billion for health information technology, specifically for the adoption of EHRs, there has not yet been evidence of positive impact.</p><h3>Summary</h3><p>The article takes a look at the 2010 Benchmark Study on Patient Privacy and Data Security, conducted by the Ponemon Institute. The study revealed that data breaches were costing hospitals across the US up to $6 billion each year. Breaches of patient information are largely undetected by the organization, due to lack of priority, resources, preparation and staffing for privacy and security management. The article then examines the HITECH Act (the Health Information Technology for Economic and Clinical Health Act), passed in 2009 to strengthen privacy and security safeguards for health information. One contentious issue is the adoption of electronic health records (EHRs). Although the federal government has created economic incentives for the implementation of EHR systems, researchers have found them ineffective at improving the quality of health care.</p><h3>CIPP Exam Preparation</h3><p>In preparation for the Certified Information Privacy Professional (CIPP) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Regulatory Authorities – Department of Health and Human Services (HHS) (I.A.c.iv.)</li><li>Health Insurance Portability and Accountability Act of 1996 (I.B.a.v.2.)</li><li>Criminal and Civil Liability (II.B.a.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2011/03/15/data-breaches-cost-us-hospitals-6-billion-annually/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Finding and fixing mistakes &#8211; Data Subject Access &amp; Redress</title><link>https://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/</link> 
<comments>https://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/#comments</comments> <pubDate>Fri, 03 Jul 2009 10:17:09 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[credit reporting]]></category> <category><![CDATA[data subject access]]></category> <category><![CDATA[ehr]]></category> <category><![CDATA[ele]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[FACT Act]]></category> <category><![CDATA[FACTA]]></category> <category><![CDATA[FCRA]]></category> <category><![CDATA[Google Health]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[NHS]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[redress]]></category> <category><![CDATA[UK]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=694</guid> <description><![CDATA[What happens when a company collects incorrect data?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their [...]]]></description> <content:encoded><![CDATA[<p>There are numerous guidelines, best practices and regulations for collecting information on customers, patients or other data subjects (for this article, let&#8217;s generally call them consumers) in the United States.  The most regularly visited is probably HIPAA, where nearly everyone signs some sort of disclosure notification that a primary care physician, pharmacy, lab, hospital or some other medical office will share your Personal Health Records with third parties that handle administrative tasks for the provider.  There&#8217;s a decent sized list of who constitutes a health care provider<strong>,</strong> a third party and what information between all parties involved may be exchanged for transactions such as an insurance claim.  The financial sector also regularly distributes privacy policy notifications, although most times inaccurate information doesn&#8217;t affect anyone outside the credit reporting industry.  What happens when the collected data aren&#8217;t right?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their customers?</p><h2>Historical Perspective</h2><p>This is not a new issue, and has been tackled in multiple symposia and expanded several times over the past decades.  In 1973, the US Department of Health and Human Services introduced the Code of Fair Information Practices.  The 1981 Organization for Economic Cooperation and Development (OECD) guidelines and the comprehensive 1995 European Union Data Protection Directive 95/46/EC both deal with this issue.  They define two topics &#8211; &#8220;Individual Participation&#8221; and &#8220;Data Quality&#8221;.  Individual participation centers on consumer access, or the right to view any collected information and the ability to correct errors.  
