Security Rules Put Providers on Notice

December 10, 2009
Benjamin Wright

MDNG Primary Care, October 2009, Volume 11, Issue 10

HITECH says covered entities must be able to monitor and record every time that patient data is accessed, enabling the entity to comply with the new notification requirements should unauthorized access occur. Will the new rules end up restricting the efficient exchange of data that is crucial to providing high-quality healthcare?

With the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), Congress has imposed a demanding new data security regime on all healthcare providers and organizations. Congress expects key healthcare industry stakeholders (hospitals, doctors’ offices, insurance companies, and other entities) to track and account for each and every time protected electronic patient information is accessed. To comply with the data security and patient notification provisions called for by HITECH, covered entities will be expected to put in place policies, procedures, and technical controls (such as application-layer logs and audit trails) that enable them to track when, how, and by whom protected patient health information is accessed.

Healthcare providers, payers, and administrators make extensive use of information technology. Although much medical information is still recorded on paper, computerized record systems are already ubiquitous in clinics, hospitals, and doctors’ offices; insurance companies and other third-party payers also use computers for all facets of record keeping. E-mail and other forms of electronic data collection and exchange are common. More personal medical information is already exchanged via e-mail today, intentionally or otherwise, than patients and providers probably realize.

Information technology is designed to facilitate the collection, storage, and sharing of data. Data sharing especially is critical to the effective delivery and administration of healthcare. Indeed, one of the major factors behind the push for wider adoption of electronic medical records and other forms of information technology in healthcare has been the realization that efficient, timely access to and sharing of information is critical to ensuring better healthcare quality and improving health outcomes. The healthcare industry already engages in extensive sharing and collaboration by way of computer technology and is actively seeking to expand on this.

However, in some ways, a big-picture conflict may be emerging. Although computers promote data sharing, HITECH is about data restraint and accountability. The essence of the data security requirements imposed by HITECH is that health entities must install many fine-grained controls to monitor, regulate, or prevent the sharing of data. Just as new collaborative technologies are enabling easy data sharing, the security and privacy rules set out under HITECH may end up stifling the flow of key information as covered entities take steps to protect against data breaches.

According to the HITECH Act, it’s as easy as 1-2-3-4

Under Section 13402 of the Act, a healthcare “covered entity” must notify the patient if the entity discovers that a patient’s unsecured data has been accessed without proper authority. How is this requirement to be satisfied in practice? All notifications must be made “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity.” Notification of the individuals affected by the breach takes several forms, depending on the circumstances: written communication (or e-mail, if the patient has agreed to electronic notice); where contact information is insufficient, substitute notice by a “conspicuous posting” on the covered entity’s website or in “major print or broadcast media”; notice to prominent media outlets when more than 500 residents of a state are affected; and, if the situation is sufficiently urgent, direct telephone contact in addition. To ensure that they are effectively monitoring and tracking access to protected data, covered entities are going to have to “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports”--language carried over from the existing HIPAA Security Rule, which HITECH now backs with breach notification and stronger enforcement.

Section 13405(c) of the Act goes on to stipulate that a patient will have the right to receive from a covered entity an accounting, dating back three years, of all disclosures of his or her protected information to anyone outside the entity. A disclosure could include the sharing of information among healthcare entities for treatment, payment, or healthcare operations. In other words, it could cover the exchange of treatment information from one doctor to another doctor who is not employed by the same entity as the first doctor--a very common event! This accounting requirement applies to information contained in any “electronic health record,” which section 13400(5) of HITECH expansively defines as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized healthcare clinicians and staff.” This could include a large volume of day-to-day internal e-mail in a clinic, a hospital, or a doctor’s office--or external e-mail among multiple healthcare providers. The effective date for this requirement varies with when the entity acquired its EHR system, but could start for some data as early as 2011. As a practical matter of compliance, this step will require extensive logs and audit trails that enable providers to “log all disclosures made through EHRs — including those made for treatment, payment and healthcare purposes — and report them to patients when requested.”

Under Section 13405(a) of HITECH, a patient can request that a covered entity not disclose certain information to a “health plan.” The delivery and administration of healthcare is a very complex undertaking. Compliance with a patient request to allow X information to be disclosed but not Y information is difficult. Compliance will require careful attention and review; affected healthcare entities are going to need to implement proper information controls that include application-layer logs and audit trails so that this kind of patient request can be enforced and employee actions can be reviewed after the fact.

Finally, under Section 13405(b) of HITECH, a covered entity shall be considered to be in compliance with these requirements regarding the use, disclosure, or request of protected health information “only if the covered entity limits such protected health information, to the extent practicable, to the limited data set… or, if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.” Although the law stipulates that “the covered entity or business associate disclosing such information shall determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure,” this is in fact a very subtle requirement. Effective compliance will require a great deal of human attention, supervision, and after-the-fact review, possible only if there is sufficient auditing and other data security architecture in place.

Interpretation and implications

For any organization, complete compliance with the HITECH requirements will be hard to achieve and sustain. The four steps/requirements outlined above should not be thought of as separate ideas; covered entities must view them in the aggregate if they want to implement data security policies and tools that achieve verifiable, real-world compliance. Healthcare organizations need to be archiving e-mail (and other e-messages such as text) for generous periods of time. Archival allows later review of which patient information was delivered to which provider, business associate, or other stakeholder subject to the HITECH requirements (not to mention other operational functions, such as review of who was consulted on a particular matter, at which time, and so on). Any healthcare e-mail archive application used by a covered entity must support audit trails that show who accessed a particular e-mail archive record at which time. Healthcare firms will similarly need access logs and audit trails for other (non-e-mail) forms of electronic collaboration and data sharing.
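To make the aggregate picture concrete, here is an added illustration of what the four requirements look like as one data structure; it is example code written for this page, not code from the article, from Messaging Architects, or from any EHR product. It assumes a Python application that records every access to, and every disclosure of, a patient record in a hash-chained, append-only log (so after-the-fact edits are detectable), enforces a patient's Section 13405(a)-style restriction before a disclosure to a health plan leaves the entity, and can produce the three-year Section 13405(c) accounting of disclosures on request. The patient identifiers, user names, organizations, and field names are invented, and the restriction model is simplified (the statute ties the right to items the patient paid for in full).

```python
# Added illustration (not from the article or any vendor product): a hash-chained
# PHI access/disclosure log with the patient-level controls HITECH describes.
import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

ACCOUNTING_WINDOW = timedelta(days=3 * 365)  # Sec. 13405(c): accounting reaches back three years

@dataclass(frozen=True)
class Event:
    ts: datetime           # timezone-aware UTC
    actor: str             # user or system account that touched the record
    patient_id: str
    action: str            # "access" (internal view) or "disclose" (sent outside the entity)
    purpose: str           # "treatment", "payment" or "operations"
    fields: tuple          # PHI elements involved, kept for minimum-necessary review
    recipient_org: object  # organization receiving a disclosure; None for internal access
    recipient_type: object # e.g. "provider", "health_plan"; None for internal access
    prev_hash: str         # hash of the preceding event, linking the chain
    hash: str              # SHA-256 over prev_hash + this event's content

def _digest(prev_hash, ev):
    # Hash the previous link plus the event's content (its own hash fields excluded).
    content = {"ts": ev.ts.isoformat(), "actor": ev.actor, "patient_id": ev.patient_id,
               "action": ev.action, "purpose": ev.purpose, "fields": list(ev.fields),
               "recipient_org": ev.recipient_org, "recipient_type": ev.recipient_type}
    return hashlib.sha256((prev_hash + json.dumps(content, sort_keys=True)).encode()).hexdigest()

class AuditTrail:
    """Append-only, hash-chained log plus the per-patient queries the statute calls for.
    The chain proves integrity only relative to its head, so in production the latest
    hash must be anchored outside the application (signed, or written to WORM storage)."""
    GENESIS = "0" * 64

    def __init__(self):
        self._events = []
        self._restrictions = {}  # patient_id -> recipient types the patient has restricted

    def restrict(self, patient_id, recipient_type):
        """Sec. 13405(a)-style request: do not disclose to this kind of recipient
        (simplified: the statute ties the right to items the patient paid for in full)."""
        self._restrictions.setdefault(patient_id, set()).add(recipient_type)

    def record(self, ts, actor, patient_id, action, purpose, fields,
               recipient_org=None, recipient_type=None):
        if action == "disclose" and recipient_type in self._restrictions.get(patient_id, ()):
            raise PermissionError(f"patient {patient_id} restricted disclosure to {recipient_type}")
        prev = self._events[-1].hash if self._events else self.GENESIS
        ev = Event(ts.astimezone(timezone.utc), actor, patient_id, action, purpose,
                   tuple(sorted(fields)), recipient_org, recipient_type, prev, "")
        ev = replace(ev, hash=_digest(prev, ev))
        self._events.append(ev)
        return ev

    def verify(self):
        """Recompute the chain; False if any stored event was altered, removed or reordered."""
        prev = self.GENESIS
        for ev in self._events:
            if ev.prev_hash != prev or ev.hash != _digest(prev, ev):
                return False
            prev = ev.hash
        return True

    def accounting_of_disclosures(self, patient_id, as_of):
        """Sec. 13405(c): every disclosure outside the entity in the three years before
        as_of, including routine treatment, payment and operations disclosures."""
        cutoff = as_of - ACCOUNTING_WINDOW
        return [ev for ev in self._events
                if ev.patient_id == patient_id and ev.action == "disclose" and ev.ts >= cutoff]

    def access_history(self, patient_id):
        # Who touched the record and when: the review the audit-log procedures require.
        return [(ev.ts, ev.actor, ev.action) for ev in self._events if ev.patient_id == patient_id]

def build_scenario():
    """Constructed scenario for one patient; all names and identifiers are invented.
    Returns the trail and whether the restricted disclosure was blocked."""
    trail = AuditTrail()
    t0 = datetime(2009, 10, 1, 9, 0, tzinfo=timezone.utc)
    trail.restrict("P-1001", "health_plan")
    # A disclosure four years ago: logged, but outside the three-year accounting window.
    trail.record(t0 - timedelta(days=4 * 365), "dr.lee", "P-1001", "disclose", "treatment",
                 ["diagnosis"], recipient_org="Northside Imaging", recipient_type="provider")
    trail.record(t0, "dr.lee", "P-1001", "access", "treatment", ["diagnosis", "meds"])
    trail.record(t0 + timedelta(days=2), "dr.lee", "P-1001", "disclose", "treatment",
                 ["diagnosis"], recipient_org="Eastside Cardiology", recipient_type="provider")
    try:  # billing tries to send the claim to the plan the patient restricted
        trail.record(t0 + timedelta(days=3), "billing", "P-1001", "disclose", "payment",
                     ["diagnosis", "charges"], recipient_org="Acme Health Plan",
                     recipient_type="health_plan")
        blocked = False
    except PermissionError:
        blocked = True
    return trail, blocked

def demo():
    trail, blocked = build_scenario()
    as_of = datetime(2009, 10, 31, tzinfo=timezone.utc)
    result = {"chain_ok": trail.verify(), "blocked": blocked,
              "accounting": [(ev.recipient_org, ev.purpose)
                             for ev in trail.accounting_of_disclosures("P-1001", as_of)],
              "events_for_patient": len(trail.access_history("P-1001"))}
    # Simulate an after-the-fact edit of a stored event; the chain must now fail.
    trail._events[1] = replace(trail._events[1], actor="someone_else")
    result["tamper_detected"] = not trail.verify()
    return result
```

Calling demo() returns a chain that verifies, the blocked health-plan disclosure, a three-year accounting that lists the cardiology referral but not the four-year-old imaging disclosure, three logged events for the patient, and detection of the simulated edit. The point a reviewer should take from it is the one the article makes: breach notification, accounting of disclosures, patient restrictions, and minimum-necessary review all draw on the same per-event record, so the log has to capture actor, time, purpose, recipient, and the data elements involved at the moment of access, not be reconstructed later.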

The call for certain groups of healthcare entities to maintain audit logs is not entirely new. The existing HIPAA Security Rule already requires that covered entities implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. And data access audit trails are already part of medical privacy law. New Mexico’s Electronic Medical Records Act, SB 278, for example, requires a “record locator service” (a kind of clearinghouse for health records) to maintain detailed audit logs of the access of patient information.

Nonetheless, the HITECH Act requires a substantial new layer of security for protected health information. Unlike anything before it, the Act impels extensive adoption of access logs and audit trails in healthcare computers. Hospitals, physicians, and all other groups to whom these new rules apply are urged to stay up to date with the latest guidance coming from the Department of Health and Human Services and other regulatory bodies and to be proactive in their efforts at compliance.

Mr. Wright is an attorney with Messaging Architects. This feature is adapted from an article that originally appeared online at http://benjaminwright.us
