Privacy Archives

Bill Provides Cover for EHR Errors


A new bill introduced in Congress would give Medicare and Medicaid providers limited liability protection for electronic health record errors.

Rep. Tom Marino, R-Pa., says the bill "would create a system for reporting potential errors that occur when using electronic records without the threat of that information being used as an admission of guilt."

The Safeguarding Access For Every Medicare Patient Act, HR 3239, also prevents plaintiffs' lawyers from using EHRs as "an easy source for 'fishing expeditions,'" Marino says in a news release. Health-care providers would be able to correct EHR problems "without having those actions be used to establish guilt," according to the release. It also would limit when lawsuits could be filed, and protect against libel and slander lawsuits.

Marino says his bill reduces fear of expensive lawsuits and thereby promotes EHR adoption by Medicare and Medicaid providers. "Every time a doctor or hospital chooses not to participate because of these fears," he says, "our seniors lose another provider."

To qualify for protections under the bill, providers would have to demonstrate that they are using certified health IT products or meet federal criteria for "meaningful use."

The bill has been referred to the House Energy and Commerce Committee.

Stanford Sued Over Data Breach


Stanford University's hospital system and a former billing subcontractor are co-defendants in a class-action suit that seeks damages for the online posting of information from 20,000 patients' medical records.

The lawsuit, filed last week in Los Angeles Superior Court against Stanford Hospital & Clinics and the billing vendor, Multi-Specialty Collection Services, seeks unspecified damages on behalf of anyone whose health data was posted online -- namely patients who visited the Stanford Hospital emergency room, in Palo Alto, Calif., between March 1 and Aug. 31, 2009. A copy of the suit is available at ModernHealthcare.com.

A digital spreadsheet containing the patients' names, medical records, hospital account numbers and the dates of treatment was posted online Sept. 10, 2010, at studentoffortune.com, a website that helps students with their homework. The data remained online for almost a year before a patient discovered it on Aug. 22.

Stanford Hospital says responsibility for the data breach rests with Los Angeles-based Multi-Specialty Collection Services, which it fired following discovery of the privacy lapse. In an Oct. 3 statement, the hospital contends that it sent the data to the company in an encrypted format to protect its confidentiality. A hospital investigation showed that the vendor, known as MSCS, prepared a spreadsheet and sent it to a third person not authorized to have the information.

That person "improperly posted it on a website, apparently to get assistance in generating a graph from MSCS's spreadsheet," the hospital says. "This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS's contract ... and is shockingly irresponsible."

MSCS did not immediately return a call seeking comment.

Stanford's ER Patients Exposed


Arguments that electronic health records are safe and secure were dealt a major blow last week with news that the names and diagnosis codes of 20,000 patients at a California emergency room were accidentally posted online -- and stayed there for nearly a year.

Stanford Hospital, in Palo Alto, Calif., was investigating how a billing subcontractor's spreadsheet ended up on a website for students who were soliciting paid help with school assignments, according to reports in newspapers, including the New York Times. The spreadsheet was published on the site beginning Sept. 9, 2010, as an attachment to a question about converting data into bar graphs, a Stanford spokesman told the Times.

The spreadsheet did not include Social Security numbers, birthdays or credit-card numbers, but did include diagnosis codes, hospital account numbers and dates of treatment, the spokesman said.

The hospital learned of the breach from a patient on Aug. 22 and succeeded in getting the offending material removed the next day. The breach was announced publicly on Thursday, several days after affected patients were notified of the problem by mail, according to the San Jose Mercury News.

Stanford Hospital "suspended business" with the vendor, the Mercury News said.

Health Data Breaches Documented


Protected medical information, including patient medical records, is alarmingly susceptible to security breaches, two new reports suggest.

The first report comes from the Health and Human Services Department, and finds that more than 7.8 million people had their medical information compromised by 252 major security breaches over a recent 15-month period. Smaller breaches affected another 30,500 people.

The second report comes from Veriphyr Inc., a data security services provider. It found that 71 percent of health-care providers who responded to a recent online survey had reported at least one medical records security breach in the previous year. More than a third, 35 percent, resulted from employees snooping into their coworkers' medical records, while 36 percent were by employees sniffing out the records of friends, relatives or neighbors. VIP records were compromised in 6 percent of cases involving inside breaches.

The HHS report looked at data breaches that occurred between Sept. 23, 2009, when notification requirements went into effect, and Dec. 31, 2010. HHS is required to report its findings to Congress as part of the Health Information Technology for Economic and Clinical Health Act.

About half of the major breaches reported to HHS -- those affecting more than 500 people -- were the result of theft, including stolen electronic equipment such as network components, laptops or hard drives. The largest reported theft affected 1.9 million people, HHS said.

Other reported incidents involved hacking or other intrusions with intent to commit fraud. Human error, the loss of electronic or paper records, and improper disposal of paper records accounted for the other major cases.

Geneticists Decode e-Records


General patient data contained in electronic medical records can help genetic researchers quickly and accurately identify patients for their investigations, thereby slashing the cost of collecting research data, according to a Northwestern University study.

Researchers analyzed electronic records for information generated from routine doctors' visits -- including diagnoses, medications and laboratory tests -- for signs of five diseases: type 2 diabetes, dementia, peripheral arterial disease, cataracts and cardiac conduction. They used e-records from five national sites, each of which used different vendors, according to a Northwestern news release.

The data in the electronic records allowed the researchers to correctly identify patients' diseases 73 percent to 98 percent of the time. They also were able to rule out the five targeted diseases with at least 98 percent accuracy. The researchers' predictions were confirmed with the patients' doctors.

According to an abstract of the study, the case-identification rate improves when electronic records use natural language processing that helps computers to understand nuance and jargon of human speech.

Eventually, patients' genomes could be included in their medical records, says the lead investigator, Dr. Abel Kho, an assistant professor of medicine at Northwestern's Feinberg School of Medicine. "With permission from patients," he says, "you could search electronic health records at not just five sites but 25 or 100 different sites and identify 10,000 or 100,000 patients with diabetes, for example."

The Northwestern study was published last week in Science Translational Medicine journal. The research project received financial support from the National Human Genome Research Institute, with additional funds coming from the National Institute of General Medical Sciences.

Securing Electronic Health Records


Health-care providers would face tougher standards for documenting how they will secure electronic health record data under recommendations made last week by a Health IT Policy Committee work group.

The committee's privacy and security Tiger Team is discussing how to structure privacy and security rules for EHR meaningful use standards going into effect in 2013. Hospitals and medical professionals are eligible for significant incentives from Medicare and Medicaid when they implement EHRs and demonstrate meaningful use of those electronic records.

The health IT world is working to meet Stage 1 meaningful use standards this year and next. The Tiger Team now is studying privacy and security aspects of the more robust Stage 2 standards being developed for 2013-2014, including for encrypted "data at rest."

The team's latest draft report recommends the following revisions to earlier recommendations:

  • Requiring health-care providers to specifically address how they are encrypting data at rest, including for mobile devices such as smartphones and flash drives, and document their encryption functions if audited. Data breaches are "a serious issue that the Tiger Team believes will negatively impact public trust in EHRs if not addressed," the report says.

  • As an alternative, requiring medical professionals to demonstrate how their EHRs are meeting all provisions of the HIPAA (Health Insurance Portability and Accountability Act) Security Rule, which also addresses encrypting data at rest. The team notes that the federal Centers for Medicare and Medicaid Services would have to fully support the recommendation for this recommendation to have the intended effect.

The report also includes several recommendations regarding "audit trails" for access to patient record "portals" as well as provisions for ensuring that patients can easily see, download and copy their medical records through the portals.

The Tiger Team meets again next Monday, as well as May 4 and May 16. The Health IT Policy Committee that it advises will eventually submit final meaningful use recommendations to the Office of the National Coordinator for Health IT. The committee and ONC both fall under the U.S. Department of Health and Human Services.

Confidence in IT Security Sags


Most patients trust their doctors to keep their medical and financial information private, but one out of every two don't trust electronic health records to do the same, a new survey shows.

That concern might be well-founded: Roughly one-third of physician practices lack even basic anti-viral software or security firewalls, according to research by CDW Healthcare of Vernon Hills, Ill.

"The new era of EHR brings with it a whole new set of requirements for health-care organizations -- particularly in the area of IT security," Bob Rossi, vice president of CDW Healthcare, says in a news release.

The company surveyed 1,000 U.S. patients in January for the report, "Elevated Heart Rates: EHR and IT Security." The vast majority of respondents, 84 percent, said they hold the practice and individual staff members responsible for the security of their private information. About half -- 49 percent -- said they think their private information will be less secure because of EHRs.

"Right now, patients trust their doctors more than anyone else to protect their personal information," Rossi says. "But like any relationship based upon trust, even one breach can fundamentally change the dynamic."

Of the survey respondents whose private information has been compromised by any company or organization, 9 percent said they severed their relationship, 12 percent spent less money with the offending group, and 12 percent said they lost trust in the group.

Health IT Breaches Could Rise


The private health information of more than 6 million people has been compromised by digital security breaches since August 2009 -- and those are just the big cases. The Health and Human Services Department does not release information about breaches affecting fewer than 500 people.

The disconcerting statistics are included in a new report by RedSpin Inc., an IT security audit firm in Carpinteria, Calif. "Breach Report 2010: Protected Health Information," looked at 225 breaches reported under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The breaches occurred in all but seven states, the District of Columbia and Puerto Rico, the auditors reported. The average breach affected about 27,000 people. Incidents traced to portable media, such as laptop computers, affected an average of 66,000 people.

Other details in the report:
--An average of 82 days passed between discovery of the security breach and HHS notification or updates. HITECH requires that HHS be notified of major breaches within 60 days.
--The bulk of the breaches, 78 percent, resulted from just 10 incidents. Half of those were traced to the theft of common storage media such as a desktop computer, network server or portable device.
--Six out of 10 breaches were intentional and malicious.
--Business associates with access to health information were responsible for four out of 10 breaches.

"It is clear that protected health information is actively targeted and has successfully been compromised by a malicious threat-source," say RedSpin auditors. "This trend will likely increase as health-care IT initiatives are deployed across the industry as a result of financial incentives associated with 'meaningful use' objectives."

The auditors recommend reducing security risks by:

--Encrypting protected health information data in storage and in transit.
--Improving training for users.
--Implementing a mobile device security policy.
--Periodically reviewing security controls.

CMS Delivers 10-Year Plan


The Centers for Medicare and Medicaid Services has outlined plans for updating its computer and data systems to comply with the Patient Protection and Affordability Act. The agency projects that it will complete the overhaul in five- and 10-year increments, with "usable functionality" delivered every six months.

CMS released the 73-page document, "Modernizing CMS Computer and Data Systems to Support Improvements in Care Delivery," in late December. CMS says it needs the technology upgrade to transform itself "from a passive payer of claims to an active purchaser of quality health care," according to the report. The upgrade also will help CMS to facilitate development of a national health IT network, the report said.

By modernizing its IT systems, CMS will be able to improve business operations, better measure and oversee performance, improve accountability and innovate, it says. The two primary goals are to develop systems to analyze results of new health care delivery systems and to reward providers that meet quality-performance metrics.

The overhaul will save money by reducing the risk of system failure, simplifying infrastructure, eliminating costly product licenses and updates, cutting the IT labor force, and negotiating better rates for resources that do not require special domain knowledge, CMS said. The organization predicted that it would see major savings after the core capabilities are established in fiscal 2015.

Major initiatives include:

  • A single source of data for Medicaid and the Child Health Insurance Program.
  • An encounter data processing system using a service-oriented architecture.

The Health Care Data Improvement Initiative is the major funding source. Other funding comes from the Affordable Care Act, the Health Information Technology for Economic and Clinical Health Act, and the 2010 Small Business Jobs Act.

Lingua Franca for Health IT


If federal health IT initiatives are to succeed, the government must promote widespread adoption of a universal exchange language for securely transferring health data, announced the President's Council of Advisors on Science and Technology on Wednesday.

In a new report, "Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward," the council makes several recommendations for the development of an "IT ecosystem" that would enable the secure, real-time exchange of patient information.

"Information technology has the potential to vastly improve patient care and create new markets based on health care innovation -- but only if we make wise decisions now," said Eric Lander, co-chair of the council. "This report outlines a path to achieving these aims."

Health IT is well behind other IT sectors in developing universal exchange standards that "have resulted in new products that knit together fragmented systems into a unified infrastructure ... and increases the value of the infrastructure for all," according to the report. "The market for new products and services based on health IT remains relatively small and undeveloped compared with corresponding markets in most other sectors of the economy, and there is little or no network effect to spur adoption."

The technology to create the necessary digital infrastructure and exchange language is already "proven and available," according to the council's news release, but there's little profit potential in developing those systems. If the federal government facilitates that development, private industry could develop more profitable products that build on the infrastructure and language, the release said.

The council recommends that the federal Office of the National Coordinator for Health Information Technology and the Centers for Medicare and Medicaid Services develop guidelines to spur adoption of an exchange language. Physicians would acquire applications and other middleware that would work with existing electronic health record systems.

The report advocates using tagged data elements to manage and store bits of information, an approach that would allow individualized privacy rules for each nugget of data. Users could adjust privacy and security rules for each piece of information, depending on sensitivity, according to the report.

The system would not require creation of universal patient identifiers or a centralized federal patient database, both of which cause major privacy concerns.
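The tagged-data-element approach described above, as an added illustration that is not code from the PCAST report or any named system: each element of a record carries its own sensitivity label and the purposes the patient has consented to, the record is keyed by the source system's own identifier rather than a universal patient id, and every access decision is recorded as an audit-trail entry. The element names, roles, purposes and sample values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class DataElement:
    """One tagged 'nugget' of health data with its own privacy metadata."""
    name: str
    value: str
    sensitivity: str            # "normal" or "restricted" (constructed labels)
    permitted_purposes: frozenset  # purposes the patient consented to

@dataclass
class PatientRecord:
    # No universal patient identifier: keyed by the source site's own id.
    source: str
    local_id: str
    elements: list = field(default_factory=list)

def sample_record():
    """Constructed sample record; values are illustrative, not real data."""
    return PatientRecord("site-A", "A-0001", [
        DataElement("diagnosis_code", "E11.9", "normal",
                    frozenset({"treatment", "billing", "research"})),
        DataElement("psychotherapy_note", "[text]", "restricted",
                    frozenset({"treatment"})),
        DataElement("account_number", "ACCT-0001", "normal",
                    frozenset({"treatment", "billing"})),
        DataElement("treatment_date", "2009-06-15", "normal",
                    frozenset({"treatment", "billing", "research"})),
    ])

def filter_elements(record, requester_role, purpose):
    """Return (visible elements, audit trail) for one access request.

    Each element is judged on its own tags: first the patient's consent for
    the stated purpose, then the sensitivity label against the requester role.
    Every decision, allowed or denied, is appended to the audit trail.
    """
    visible, audit = [], []
    for el in record.elements:
        if purpose not in el.permitted_purposes:
            decision = "denied: no consent for purpose"
        elif el.sensitivity == "restricted" and requester_role != "treating_clinician":
            decision = "denied: restricted element"
        else:
            decision = "allowed"
            visible.append(el)
        audit.append((record.source, record.local_id, el.name,
                      requester_role, purpose, decision))
    return visible, audit

def visible_names(record, requester_role, purpose):
    """Convenience wrapper: names of elements the requester may see."""
    return [el.name for el in filter_elements(record, requester_role, purpose)[0]]
```

Because the rules attach to elements rather than to the whole record, a researcher sees the diagnosis code and treatment date but never the account number or the restricted note, and a billing clerk sees the account number but not the note.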