The EU expounds upon individual participation, where access must be at reasonable intervals and rectification without excessive delay or expense.  The Federal Trade Commission <a
title="FTC advisory concerning providing online consumers reasonable access to personal information collected from and about them by domestic commercial Web sites" href="http://www.ftc.gov/acoas/papers/acoasdraft1.htm" target="_blank">(FTC) released an advisory on online access and security in 2000.</a> The CIPP defines these scenarios as customer access and redress.</p><h2>Problems in credit reporting</h2><p>Let&#8217;s first examine the US credit reporting world.  Information collected by the credit bureaus is used by banks and other money lenders to determine an applicant&#8217;s credit worthiness, or more important to the lender, their risk of default.  The credit bureaus have reason to keep the information collected as unavailable as possible &#8211; between the three main companies they had a monopoly on the compiled credit history the lenders need and each one tries to glean every ounce of data on an individual to justify ordering their credit report product.  The bureaus were charging consumers for every access to their credit reports, by what some would consider an inordinate amount.  A <a
title="1998 PIRG Survey shows significant problems with the credit reporting procedures in the US" href="http://www.floridapirg.org/home/reports/report-archives/financial-privacy--security/financial-privacy--security/mistakes-do-happen-credit-report-errors-mean-consumers-lose" target="_blank">1998 survey by the Public Interest Research Group</a> underscored the customer redress situation:<span
id="more-694"></span></p><blockquote><ul><li>Of the consumers that did obtain their credit reports, at least 14% of them were forced to call back 3 or more times after receiving busy signals or had to write a letter in order to receive their report;</li><li>And 12% of the consumers waited two weeks or longer to receive their report once they finished requesting it. It took more than a month for one California man to receive his report.</li><li>Overall, 15% of consumers who attempted to participate in the survey either made at least 3 phone calls and never got through or requested their reports but never received them.</li></ul></blockquote><p>This treatment went against the privacy principles laid out in the OECD and Fair Information Practices.  <a
title="2004 US Public Interest Research Group Survey finds discrepancies on 79% of all credit reports" href="http://calpirg.org/CA.asp?id2=14889&amp;id3=CA&amp;" target="_blank">Plus, mistakes were reportedly found on 79% of consumer credit reports</a>.  Without more readily available customer access, the system was in jeopardy.  To compound these problems, there was simultaneously a rise in identity theft.</p><h2>Congress steps in</h2><p>In response, the US Congress passed the Fair and Accurate Credit Transactions Act (FACT Act or FACTA) in 2003.  The FACTA amended the 1970 Fair Credit Reporting Act (FCRA), and gave rise to a free annual credit report requirement from each of the major bureaus&#8230; and the <a
title="YouTube video of freecreditreport.com commercials" href="http://www.google.com/url?sa=t&amp;source=web&amp;oi=video_result&amp;ct=res&amp;cd=1&amp;url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D7dFbNw3bpKE&amp;ei=HYNKSq3hIISktgez2fzUBQ&amp;usg=AFQjCNHsvOf0iMh4NwCGaY0ZmkiaXhk_bA" target="_blank">slew of funny commercials about guys in pirate hats</a>. Congress decided the credit bureaus&#8217; reporting was simply too important to the US financial systems stating their rationale for the legislation:</p><blockquote><p>(a)<em>Accuracy and fairness of credit reporting.</em> The Congress makes the following findings:</p><ol><li>The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.</li><li>An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers.</li><li>Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.</li><li>There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer&#8217;s right to privacy.</li></ol><p>(b)<em>Reasonable procedures.</em> It is the purpose of this title to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this title.</p></blockquote><h3>Unintended Consequences</h3><p>It is interesting to note, that in 
response to the FACTA, &#8220;imposter&#8221; domains sprang up, with a World Privacy Forum study calling out 96 specific known sites.  The web site touted in the pirate hat commercials is not the free annual credit report required by Congress, but actually one of the imposter domains belonging to Experian.  <span>The World Privacy Forum study, &#8220;<a
title="World Privacy Rights study documents misdirection on the part of the credit bureaus in the FACTA mandated free credit report execution" href="http://www.privacyrights.org/ar/CallDontClick.htm" target="_blank">Call Don&#8217;t Click: Why It&#8217;s Smarter to Order a Federally Mandated Credit Report via Phone Instead of the Internet,</a>&#8221; found:</span></p><blockquote><ul><li> <span>28 of the imposter domains belong to Experian, a credit bureau. </span></li><li><span> 68 of the imposter domains belong to or are hosted at &#8220;pay per click&#8221; companies.</span></li><li><span> 50 of the &#8220;pay per click&#8221; domains are live, and some are luring consumers to inappropriate and risky Web sites. Some of the &#8220;pay per click&#8221; sites lead consumers to Experian and other credit companies&#8217; commercial sites in order to cash in on the credit bureaus&#8217; affiliate marketing programs.</span></li></ul></blockquote><h2>Electronic Health Records &amp; HIPAA</h2><p>Consumer access is probably not as obvious a problem in the health care community.  Most of the work currently happens on the back end, where insurance companies and health care providers&#8217; offices wrangle over receiving the right amount of money for procedures.  As an uninsured American, you may have to pick up the torch of dealing with doctor&#8217;s office blunders, but in those cases, you&#8217;re likely handling them at the time of service and won&#8217;t pay until they get it right.  Most people simply don&#8217;t see the man behind the curtain.</p><p>The scary part will surround electronic health records (EHR) and the push to incorporate them through ARRA.  As digital bits, EHR integrity could become more questionable.  It will also uncover a slew of inconsistencies that have yet to reach the light of day &#8211; the proverbial Garbage In, Garbage Out.  A <a
