Data Breaches: A Growing and Alarming Trend and a Potential Safe Harbor

February 7, 2012
Filed under: Electronic Medical Records 

Since the data breach notification regulations by HHS went into effect in September 2009, 385 incidents affecting 500 or more individuals have been reported to HHS, according to its website. A total of 19 million individuals have been affected by a large data breach since 2009. The regulations require a covered entity that discovers a reportable breach affecting 500 individuals or more to report the incident to the HHS Office of Civil Rights immediately. After an investigation, HHS publicly posts information about the reported incident on its website on what has become known as the “Wall of Shame.” Of the 385 reported incidents, six separate incidents each affected a million individuals or more. In its 2011 annual report to Congress, HHS reported that in 2009 covered entities notified approximately 2.4 million individuals affected by a breach, and 5.4 million individuals the following year. This number grew in 2011 and it will likely continue to grow in 2012. To date, the largest breach took place in October 2011 at Tricare, the health insurer of American military personnel, which affected 4,901,432 individuals after storage tapes containing protected health information (PHI) were stolen from a vehicle. These numbers are staggering, but fortunately more can be done, and should be done, to prevent data breaches.

Data breaches can cause great harm to the affected individuals, providers and institutions. Individuals may experience embarrassment and harassment because sensitive health information was released. Individuals are vulnerable to identity theft and financial fraud if personal information such as social security numbers was accessed. More frequently, institutions are offering credit monitoring services to affected individuals to watch for potential fraud. Similarly, data breaches carry a very high cost for institutions, which will have to spend great sums to investigate and report a breach to HHS, the media and the affected individuals. An institution or provider’s reputation can also be harmed through negative publicity and the loss of consumers. More institutions are hiring public relations teams after a breach to minimize the fallout and negative publicity. The threat of litigation and class action lawsuits following a breach is also present and very real. Stanford Hospital, Tricare, and Sutter Health are all facing million and billion dollar class action lawsuits for their 2011 data breaches.

The bad news is that data breaches are impossible to predict and it is impossible to protect against every type of possible breach. Unfortunately, even the strongest policies, precautions and security measures cannot protect an entity from a hacker, thief or an employee or business associate’s honest mistake. As more providers and institutions adopt electronic health record systems and digitize their records, data breaches will continue to occur and large breaches will be spotlighted by the media. Pursuant to the regulations, a covered entity must alert a prominent media outlet if a reported breach affects more than 500 people of that state. Based on the events of last year alone, it is clear that the media loves to report on data breaches and will continue to do so. Hopefully this public exposure will serve to increase accountability to the public rather than instill fear in the public and hurt consumer confidence in the EHR movement.

The good news is that more can be done by providers and institutions to prevent harmful and costly data breaches. Data security and patient privacy should be the focus of the industry in the upcoming years because it is just as important as meaningful use certification. The benefits flowing from the Medicare incentive payments that an institution may receive under the Affordable Care Act can be canceled out in the event of a large and debilitating data breach. It would be wise for covered entities to focus on preventing data breaches as much as achieving meaningful use.

There is no easy solution to preventing breaches, but encryption is one surefire way an entity can better protect itself from a costly breach. As entities become more familiar with EHR systems and recognize the risks involved in storing and transferring PHI data, implementing encryption technology should become a top priority for each entity.

Encryption of PHI is a major step a provider or institution can take to secure its sensitive patient data. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. According to guidance from HHS, if an entity encrypts its data in accordance with the National Institute of Standards and Technology standards for encryption, then any breach of the encrypted data falls within a safe harbor and does not have to be reported. This is an incredibly important safe harbor that could save an entity a lot of money. It is shocking that more entities, especially those with the means and resources to install a qualifying encryption system, do not utilize encryption technology on any of their electronic devices, especially portable devices.
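The thresholds and the safe harbor described above combine into a short decision procedure that an incident response team can apply when a device goes missing. The following helper is an added illustration and is not code from the original post or from HHS; it models only what the post states (HHS notification at 500 or more affected individuals, media notice when more than 500 residents of one state are affected, and the safe harbor for PHI encrypted to the NIST standard). The `key_exposed` field is an assumption drawn from the post’s own definition of encryption, which depends on the key staying confidential; the incident records are constructed for the example.

```python
"""Breach-notification triage under the rules as this post states them (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

HHS_IMMEDIATE_THRESHOLD = 500   # post: "500 individuals or more" -> report to HHS OCR immediately
MEDIA_STATE_THRESHOLD = 500     # post: "more than 500 people of that state" -> notify a prominent media outlet


@dataclass
class Incident:
    name: str
    affected_by_state: Dict[str, int]   # state -> individuals whose PHI was on the lost/stolen media (constructed)
    encrypted: bool                     # PHI on the device was encrypted at rest
    nist_conformant: bool = False       # encryption method meets the NIST standard HHS points to
    key_exposed: bool = False           # assumption: the "confidential process or key" was lost with the data


@dataclass
class Obligations:
    safe_harbor: bool
    notify_individuals: bool
    notify_hhs_immediately: bool
    media_states: List[str] = field(default_factory=list)


def safe_harbor_applies(inc: Incident) -> bool:
    """Safe harbor as the post describes it: data encrypted to the NIST standard.

    The post's definition of encryption only promises a low probability of
    recovering meaning *without the key*, so a key lost alongside the device
    removes that protection (assumption derived from that definition)."""
    return inc.encrypted and inc.nist_conformant and not inc.key_exposed


def triage(inc: Incident) -> Obligations:
    """Map one incident to the notification duties the post describes."""
    if safe_harbor_applies(inc):
        return Obligations(safe_harbor=True, notify_individuals=False, notify_hhs_immediately=False)
    total = sum(inc.affected_by_state.values())
    # Media notice is judged per state, not on the national total.
    media = sorted(state for state, n in inc.affected_by_state.items() if n > MEDIA_STATE_THRESHOLD)
    return Obligations(
        safe_harbor=False,
        notify_individuals=True,
        # The post only describes the immediate-HHS duty for 500 or more individuals.
        notify_hhs_immediately=total >= HHS_IMMEDIATE_THRESHOLD,
        media_states=media,
    )


# Constructed sample incidents, modelled on the categories the post discusses.
SAMPLE_INCIDENTS = [
    Incident("stolen laptop, no disk encryption", {"NY": 1200, "NJ": 300}, encrypted=False),
    Incident("stolen backup tapes, NIST-conformant encryption", {"VA": 4_900_000},
             encrypted=True, nist_conformant=True),
    Incident("encrypted USB drive with passphrase taped to it", {"CA": 900},
             encrypted=True, nist_conformant=True, key_exposed=True),
    Incident("lost unencrypted smartphone", {"TX": 40}, encrypted=False),
]


def triage_all(incidents=SAMPLE_INCIDENTS) -> Dict[str, Obligations]:
    """Run triage over a list of incidents and return the obligations keyed by incident name."""
    return {inc.name: triage(inc) for inc in incidents}


if __name__ == "__main__":
    for name, obligations in triage_all().items():
        print(f"{name}: {obligations}")
```

The third sample is the case the post’s definition implies but does not spell out: an encrypted drive whose passphrase travels with it offers no low probability of disclosure, so it is treated like unencrypted media and, with more than 500 Californians affected, triggers media notice as well as HHS and individual notification.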

Of the 385 reported breach incidents, thirty-nine percent involved a lost or stolen laptop or other portable media device containing unencrypted PHI. A report recently released by Redspin, an IT security firm, states that data breaches stemming from employees losing unencrypted devices spiked 525 percent in the last year alone. This statistic confirms that portable devices, including laptops, tablets and smartphones, pose a very high risk of a data breach. Redspin reported that eighty-one percent of healthcare organizations now use smartphones, iPads, and other tablets, but forty-nine percent of respondents in a recent healthcare IT poll by the Ponemon Institute said that nothing was being done to protect the data on those devices. At the very least, these reports and the statistics on HHS’s “Wall of Shame” should encourage entities to encrypt their portable electronic devices that contain sensitive PHI.

There are of course costs associated with adopting encryption technology in an EHR system. There are costs to install the system and maintain it with the help of an IT expert. Encryption of information can also slow down the processes used in sharing information. After all, one of the main goals of an EHR system is to make it easier for providers to share health information about their patients. An entity should work with an IT expert to determine what information should be encrypted in order to maximize the efficiencies of an EHR system. Despite the costs, the money and resources spent implementing encryption technology can be well worth it and are a smart investment for any entity with an EHR system. In a study published in 2011, the Ponemon Institute found that the cost of a data breach was $214 per compromised record and the average cost of a breach is $7.2 million. In light of the large data breaches that have been reported, it is clear that the costs of a breach can be much higher than the costs to implement encryption technology.

Under the HITECH Act and HHS’s interim final rule, encryption of health information is not mandatory. It remains to be seen whether HHS will impose a mandatory encryption policy on all devices or, at the very least, all portable devices capable of storing or transferring PHI, when it releases the final version of the data breach notification regulations sometime this year. The health care industry’s lack of encryption for patient information has drawn attention on Capitol Hill. At a November 2011 hearing before the Senate Judiciary Committee’s panel on Privacy, Technology and Law, Deven McGraw of the Center for Democracy and Technology testified that “we know from the statistics on breaches that have occurred since the notification provisions went into effect in 2009 that the healthcare industry appears to be rarely encrypting data.” At the hearing, Senator Tom Coburn, a physician himself, and Senator Al Franken, the chair of the panel, both voiced their concern over patient privacy protection and the current regulatory scheme. Senator Franken has said that he is contemplating legislation to encourage encryption by providers, although no action has been taken.

In the interim, it is reasonably clear that most, if not all, entities can benefit from implementing encryption technology when considering the costs and headaches associated with a data breach. When encryption is done properly, it has the potential of saving an entity a large sum of money, perhaps millions of dollars, in costs and fines — and that should be reason enough for entities to start taking this step in EHR technology.


FDA Drafts Guidance on Mobile Medical Apps

September 1, 2011
Filed under: Food and Drug Administration (FDA) 

In an effort to keep up with advancing technology, the Food and Drug Administration (FDA) has proposed new regulations to monitor medical smartphone applications (apps). The draft proposal states that any mobile app that is intended for use in performing a medical device function meets the definition of a medical device under the Federal Food, Drug, and Cosmetic Act. Specifically, these mobile medical apps must either be used as an accessory to a regulated medical device, or transform a mobile platform into a regulated medical device.

To further clarify what apps will be regulated, the document notes that a mobile app is a device “when the intended use of a mobile app is for the diagnosis of disease or other conditions, or the cure, mitigation, treatment, or prevention of disease, or is intended to affect the structure or any function of the body of man.” The guidance document explains how the intended use of mobile apps can be shown by labeling claims, advertising materials, or oral or written statements by manufacturers or their representatives.

The goal of the regulations is to protect patient safety, though to date there have been no adverse events reported to the FDA. The proposal seems to be forward looking in creating a framework for mobile app manufacturers. According to the Associated Press, there are already more than 17,000 medical applications currently available.

Physicians can use mobile phones to calculate prescription dosages, review disease treatment guidelines, and explain diagnoses and procedures to patients. The FDA expects that by 2015, 500 million smartphone users will rely on health care apps.

Two medical apps have already received FDA approval for use by physicians. The first is a prenatal care app called AirStrip OB. Cleared in 2009, the app allows obstetricians to use their phones to remotely access real-time data for mothers and babies. The second app, approved earlier this year, is Mobile MIM. This app allows hospitals and doctors’ offices to send images to physicians’ mobile devices. The FDA noted that the software should not be used to replace radiology workstations as the primary way to view medical images, but is useful when a physician has limited access to a workstation.

Opinions from within the industry vary on the new guidelines. Some feel that the regulation is both necessary and welcome. By regulating the medical app industry, the FDA is offering market players clear guidelines for continued development. Others argue that the regulations may be too far reaching. For example, medical apps to calculate prescription dosages for patients are not new and are based on accepted formulas. Smartphone apps that achieve the same goal increase efficiency and do not put patients at risk, and therefore do not merit differential treatment.

The proposed regulations raise two main concerns for patients and physicians. The first is a privacy concern, similar to the drawbacks considered for other forms of Electronic Health Records. Transferring data between hospital systems and physician smartphones will increase confidentiality and security concerns. Once patient data is accessed on a smartphone, privacy may be easily breached should the phone be used by another person, lost or stolen. The second concern is that these proposed rules could increase the purchase price for medical apps. App developers will likely have increased costs for filing applications and seeking legal counsel, and those costs will be passed to end users.

The draft proposal is currently in an open comment period, and the FDA will amend the regulations after the comment period closes.


Doctors Wary of New Health IT

March 17, 2011
Filed under: Electronic Medical Records 

The Washington Post recently featured Lena Sun’s reporting on why many physicians are wary of adopting an electronic medical records system. As noted in the piece,

Many are aware that beginning this year, health-care professionals who effectively use electronic records can each receive up to $44,000 over five years through Medicare or up to $63,750 over six years through Medicaid.  But to qualify, doctors must meet a host of strict criteria, including regularly using computerized records to log diagnoses and visits, ordering prescriptions and monitoring for drug interactions. And starting in 2015, those who aren’t digital risk having their Medicare reimbursements cut.

Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, complains that, despite all these requirements, patient confidentiality concerns are being neglected:

But no federal regulations clearly require that doctors turn the data encryption on or prevent those who don’t do so from getting paid. . . . “This is a point of frustration,” said McGraw, who sits on an advisory group that sought unsuccessfully to prevent those who violate privacy regulations of the federal Health Insurance Portability and Accountability Act, or HIPAA, from getting incentive money.

Some older doctors may find it easier to retire than to get on board with new EMR systems. We frequently hear complaints about Luddite doctors resisting technology that has long been adopted by other sectors. But, as one commentator recently insisted, a doctor is not a bank. To get a sense of how frustrated doctors can become because of the new health IT (and the legal contracts that accompany it), check out this parody website for the faux firm Extormity. It announces a memorable experience for doctor clients/conscripts:

At the confluence of extortion and conformity lies Extormity, the electronic health records mega-corporation dedicated to offering highly proprietary, difficult to customize and prohibitively expensive healthcare IT solutions. Our flagship product, the Extormity EMR Software Suite, was recently voted “Most Complex” by readers of a leading healthcare industry publication.

I loved this description of a firm committed to maximizing the value of its intellectual property:

The Extormity EMR Software Suite is built on a proprietary software model renowned for its complexity. This proprietary platform and all of its components must be procured and implemented as a complete package we call the Extormity BundleTM (which describes both our comprehensive package and its associated cost).

Operating the Extormity Bundle requires a phalanx of servers, which of course need to be replicated for redundancy. Fortunately, Extormity acts as a value-added reseller of these servers, which we pre-load with operating software. This allows us to mark-up the cost of the servers and charge for server configuration. In addition, the server software carries with it steep annual license fees.

Let’s hope the ONC’s ongoing regulatory process can help reduce the risk of Extormity-style raw deals for doctors. Given the recent flap over the FDA’s effective imprimatur for an extreme drug price increase, no DC agency should set in motion a process that could lead to prohibitively expensive fees for an essential aspect of health care.

X-Posted: Health Law Prof Blog.


CMS and HHS Release New Proposed Rules Governing Health IT – Part 1: Overview of Proposed Rule on “Meaningful Use”

Issues surrounding the implementation of health information technology (HIT) have not garnered anywhere near the amount of attention as issues such as the public plan, the intersection of abortion and health insurance, pre-existing condition provisions, etc. There are a variety of reasons for this.

First, HIT is not as accessible as these other issues. Discussions of HIT often involve the heavy use of acronyms as well as technical jargon that can be intimidating and confusing. This is not likely to change in the future. HIT will increase in complexity, especially as the varied computer systems used by providers and hospitals are linked together.

A second reason for the lack of coverage of HIT is that there have been few if any significant steps on the federal level towards implementing a national HIT system. As I will discuss below, this is beginning to change, and this change provides for an important New Year’s resolution that all of those interested in health policy should make: stay informed about the changes in the HIT landscape. To make this resolution easier, I will write a series of posts describing the changes.

One of the more recent changes occurred with the passing of the American Recovery and Reinvestment Act (ARRA), and more specifically, portions known as the Health Information Technology and Clinical Health Act (HITECH Act). The HITECH Act initiated, among other things, an incentive-driven paradigm for transforming our health information system. The general idea is that physicians and hospitals will be paid for using HIT. However, in order for this transformation to take place, guidelines must exist such that physicians, providers and vendors of HIT products understand how to operate within this new system.

On December 30th 2009, CMS and the Office of the National Coordinator of Health and Human Services (ONC), released two rules. ONC released an interim final rule regarding the standards that will govern the Medicare and Medicaid incentive program. Additionally, CMS released their proposed rule on what is considered meaningful use.

The interim final rule regarding the standards can be found here.

The proposed rule regarding meaningful use can be found here.

Meaningful Use

CMS’s proposed rule on meaningful use is important because it defines how physicians and providers must implement HIT in order to qualify for CMS’s incentive payments for the use of such technology. Much of the proposed rule is based on the HIT Policy Committee’s proposals on Meaningful Use, but comments had been solicited and incorporated from other committees, HIT vendors, and providers. The proposed rule states that incentive payments will begin in 2011, and that there will be two different payment methodologies: one for Medicare and one for Medicaid. Those receiving incentives must choose either the Medicaid or the Medicare plan. Furthermore, the rule states that hospitals and providers that are not meaningfully using HIT will have their payments from Medicare reduced, with the reductions taking effect in 2015.

The HITECH Act amended the Social Security Act, and in doing so, incorporated a broad definition of what constitutes a meaningful user of Electronic Health Records (EHR). Specifically, for a provider to be a meaningful user they must:

  1. Demonstrate use of certified EHR technology in a meaningful manner;
  2. Demonstrate to the satisfaction of the Secretary that certified EHR technology is connected in a manner that provides for the electronic exchange of health information to improve the quality of health care, such as promoting care coordination, in accordance with all laws and standards applicable to the exchange of information; and
  3. Use its certified EHR technology to submit to the Secretary, in a form and manner specified by the Secretary, information on clinical quality measures and other measures specified by the Secretary.

The proposed rule is an extension of this definition, and aims to provide those EPs and hospitals with the proper information to become a meaningful user.

Specifically, the rule provides for two classes of providers to participate in the incentive system: eligible professionals (EPs) and hospitals. EPs are defined as non-hospital-based physicians who either receive reimbursement for services under the Medicare Fee-For-Service program (FFS) or have an employment or contractual relationship with a qualifying Medicare Advantage organization (MA); or healthcare professionals meeting other requirements. (See page 22 of PDF). Hospitals are defined as hospitals that either receive reimbursement for services under the Medicare FFS program or are affiliated with a qualifying MA organization as described in section 1853(m)(2) of the Act; critical access hospitals (CAHs); or acute care or children’s hospitals. (See page 22 of PDF).

Transitioning to the meaningful use of EHRs will be phased in, taking place in three stages. On page 40 of the proposed rule, CMS describes the stages as follows:

Stage 1 (beginning in 2011):  The Stage 1 meaningful use criteria focuses on electronically capturing health information in a coded format; using that information to track key clinical conditions and communicating that information for care coordination purposes (whether that information is structured or unstructured, but in structured format whenever feasible); consistent with other provisions of Medicare and Medicaid law, implementing clinical decision support tools to facilitate disease and medication management; and reporting clinical quality measures and public health information.

Stage 2: Stage 2 expands upon Stage 1 to use HIT for continuous quality improvement at the point of care and the exchange of information in the most structured format possible, such as the electronic transmission of orders entered using computerized provider order entry (CPOE) and the electronic transmission of diagnostic test results such as blood tests and nuclear imaging tests.

Stage 3: Stage 3 focuses on improving the quality, safety, and efficiency of health care, focusing on decision support for national high priority conditions, patient access to self-management tools, access to comprehensive patient data, and improving public health.

The proposed rule that was recently released only describes the specific criteria for Stage 1, with the criteria for Stage 2 and Stage 3 to be released at the end of 2011 and 2013 respectively. In terms of Stage 1 criteria, there is a hierarchy of organizational structure. At the broadest level there are “health outcome policy priorities.” Within each of these policy priorities there is a group of “care goals,” and associated with each group of care goals are the specific “objectives.” CMS has provided a very helpful table which breaks down the hierarchy, including the various objectives. I have extracted the table, which can be accessed here. However, for reference purposes, I have summarized the organization below, and provided the objectives for the first health policy priority. Note that there is a different list of objectives for hospitals, many of which are similar or identical.

The organization is as follows:

Health Outcome Policy Priority 1: Improving quality, safety, efficiency and reducing health disparities.

Care Goals:
1. Provide access to comprehensive patient health data for patient’s healthcare team
2. Use evidence-based order sets and computerized provider order entry (CPOE)
3. Apply clinical decision support at the point of care
4. Generate lists of patients who need care and use them to reach out to those patients.
5. Report information for quality improvement and public reporting.
Objectives for Eligible Professionals (EPs):
1. Use Computerized Physician Order Entry (CPOE)
2. Implement drug-drug, drug-allergy, drug-formulary checks.
3. Maintain an up-to-date problem list of current and active diagnoses based on ICD-9-CM or SNOMED CT®.
4. Generate and transmit permissible prescriptions electronically (eRx).
5. Maintain active medication list.
6. Maintain active medication allergy list.
7. Record demographics
8. Record and chart changes in the following vital signs
9. Record smoking status for patients 13 years old or older.
10. Incorporate clinical lab-test results into EHR as structured data.
11. Generate lists of patients by specific conditions to use for quality improvement, reduction of disparities, research, and outreach.
12. Report ambulatory quality measures to CMS (or, for EPs seeking the Medicaid incentive payment, the States)
13. Send reminders to patients per patient preference for preventive/follow-up care.
14. Implement five clinical decision support rules relevant to specialty or high clinical priority, including for diagnostic test ordering, along with the ability to track compliance with those rules.
15. Check insurance eligibility electronically from public and private payers.
16. Submit claims electronically to public and private payers.

Health Outcome Policy Priority 2: Engaging patients and families in their healthcare

  1. Care Goal 1: Provide patients and families with timely access to data, knowledge, and tools to make informed decisions.

Health Outcome Policy Priority 3: Improving care coordination

  1. Care Goal 1: Exchange meaningful clinical information among professional health care team.

Interestingly, for CPOE, EPs are required to use CPOE for at least 80 percent of all orders whereas hospitals are only required to use CPOE for 10 percent of orders. Why such a discrepancy exists is presently unclear.

In terms of the requirement for reporting clinical quality measures (as described in the original definition of meaningful use in the HITECH Act), the proposed rule adopts different measurements for EPs and hospitals. For EPs, the proposed rule utilizes the quality measures endorsed by the National Quality Forum (NQF), including those selected for the Physician Quality Reporting Initiative (PQRI) program that had previously been endorsed by the NQF. For hospitals, the measures are a combination of the NQF measures and those measures from the Reporting Hospital Quality Data for Annual Payment Update (RHQDAPU).

Reporting of these clinical quality measures would be accomplished by one of three methods. The primary method would require EPs or hospitals to log onto a CMS-designated portal and upload the clinical quality data in a specific data structure (as defined by the ONC’s standards). Alternatively, data could be submitted through a Health Information Exchange (HIE)/Health Information Organization (HIO), depending on whether the Secretary can access that network. Another alternative is submission through registries, dependent upon the development of the necessary capacity and infrastructure to do so using certified EHRs. See page 169 of the PDF for more details on the uploading process.

As discussed earlier on this blog, one aspect of the transition that remains to be addressed is whether the incentives provided to EPs and hospitals will be sufficient to encourage physicians to take on the initial outlays associated with EHRs. H.R. 3014, a bill to provide loan guarantees to solo and small group practices, has been passed by the House and is currently being reviewed by the Senate Committee on Small Business and Entrepreneurship. Without such measures to spur the initial implementation of EHRs, the incentives or downward payment adjustments may not be sufficient to implement the bold plan set out by CMS.