It was back to the bad old days in Chattanooga, Tenn., when passersby recently discovered thousands of patient medical records in a mixed paper bin at the DuPont Recycling Center. The documents included graphic photos and sensitive health information, including the Social Security numbers of patients. The origin of the documents isn't known, but police are pointing fingers at nearby Hutcheson Medical Center and a local plastic surgery practice as possible sources of the files.
As any health care worker could tell you, document dumping runs afoul of the federal Health Insurance Portability and Accountability Act (HIPAA), a 12-year-old regulation that covers patient privacy. That law, which is overseen by the Department of Health and Human Services (DHSS), has been infamously toothless throughout the Clinton and most of the Bush administrations. But health care providers that might have been tempted to play fast and loose with HIPAA compliance rules in the past are in for a rude awakening, as a feistier DHHS combines with new HIPAA provisions that strengthen enforcement and stiffen civil penalties for violations.
Remember: Stories like the Chattanooga snafu created the impetus for HIPAA back in the mid-1990s, when similar tales of health records carelessly disgorged from doctors' offices and hospitals started turning up in newspaper headlines and evening news broadcasts. They're all the more remarkable now, six years after HIPAA's so-called Privacy Rule governing the disposition of patient health information (PHI) in both paper and electronic forms went into effect. That rule was supposed to put an end to loose handling of PHI by instituting clear guidelines on how PHI is handled by medical providers and tough penalties for violators. But years passed with little evidence that the government was taking note of which health providers were being naughty or nice.
That started to change in 2007, when DHHS zeroed in on Seattle-based Providence Health & Services, which was accused of misplacing or losing backup tapes, laptop computers and optical disks containing data on around 386,000 patients. In July 2008, DHHS and Providence announced a deal in which Providence agreed to pay $100,000 in penalties for violating HIPAA compliance rules. It also agreed to implement a corrective action plan to ensure that electronic patient information is secured against theft or loss. DHHS said it was the first such agreement for a "covered entity," though the agency claimed there have been more than 6,700 cases in which HIPAA violations were cited and changes to security procedures or PHI handling procedures were recommended. I don't know about you, but if I got ticketed once for every 6,700 times I got caught speeding, I'd drive a lot faster.
But that's all ancient history, and if the fine levied on Providence wasn't enough to get health care providers to sit up and pay attention (and it was), changes passed into law by Congress this year sure will. The updates are part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February as part of the larger American Reinvestment and Recovery Act. Though HITECH's funding of a switch to electronic medical records grabbed the headline, the act outfitted HIPAA with some pretty sharp fangs. Among other things, HITECH:
- Directs DHHS to conduct periodic audits and expands DHHS oversight from HIPAA "covered
entities" to the much larger community of business
associates -- data processors, third-party labs and other firms that contract with covered
entities and handle PHI.
- Requires HIPAA-covered entities to notify individuals of any PHI breaches, not just cases where
notification is necessary to mitigate damages to the consumer. Business associates are required to
notify the covered entity of breaches, as well as the individuals affected.
- Broadens criminal enforcement of violations of HIPAA compliance rules to include business
associates and gives states' attorneys general the ability to bring civil actions against violators
in federal court.
- Adds new civil penalties ranging from $100 to $50,000 per HIPAA violation, with higher
penalties (up to $1.5 million) for organizations that show willful neglect of the law and are lax
in addressing mistakes.
What does this mean for the health care industry and the companies that serve it? Even in the absence of penalties, HIPAA has led to wholesale changes to the way hospitals and doctors' offices run. Beefed-up network security, better access control, staff training around record handling and small tweaks to clamp down on inadvertent sources of data loss have removed much of the low-hanging fruit in the past decade. Stiffer penalties and the prospect of criminal charges and perp walks will go a long way to eliminate lax practices like those on display in Chattanooga.
Data security ... will be especially important as Uncle Sam steps up with tens of billions of dollars in subsidies for health care organizations to move to electronic medical records.
But as the case against Providence Health & Services suggests, there's much more to be done to secure PHI data stored on laptops, backup tapes, mobile devices and in applications accessed over the Internet. In the short term, there will be increased investments in data encryption technology by health care organizations and their many suppliers. Within the last month, the secretary of HHS has released guidance (based on National Institute of Standards and Technology guidelines) for acceptable methods for destruction and encryption of data under HIPAA.
In the long term, the health care sector -- like other verticals -- will need to get much smarter about how it manages and uses PHI. Some forward-looking hospitals are already using frameworks like application virtualization, Software as a Service and so-called private cloud computing deployments to centralize and manage access to sensitive patient data through hosted applications. Tackling the problem of data security -- rather than network security -- will be especially important as Uncle Sam steps up with tens of billions of dollars in subsidies for health care organizations to move to electronic medical records, thereby increasing the amount of PHI floating around in digital format, rather than harder to disseminate hard copies.
This was first published in May 2009