title="After transferring his Electronic Health Records from his hospital, an early Google Health adopter found numerous mistakes with nothing but convoluted methods to fix them" href="http://e-patients.net/archives/2009/04/imagine-if-someone-had-been-managing-your-data-and-then-you-looked.html" target="_blank">recent adopter of Google Health recounts his experience utilizing his hospital&#8217;s auto-migrate feature</a>.  Some of his revelations:</p><blockquote><ul><li>[T]he docs in the back room&#8230; quickly figured out what was going on&#8230; the system transmitted insurance billing codes to Google Health, not doctors’ diagnoses<strong>.</strong> [I]nsurance billing codes bear no resemblance to reality&#8230; <span>if a doc needs to bill insurance for something and the list of billing codes doesn’t happen to include exactly what your condition is, they cram it into something else so the stupid system will accept it.</span></li><li>EMR pontificators are saying “Online data in the hospital won’t do any good at the scene of a car crash.” Well, GOOD: you think I’d want the EMTs to think I have an aneurysm, anxiety, migraines and brain mets?? Yet if I hadn’t punched that button, I never would have known my data in the system was erroneous.</li><li>[M]y 12/6/2003 x-ray identified me as a 53 year old woman&#8230; it took me months to get that error corrected, because nobody’s in the habit of actually fixing errors&#8230;<strong> </strong></li></ul></blockquote><p>This was a contemporary hospital.  Their CIO touted the EHR revolution and already took steps embracing customer advocacy.  There will undoubtedly be push back with older hospitals or stodgier doctors.  The documented excavations are inevitable, especially with so many people involved in providing healthcare.  An <a
href="http://www.fastcompany.com/magazine/129/the-cure.html?page=0%2C1" target="_blank">article in </a><em><a
href="http://www.fastcompany.com/magazine/129/the-cure.html?page=0%2C1" target="_blank">Fast Company</a> </em>chronicled the clinical staff access associated with the writer&#8217;s medical care:</p><blockquote><p>… a list of everybody that accessed the medical record from the time he was seen in the clinic to two weeks post-op. “There were 113 people listed — and every one had an appropriate reason to be in that chart. It shocked all of us. We all knew this was a team sport, but to recognize it was that big a team, every one of whom is empowered to screw it up — that makes me toss and turn in my sleep.”</p></blockquote><p>To top it all off, there are already <a
title="How will issues with Electronic Health Records be different from paper records?" href="http://www.cippguide.org/2009/04/09/abandoned-medical-records-happen-will-abandoned-ehr-happen-more/" target="_blank">questions as to how older, paper records might be brought into the digital realm</a>.  Who&#8217;s to handle the scanning?  What&#8217;s to become of the old records?  Will the security provisions be in place to prevent EHR compromise?  It&#8217;s already time-consuming to update a digitized hospital&#8217;s records &#8211; how about those of a newly computer literate doctor&#8217;s office?</p><h2>International Example</h2><p>The US doesn&#8217;t have a lock on the access and redress problem.  Even with the heavy emphasis placed on privacy in the EU and a separate Information Commissioner&#8217;s Office (ICO) responsible for privacy, the United Kingdom has had its share of reporting and correction problems, <a
title="Th UK's National Healthcare System's electronic health database now allows customer record deletion" href="http://www.theregister.co.uk/2009/05/26/e_record_deletion/" target="_blank">most recently with their national health database</a>.  Until late May, citizens only had the option of opting out of the National Healthcare System (NHS) electronic health database or masking their data in the system.  With the socialized health care in the UK, there were instances where the opt out had serious consequences.  In British health care, a summary care record (SCR) includes information such as allergy information, current medications, medical conditions and resuscitation preferences.  There is obviously personal information included in the SCRs, and security of the communications medium between the hospitals (called the Spine) has been called into question.  Additionally, access controls on the system allow any authorized users to view any patient&#8217;s information, not just those currently being treated.</p><p>The NHS agency Connecting for Health (CfH) runs the records system.  An ICO spokeswoman confirmed medical record deletion would now be possible after discussions with the ICO privacy watchdogs and CfH managers.</p><blockquote><p>People want the assurance that they can restrict who can access their personal details in NHS electronic records.  We met recently with Connecting for Health (CfH) to discuss the permanent deletion of summary care records once a patient requests their summary record no longer appears on the database.  
