"/>
HCPLive Network

Son of HIPAA--Who's Been Looking at My Data?

If your patient records aren't already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government-as well as by some private payors and self-insured employers-to get all healthcare providers wired in the near future, in order to better coordinate patient care, improve outcomes, and "bend the cost curve" all at the same time. There are some financial incentives in play to achieving "meaningful use" of "certified" EHR systems; those terms are to be defined in federal regulations later this year, but the outlines of those definitions are already pretty clear.

Once all that patient data-or as it is known in HIPAA-speak, protected health information (PHI)-is stored electronically, it becomes exposed to potential data breaches. In late September, two sets of federal regulations took effect that address the way in which PHI should be maintained, and the steps that should be taken to prevent a data breach and to notify the government and affected individuals in the event there is a data breach. Compliance with these rules-issued under authority of the HITECH Act by the US Department of Health and Human Services (HHS) with respect to healthcare providers, and by the Federal Trade Commission (FTC) with respect to EHR vendors and other similar third parties-requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.

The exposure in case of violation is significant, both in terms of fines and penalties and in terms of bad publicity-certain data breaches require notice to potentially affected individuals via the general media in addition to notices required to be fled with the regulators. The new rules-I call them Son of HIPAA-are layered on top of existing HIPAA privacy and security rules: the FTC's Red Flags Rule, regarding identity theft protections to be put in place by any "creditor" (which includes healthcare providers not paid in full at the time of service), and state privacy rules. While HHS and FTC took some pains to harmonize the new rules so that patients will not be bombarded with multiple data breach notifications about the same incident, for example, the other applicable rules out there have not been harmonized.

The key concept in the new breach notification rules is that encryption of patient data will eliminate the need to notify patients and the federal regulators in case of an inappropriate release of data. Such a release, if the data is encrypted (ie, unusable, unreadable, or indecipherable), is not considered a breach. Encryption is not required, though, and each affected entity must engage in a cost-benefit analysis before deciding whether to encrypt all affected data.

Another important aspect of the rule is the concept of harm-the regulators decided that not every data breach should trigger all of the notice requirements, just breaches that "pose a significant risk of financial, reputational, or other harm to the individual." For example, if an employee of a healthcare provider accesses a patient record inappropriately, but immediately realizes his or her mistake, and exits the record quickly and does not retain any PHI, that is not a reportable data breach.

Finally, "business associates" under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of "covered entities" under HIPAA since the beginning. All business associate agreements and notice of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Healthcare providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients' rights to their records are easily exercised could be a way to build goodwill among patients and potential patients.

By necessity, this is an extremely brief introduction to a very involved set of regulations. My hope is that you now have a sense of how important it is to be sure that your operations are fully compliant with the regulatory requirements before full enforcement and random field audits begin in February 2010.

Mr. Harlow, Principal of The Harlow Group LLC, is a healthcare lawyer and consultant based in Boston, MA. He helps healthcare providers and related businesses of all shapes and sizes realize their goals in an increasingly regulated environment. His blog, HealthBlawg, is recognized as a leading healthcare law and policy blog. You should subscribe to his blog and follow him on Twitter: @healthblawg. David H. Lewis.

 

Further Reading
The US Food and Drug Administration (FDA) announced it will give priority review status to Amgen’s application to market ivabradine as a treatment for chronic heart failure. The drug works to slow the heart rate in appropriate patients without causing negative effects on cardiac rhythms. It was developed by Les Laboratoires Servier in Suresnes, France, and first approved by the European Medicines Agency (EMA) as Procoralan in 2005. According to Servier, a global pharmaceutical firm, Procoralan (also sold as Corlentor) is available in 102 countries.
As healthcare organizations look to cut costs while increasing patient safety and satisfaction, the focus is all landing on how to make the employee happy.
As the nation tries to cut its health-care costs critics of reform have worried that some patients who need expensive though risky procedures like coronary artery bypass graft surgery (CABG) might not get them. But a new Harvard School of Public Health study could allay those fears.
With more people than ever using cell phones, tablets, and other personal technological devices, dermatologists have voiced concerns over the increase in cases of nickel allergies. Nickel, one of the most prevalent allergens in the United States, can be found within most handheld electronic devices and jewelry.
Although hemodialysis is a commonly used treatment for kidney failure, a recent study has shown it may not be as beneficial for people who develop a sudden case of the condition.
Healthcare workers in poor nations often do not have enough protective gear to keep them safe from being infected with blood-borne viruses such as Ebola and HIV, according to a study published online Aug. 8 in Tropical Medicine & International Health.
Para-aortic radiation correlates with increased diabetes mellitus risk for Hodgkin's lymphoma survivors, according to a study published online Aug. 25 in the Journal of Clinical Oncology.
More Reading