We are pleased that as a result of these discussions CfH have found a way to ensure that these records are permanently removed from the database when appropriate and we are continuing to talk to them about how this is put into practice.</p></blockquote><h2>Summary</h2><p>When drawing corporate or group policies, general best practices dictate data subjects should have the ability to review all information an organization holds on them and have the right to change any errors.  Those changes must be reconciled across the organization, either pushed upward from third party partners or downward from the main collecting organization.  By adhering to this standard, nearly every organization will be kept in lock step with multi-national laws with regard to data subject access and redress.</p><h3><strong><em>CIPP Candidate Preparation</em></strong></h3><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:</p><ul><li>Privacy Regulations (Foundations:I.F.b, CIPP: I.B) and Compliance Requirements (Foundations:II.B)</li><li>Data Subject Access &amp; Redress (Foundations: III.B.d)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Abandoned Medical Records happen&#8230;  Will abandoned EHR happen more?</title><link>https://www.cippguide.org/2009/04/09/abandoned-medical-records-happen-will-abandoned-ehr-happen-more/</link> <comments>https://www.cippguide.org/2009/04/09/abandoned-medical-records-happen-will-abandoned-ehr-happen-more/#comments</comments> <pubDate>Thu, 09 Apr 2009 18:04:46 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[abandoned records]]></category> 
<category><![CDATA[ehr]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[electronic medical records]]></category> <category><![CDATA[HITECH]]></category> <category><![CDATA[personal health records]]></category> <category><![CDATA[PII]]></category><guid
isPermaLink="false">http://blog.cippguide.org/?p=292</guid> <description><![CDATA[Abandoned medical records and their privacy implications made the news in two separate incidents over the past 10 days in Massachusetts and Alberta. The push to Electronic Health Records will solve the problem of loss for patients, but will introduce a whole host of other [...]]]></description> <content:encoded><![CDATA[<div
class="post-bodycopy clearfix"><p>Abandoned medical records and their privacy implications made the news in two separate incidents over the past 10 days.  One instance was in the Commonwealth of Massachusetts, while the other was in the Canadian Province of Alberta.  Common sense should tell all of us that this is not just a US or Canadian issue, and a quick search turned up incidents with <a
title="Bankrupt Australian contractor disposes of patient medical records at abandoned amusement park" href="http://www.breachblog.com/2008/06/28/swahs.aspx" target="_blank">a bankrupt contractor in an Australian amusement park</a>, <a
title="Private medical records found in abandoned Scottish Hospital, prompts tightened rules" href="http://news.scotsman.com/health/Sturgeon-imposes-strict-rules-on.4558615.jp" target="_blank">a closed Scottish hospital</a> and several more situations in <a
title="2007 EPA Report includes Medical Records Abandonment in Illinois" href="http://yosemite.epa.gov/opa/admpress.nsf/8beba1896692bb31852572a000655942/a09a74244ef8b37f8525734d00678a25%21OpenDocument" target="_blank">Illinois</a>, <a
title="California abandoned medical records discovery in 2007" href="http://drinkthis.typepad.com/main/2007/09/medical-records.html" target="_blank">California</a> and <a
title="North Carolina medical records abandonment and privacy concerns" href="http://www.wwaytv3.com/abandoned_clinic_leaves_behind_a_potentially_dangerous_mess/07/2007" target="_blank">North Carolina</a>, in addition to the visual evidence below.</p><p>The most recent occurrence near Concord, Massachusetts surrounded Dr. Ronald T. Moody.  He was evicted from his office in September after state regulators pursued him for practicing without a license.  The <a
title="Massachussets' doctor's patients' records abandoned - privacy suffers" href="http://www.boston.com/news/local/massachusetts/articles/2009/04/02/patients_files_poised_at_trash_bin/" target="_blank">patient records from Moody’s office in Acton were scheduled for disposal in March</a>, when an employee of the storage company holding the records contacted the state Board of Registration in Medicine.  The Board had neither the authority nor the budget to move or store the records, or to notify the patients.</p><div
class="wp-caption alignleft" style="width: 370px"><a
href="http://www.opacity.us/image1489_records.htm"><img
title="Cliffside Mental Hospital - June 2005 - Photo © www.opacity.us" src="http://www.opacity.us/images/db/24/42/0000001489.jpg" alt="Thousands of patient medical records abandoned at a medical facility" width="360" height="270" /></a><p
class="wp-caption-text">Thousands of patient medical records abandoned at a medical facility</p></div><p>Massachusetts’ state law requires medical records be kept for 7 years since the last visit, after which time the records may be destroyed without notification.  These requirements transfer to deceased physicians’ estates and inherited practices.  What’s not covered: abandoned or abruptly closed offices.  There are no laws relating to patient notification, and no state agency has responsibility for finding patients or delivering notice in these circumstances.  Even policies dealing with abandoned records aren’t necessarily covered by the physician trade associations, such as the Massachusetts Medical Society.  Thankfully, <a
title="Hospital offers to take abandoned medical records, preserving continuity and some privacy" href="http://www.boston.com/news/local/massachusetts/articles/2009/04/03/hospital_steps_in_to_rescue_abandoned_medical_records/" target="_blank">Emerson Hospital offered to take responsibility and shoulder the costs for the records</a>.</div><p>This isn’t one isolated state.  <a
title="California unclear on abandoned patient medical records" href="http://www.medbd.ca.gov/consumer/complaint_info_questions_records.html#12" target="_blank">California appears to have a similar unsettling situation,</a> and,  after a <a
title="Portland Press Herald: Legal to sell personal private records in Maine" href="http://pressherald.mainetoday.com/story.php?id=229557&amp;ac=PHnws" target="_blank">media frenzy over the sale of records by self storage facilities</a>, Maine is just recently beginning to tackle the problem <a
title="Maine Senate Bill prevent sale of private personal records by self storage facilities" href="http://janus.state.me.us/legis/LawMakerWeb/externalsiteframe.asp?ID=280030906&amp;LD=366&amp;Type=1&amp;SessionID=8" target="_blank">when the records are stored in a self storage facility</a>.</p><p><span
id="more-292"></span> Other states are clear cut and straightforward, including <a
title="Florida's Statute appoints custodian in cases of abandoned patient medical / health records" href="http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&amp;Search_String=&amp;URL=Ch0456/SEC057.HTM&amp;Title=-%3E2001-%3ECh0456-%3ESection%20057" target="_blank">Florida’s statute 456.057 (21)</a> and <a
title="Texas State Medical Board rules for abandoned records" href="http://www.tmb.state.tx.us/rules/rules/165.php" target="_blank">Texas’ Medical Board’s 165.4</a>, allowing the State’s Licensing Board or Department of Health to appoint a custodian and attain ownership and direction of abandoned records.</p><p>The second orphaned records incident took place in Didsbury, Alberta.  The College Green Medical Clinic closed after the lead physician suffered a stroke.  After the physician’s passing, the other partners decided to quit the practice, taking some of their patients’ records with them.  However, <a
title="Canadian Patients' medical records abandoned in Alberta" href="http://www.calgaryherald.com/Medical+security+frightens+official/1464142/story.html" target="_blank">111 boxes remained after the closing and departures, representing over 3,000 patients’ medical records</a>.   Surprisingly, two similar occurrences happened about a year earlier in the City of Yorkton in Saskatchewan.  In those <a
title="Canadian Patients' medical records abandoned in Alberta" href="http://blog.absolute.com/saskatchewan-finds-second-set-of-abandoned-medical-files/%20-%20lists%20fines" target="_blank">events</a>, <a
title="Canadian Patients' medical records found left in Saskatchewan" href="http://www.cbc.ca/canada/saskatchewan/story/2008/03/25/files-yorkton.html" target="_blank">thousands of Canadian patients’ health records were found in two empty office buildings</a>. The Health Information Protection Act, Canada’s HIPAA, requires physicians to retain records for 6 years and includes possible jail time and maximum breach penalties of $50,000 for individuals and $500,000 for an organization.</p><p>Each Canadian territory has a separate Privacy Commissioner for enforcement and fine assessment.  Unlike in the European Union, the Canadians are not under a comprehensive privacy framework where all private information is protected (<em>ed: a popular topic on the CIPP</em>), and therefore recently passed the Health Professions Amendment Act to strengthen regulations of patient file storage.  Instead of the EU comprehensive framework, the Canadians use a co-regulatory model, placing regulatory bodies for groups like doctors, pharmacists and hospitals in charge of establishing standards for formal record storage plans. In the event files are abandoned, the regulatory body will then be in charge of securing them, while the Privacy Commissioner makes sure it happens.</p><div
class="wp-caption alignright" style="width: 370px"><a
href="http://www.opacity.us/site68_mesa_state_training_school.htm#gallery108"><img
title="Mesa State Training School June 2005 - Photo © www.opacity.us" src="http://www.opacity.us/images/db/68/108/0000003892.jpg" alt="Mesa State Training School closed in 1990 - June 2005 " width="360" height="239" /></a><p
class="wp-caption-text">Mesa State Training School closed in 1990 - June 2005</p></div><p>The US doesn’t approach the problem with the same fervor.  With <a
title="American Medical Association directory - over 941 thousand physicians" href="https://catalog.ama-assn.org/Catalog/product/product_detail.jsp;jsessionid=PISK403MNPSFZLA0MRPVX5Q?childName=nochildcat&amp;parentCategory=cat230007&amp;productId=prod1210016&amp;categoryName=%3CLI+TYPE%3DDISC%3E%3Cb%3E%3Cfont+color%3D%22666666%22%3EPhysician+Statistics%3C/font%3E%3C/b%3E&amp;start=1&amp;parentId=cat230007" target="_blank">over 941,000 physicians in the US</a> and a lack of clear responsibilities from state to state, it’s a wonder more abandoned record reports are not surfacing.  Discussion threads and commentary associated with the two most recent stories expect the Electronic Health Record (HITECH) requirements from the U.S. Economic Stimulus package to eliminate all of the lost record worries in a single, silver, digital bullet.  A Massachusetts law passed last year requires electronic health records by 2015.   Other states have recently followed suit, clamoring for the billions in stimulus funds.   And there are many benefits to be had replacing paper files with electronic records.  <a
title="Wikipedia:  Benefits of Electronic Health Records" href="http://en.wikipedia.org/wiki/Electronic_health_record" target="_blank">Drug interaction flagging, reduced costs, lower transcription errors and higher quality of care are all cited as pros for an EHR program</a>.   The US sees good reason in forcing the issue &#8211; a 2007 Harvard study showed only 17% of US doctors were using electronic records.  One thing’s for sure, <em>EHR will bring about unprecedented access to a patient’s personal information</em>.</p><p>As with everything digital, there is a big drawback.  <em>EHR will bring about unprecedented access to a patient’s personal information</em>.  Physical record protection is well understood (guards, gates, and guns), and the occasional fire or misplaced box of records is troublesome but can be overcome with a copy machine and offsite storage.  It’s difficult to divulge a lot of records when you have to go office to office in an 18-wheeler.  Digital records fit on a thumb drive, and thirty years after the <a
title="Wikipedia - Computer Viruses and Worms" href="http://en.wikipedia.org/wiki/Notable_computer_viruses_and_worms" target="_blank">first computer virus</a>, technology professionals are still struggling with information security.  A single breach of a large EHR holder could ruin a large swath of people financially, socially and professionally, and even damage their descendants’ insurability.  Need examples?  A religious official with an abortion on file, a positive HIV test in a long-standing monogamous relationship, a genetic predisposition to alcoholism/obesity/violence.  These probably led to <a
title="Health Insurance Portability and Accountability Act" href="http://www.hhs.gov/ocr/privacy/index.html" target="_blank">HIPAA</a> forcing your doctor to not leave voice mail messages on answering machines &#8211; now we have to deal with doctors upgrading desktops.</p><p>With President Obama’s push towards electronic medical records and the amount of money being spent on updating the US medical system in the stimulus package, expect to see 83% of the US’ physicians dragged into the 21st century. We’ve seen we can’t expect every physician to properly protect a piece of paper.  What happens when there’s not even the cost of paper deterring them from making another copy of a patient’s chart?</p> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/04/09/abandoned-medical-records-happen-will-abandoned-ehr-happen-more/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
