The Identity Theft Smoke Screen: Data Mining of Prescription Drug Records and Personal Data Privacy

[Ed Note: We are pleased to welcome a guest article from Christopher J. Asakiewicz, J.D. He graduated from Seton Hall Law in 2011 with a concentration in Health Law, recently passed the New York Bar Exam (congratulations!) and works for ImClone Systems Corporation, an affiliate of Eli Lilly and Company, drafting and negotiating various clinical documents and patient disclosures with both US and ex-US institutions as well as central and local investigational review boards (IRBs). During law school he worked at Saint Vincents Catholic Medical Centers of New York (SVCMC) in the department of legal affairs, and prior to pursuing a legal education, managed phase IIIB/IV international clinical trials for Pfizer Inc. in the areas of neurology and neurodegenerative diseases.]

Personal data privacy has once again taken center stage in Sorrell v. IMS Health, Inc.[1] Vermont passed the Vermont Confidentiality of Prescription Information Law, which allows doctors who prescribe drugs to patients to decide whether pharmacies can sell their prescribing records.[2] IMS Health and other health information companies contested the law, arguing that it restricts commercial speech, since access to such information helps pharmaceutical companies market their drugs effectively to doctors. The Supreme Court is now tasked with determining whether the restriction on access to prescription information is constitutional under the First Amendment.[3]

However, this post focuses on a secondary effect of allowing companies to purchase such information, one asserted in the amici curiae briefs supporting the petitioners: the concern over data privacy and patient re-identification.[4] Under the Health Insurance Portability and Accountability Act (HIPAA), personal health information is de-identified by your local pharmacy before it is shared with any third party. Once the data is de-identified, it is believed that it cannot be linked or traced back to you. De-identifying your health information is a way for covered entities to share it lawfully and without your consent or authorization. The information, once shared, is completely anonymized. After the transfer to a third party such as IMS Health, your record is nothing more than zeros and ones that translate to dates of dispensing and drug names; it no longer lists your name or the month and day of your birth.[5]

Briefs in the case assert that data mining firms could, hypothetically, build profiles from these de-identified prescription records. Such a profile would capture an individual patient’s prescription habits, including the types of medication taken, the pharmacies visited and the dates dispensed. The briefs argue that linking further public information to these drug profiles and mining the result could lead to patient re-identification.
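The de-identification the previous paragraphs describe, and the linkage risk the briefs raise, can be made concrete with a small re-identification risk check. The following Python is an added example, not code from the original post, from IMS Health or from any pharmacy: it reduces a constructed set of pharmacy records to a simplified Safe Harbor form (name and phone dropped, birth date cut to year, ZIP to three digits, dispensing date kept as the post describes) and then measures k-anonymity over the surviving attributes, which is how a privacy engineer checks whether a “de-identified” release still contains records that are unique and therefore linkable to outside data. The field names, the six sample records and the generalisation steps are assumptions made for this illustration, not a complete implementation of 45 C.F.R. 164.514(b)(2).

```python
"""Added example, not part of the original post: a simplified HIPAA-style
de-identification of pharmacy records followed by a k-anonymity check.
Field names, the six sample records and the exact generalisation rules are
constructed for illustration; they simplify the Safe Harbor method
(45 C.F.R. 164.514(b)(2)) and do not implement it in full."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Record = Dict[str, str]

# Constructed sample records; no real patients or pharmacies.
RAW_RECORDS: List[Record] = [
    {"name": "John Doe", "dob": "1984-01-01", "zip": "05401", "phone": "802-555-0101",
     "drug": "atorvastatin 20mg", "dispensed": "2010-06-14", "pharmacy": "P1"},
    {"name": "Jane Roe", "dob": "1984-09-30", "zip": "05403", "phone": "802-555-0102",
     "drug": "atorvastatin 20mg", "dispensed": "2010-06-14", "pharmacy": "P1"},
    {"name": "Ann Poe", "dob": "1984-04-17", "zip": "05405", "phone": "802-555-0103",
     "drug": "atorvastatin 20mg", "dispensed": "2010-07-02", "pharmacy": "P1"},
    {"name": "Bob Loe", "dob": "1975-12-05", "zip": "05401", "phone": "802-555-0104",
     "drug": "metformin 500mg", "dispensed": "2010-06-20", "pharmacy": "P2"},
    {"name": "Cy Moe", "dob": "1975-02-28", "zip": "05402", "phone": "802-555-0105",
     "drug": "metformin 500mg", "dispensed": "2010-06-20", "pharmacy": "P2"},
    {"name": "Di Noe", "dob": "1952-08-11", "zip": "05701", "phone": "802-555-0106",
     "drug": "amoxicillin 500mg", "dispensed": "2010-05-03", "pharmacy": "P3"},
]

# Attributes that survive de-identification and could still be matched against
# outside data (voter rolls, social-media check-ins, and so on).
QUASI_IDENTIFIERS: Tuple[str, ...] = ("birth_year", "zip3", "drug", "dispensed", "pharmacy")


def deidentify(rec: Record) -> Record:
    """Drop direct identifiers and coarsen the rest (simplified Safe Harbor)."""
    return {
        "birth_year": rec["dob"][:4],   # month and day of birth removed
        "zip3": rec["zip"][:3],         # only the first three ZIP digits kept
        "drug": rec["drug"],
        "dispensed": rec["dispensed"],  # full dispensing date kept, as the post describes
        "pharmacy": rec["pharmacy"],
    }


def equivalence_classes(records: Iterable[Record], keys: Tuple[str, ...]) -> Counter:
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records: List[Record], keys: Tuple[str, ...]) -> int:
    """Smallest class size; k == 1 means at least one record is unique."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_fraction(records: List[Record], keys: Tuple[str, ...]) -> float:
    """Share of records that are the only member of their class."""
    classes = equivalence_classes(records, keys)
    singletons = sum(n for n in classes.values() if n == 1)
    return singletons / len(records) if records else 0.0


def generalize_dates(records: List[Record]) -> List[Record]:
    """Coarsen the dispensing date to its year, as Safe Harbor does for dates."""
    return [{**r, "dispensed": r["dispensed"][:4]} for r in records]


def suppress_below_k(records: List[Record], keys: Tuple[str, ...], k: int) -> List[Record]:
    """Withhold records whose class is smaller than k before release."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[tuple(r[q] for q in keys)] >= k]


def risk_report(records: List[Record], keys: Tuple[str, ...]) -> Dict[str, float]:
    """Summary a release reviewer would look at before approving a dataset."""
    return {"records": len(records),
            "k": k_anonymity(records, keys),
            "unique_fraction": unique_fraction(records, keys)}


if __name__ == "__main__":
    deid = [deidentify(r) for r in RAW_RECORDS]
    print("as de-identified  :", risk_report(deid, QUASI_IDENTIFIERS))
    coarse = generalize_dates(deid)
    print("dates to year     :", risk_report(coarse, QUASI_IDENTIFIERS))
    release = suppress_below_k(coarse, QUASI_IDENTIFIERS, 2)
    print("suppressed to k=2 :", risk_report(release, QUASI_IDENTIFIERS))
```

The first report shows that even with names and birth dates gone, a third of the constructed records are unique on (birth year, ZIP3, drug, dispensing date, pharmacy), which is exactly the kind of profile the briefs worry about. Coarsening the dispensing date to its year and withholding any class smaller than two brings the release to k = 2. On a real dataset the quasi-identifier list would be chosen from what outside parties could plausibly obtain, and the check would be run before every release rather than once.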

IMS Health, Inc., of course, asserts that it has no knowledge of any patient re-identification and that it protects such records with all the security and privacy measures set forth under HIPAA, as strengthened by the Health Information Technology for Economic and Clinical Health Act (HITECH). So what is the issue, I ask?

A pharmaceutical company neither needs nor wants to know who you are. Aggregate data is more valuable to a marketer than a single record with your name on it. What benefit would a company get from a record that says John Doe, DOB: 01-Jan-1984? It could send you a mailer, but under the current regulations you can opt out of marketing material, and it stops there. What helps a pharmaceutical company is an aggregate dataset showing that Dr. Jane Doe, MD writes 100 scripts for Lipitor ® a month. No one cares if the patients are unidentifiable, and most likely the pharmaceutical company wants to keep it that way. Not only is de-identified data cheaper to buy, it also assures the third party purchasing it that it is not aiding a HIPAA violation.

Last, it is also asserted that there is no penalty for re-identification of personal health data, yet there are stark penalties under HIPAA for “a person who knowingly … (1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person.”[6] If the offense is committed with the intent to sell, transfer or use the individually identifiable health information for commercial advantage, the penalty can be up to $250,000 and 10 years’ imprisonment.[7] If claims are brought against companies like IMS Health, they will surely argue that they are not covered entities subject to the penalties under HIPAA; however, that does not prevent civil lawsuits against them.

What will happen if a breach occurs through patient re-identification? Most likely, the current healthcare environment, in which many companies operate under corporate integrity agreements or deferred prosecution agreements, promotes reporting, if not for altruistic reasons then at least for compliance reasons. Once the breach is reported to the Department of Health and Human Services, Office of Civil Rights, and, in most states, to the Secretary of State, privacy and confidentiality laws require that the re-identified patient be notified. That patient, whose privacy rights have been infringed, can then bring an individual civil claim against the organization responsible for the disclosure of their health information and for the collateral damage caused by the unauthorized disclosure. What company today wants to get involved with this type of bad publicity?

In conclusion, the mere possibility that a patient can be re-identified through data mining does not mean that our current environment will foster it. The nine Justices of the Supreme Court should be more concerned with the First Amendment and the commercial speech implications of their ruling than with amici curiae briefs supporting public policy positions based on unwarranted fears of patient information disclosure.[8]

I therefore urge you to put yourself in the role of your favorite Justice and consider whether you should be more concerned that a company will buy your prescription records and try to determine that you took amoxicillin for a sinus infection when you were five years old, or that it would rather purchase everything you have posted on Facebook ® or other social networking sites, including every location you have checked in at. Which do you think is more useful for marketing its products? It is with this mindset that you must consider whether the regulation directly advances the governmental interest “in protecting the public health of Vermonters, … the privacy of prescribers and prescribing information” and is no more extensive than necessary to serve that interest.[9]


[1] Petition for Writ of Certiorari, Sorrell v. IMS Health, Inc., 131 S. Ct. 857, No. 10-779, Dec. 13, 2010.

[2] Vt. Stat. Ann. tit. 18, § 4631 (2010).

[3] See Central Hudson Gas & Elec. Corp. v. Pub. Serv. Comm’n of N.Y., 447 U.S. 557 (1980).

[4] Brief of Electronic Privacy Information Center (EPIC) et al. as Amici Curiae Supporting Petitioners, Sorrell v. IMS Health, Inc., 131 S. Ct. 857 (2011) (No. 10-779), 24-9, available at http://www.atg.state.vt.us/assets/files/10-779%20EPIC%20amicus%20Sorrell.pdf; Latanya Sweeney, Simple Demographics Often Identify People Uniquely (Carnegie Mellon University, Data Privacy Working Paper No. 3, 2000), available at http://dataprivacylab.org/projects/identifiability/paper1.pdf.

[5] Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191 (1996), 45 C.F.R. §§ 164.312(e)(2)(ii), 164.514(b)(2)(i) (2010).

[6] 42 U.S.C. § 1320d-6(a)(1)-(3).

[7] Id. § 1320d-6(b).

[8] Brief of Electronic Privacy Information Center (EPIC) et al. as Amici Curiae Supporting Petitioners, Sorrell, 131 S. Ct. 857 (No. 10-779).

[9] See Vt. Acts & Resolves No. 80, § 17 (2007) (Confidentiality of Prescription Information); Vt. Acts & Resolves No. 89, § 3 (2008) (amending Act 80).


From Viral Marketing to Medical Profile Contagion

As ACA implementation lumbers ahead, and challenges to it slouch toward the Supremes, the U.S. health care system’s arbitrary old ways continue to mystify and frustrate. Consider this story on one person’s quest to obtain insurance:

Most employees assume that if they lose their job and the health coverage that comes along with it, they’ll be able to purchase insurance somewhere. . . . My husband, teenage daughter and I were all active and healthy, and I naïvely thought getting health insurance would be simple. . . .

Then the first letter arrived — denied. . . . What were these pre-existing conditions that put us into high-risk categories? For me, it was a corn on my toe for which my podiatrist had recommended an in-office procedure. My daughter was denied because she takes regular medication for a common teenage issue. My husband was denied because his ophthalmologist had identified a slow-growing cataract. Basically, if there is any possible procedure in your future, insurers will deny you. . . .

As I filled out more applications, I discovered a critical error in my strategy. The first question was “Have you ever been denied health insurance”? Now my answer was yes, giving the new companies reason to be wary of my application. I learned too late that the best tactic is to apply simultaneously to as many companies as possible, so that you don’t have to admit to a denial.

As was recently reported, “50 to 129 million (19 to 50 percent of) non-elderly Americans have some type of pre-existing health condition.” The “health care market” is sending a strong signal: don’t step out of the system if you have any continuing need for even minor care.

But what’s more worrisome are the types of information circulating about you that you aren’t even aware of. Consider this story from Businessweek about the profiling of insurance applicants by third-party intermediaries:

Most consumers and even many insurance agents are unaware that Humana, UnitedHealth Group, Aetna (AET), Blue Cross plans, and other insurance giants have ready access to applicants’ prescription histories. These online reports, available in seconds from a pair of little-known intermediary companies at a cost of only about $15 per search, typically include voluminous information going back five years on dosage, refills, and possible medical conditions. The reports also provide a numerical score predicting what a person may cost an insurer in the future. . . .

[A] 57-year-old safety consultant in the oil and gas industry, says he tried to explain that the medications weren’t for serious ailments. The blood-pressure prescription related to a minor problem his wife, Paula, had with swelling of her ankles. The antidepressant was prescribed to help her sleep—a common “off-label” treatment doctors advise for some menopausal women. But drugs for depression and other mental health conditions are often red flags to insurers. Despite his efforts to reassure Humana, the phone interview with the company representative “just went south,” Walter recounts. He and his wife remain uninsured [as of 2008].

Health-related data from a wild west of unregulated intermediaries may spread to employers and other decision-makers, just as credit scores have migrated from the bank context to influencing insurance pricing, and credit histories now influence employers. Sharona Hoffman has observed that “It is not uncommon for employers to obtain applicants’ and employees’ medical records. According to one source, every year, over ten million authorizations for release of medical information are signed by workers prior to the commencement of employment.” She has predicted disturbing possibilities arising out of that access to data:

Existing laws, including the ADA, GINA, HIPAA, and their state counterparts, provide important assurances to applicants and employees but are insufficient to guarantee that they will suffer no ill consequences as a result of EHR disclosure to employers. Employees may be especially concerned in times of recession, knowing that financial pressures make workers with health problems particularly unattractive to employers. Employers or their hired experts may develop complex scoring algorithms based on EHRs to determine which individuals are likely to be high-risk and high-cost workers. In addition, in times of financial difficulty, limited resources may be available to implement technology and policies that will secure EHR confidentiality.

Secondary uses of health data could be a very lucrative niche for profilers of the future.

Given these possibilities, individuals should at least have the right to access and correct the health data that intermediaries have compiled about them. The FTC recognized this right, and “forced the [insurance] industry to begin disclosing the use of prescription information under . . . the Fair Credit Reporting Act. . . . Copies of prescription reports are supposed to be available to consumers at no charge under federal law.” This is a small step forward. But if the “scores” assessing individual risk are compiled according to proprietary algorithms, the consumer may still feel “in the dark,” unable to adequately influence the presentation of herself to the insurer.

As Esther Dyson has stated in another context, mysterious data flows can jeopardize individual autonomy:

The comforting thing about the kind of data that Facebook primarily deals with is that it’s public. If your friends and other people can see it, so can you.

More troubling is the data you don’t even know about – the kind of data about your online activities collected by ad networks and shared with advertisers and other marketers, and sometimes correlated with offline data from other vendors. By and large, that’s information you can’t see – what you clicked on, what you searched for, which pages you came from and went to – and neither can your friends, for the most part. But that information is sold and traded, manipulated with algorithms to classify you and to determine what ads you see, what e-mails you receive, and often what offers are made to you. Of course, some of that information could go astray.

Online advertisers already slice and dice population segments (and distribute opportunities & exposure to ads) via marketing discrimination. Will the “e-health revolution” bring their methods out of cyberspace, and into the deadly serious business of offering employment and insurance based on estimates of health status that applicants can’t understand or challenge?


Privacy Paradigms: From Consent to Reciprocal Transparency

October 25, 2010 by Frank Pasquale · 1 Comment
Filed under: EMR, Electronic Medical Records, IT 

Computational innovation may improve health care by creating stores of data vastly superior to those used by traditional medical research. But before patients and providers “buy in,” they need to know that medical privacy will be respected. We’re a long way from assuring that, but new ideas about the proper distribution and control of data might help build confidence in the system.

William Pewen’s post “Breach Notice: The Struggle for Medical Records Security Continues” is an excellent rundown of recent controversies in the field of electronic medical records (EMR) and health information technology (HIT). As he notes,

Many in Washington have the view that the Health Insurance Portability and Accountability Act (HIPAA) functions as a protective regulatory mechanism in medicine, yet its implementation actually opened the door to compromising the principle of research consent, and in fact codified the use of personal medical data in a wide range of business practices under the guise of permitted “health care operations.” Many patients are not presented with a HIPAA notice but instead are asked to sign a combined notice and waiver that adds consents for a variety of business activities designed to benefit the provider, not the patient. In this climate, patients have been outraged to receive solicitations for purchases ranging from drugs to burial plots, while at the same time receiving care which is too often uncoordinated and unsafe. It is no wonder that many Americans take a circumspect view of health IT.

Privacy law’s consent paradigm means that, generally speaking, data dissemination is not deemed an invasion of privacy if it is consented to. The consent paradigm requires individuals to decide whether or not, at any given time, they wish to protect their privacy. Some of the brightest minds in cyberlaw have focused on innovation designed to enable such self-protection. For instance, interdisciplinary research groups have proposed “personal data vaults” to manage the emanations of sensor networks. Jonathan Zittrain’s article on “privication” proposed that the same technologies used by copyright holders to monitor or stop dissemination of works could be adopted by patients concerned about the unauthorized spread of health information.

If individuals had enough time to manage their personal data the way they manage their checkbooks and gardens, perhaps the consent paradigm would be a good foundation for addressing public concerns about privacy. If applicants could easily bargain with would-be employers over privacy, or patients with hospitals, perhaps we could rely on them to protect their interests. But actual occurrences of such acts of self-assertion and self-protection are rare. Given the frequently abstract benefits that privacy and reputational integrity afford, they are often traded away for competitive economic advantage. This process further erodes societal expectations of privacy.

A collective commitment to privacy is far more valuable than a private, transactional approach that all but guarantees a race to the bottom. If such a collective commitment does not materialize, record systems will only deserve trust if they become as transparent as the patients and research subjects they profile. Given corporate assertion of trade secrecy (and even privacy rights), reciprocal transparency will not be easy to achieve. Nevertheless, repeated breaches, fraud, and data meltdowns in the US should provoke an alliance of socially responsible researchers to lobby the US government to set minimal standards of reciprocal transparency and auditing. Consumers can only trust innovators if they can understand what is being done with data. As we become “transparent citizens” (as Joel Reidenberg puts it), we should demand that the corporate, university, and governmental authors of that trend reciprocate, and become more open about the data they gather.

Fortunately, as a recent presentation by Deborah Peel reminded me, there is significant audit authority built into the recent HITECH act which may curb some abuses. Audits will become increasingly important as a “wild west” of health data is excavated by scrapers, marketers, and other data miners.

Consider, for instance, the following scenario: contributors to the medical website PatientsLikeMe.com found that “Nielsen Co., [a] media-research firm . . . was ‘scraping,’ or copying, every single message off PatientsLikeMe’s private online forums.” Had the virtual break-in not been detected, health attributes connected to usernames (which, in turn, can often be linked to real identities) could have spread into numerous databases. A reciprocal transparency paradigm would require all those harboring health data to have some certified indication of its legitimate provenance. Data would not be allowed to persist without certification of its provenance.

Unforeseen spread of inaccurate or inappropriate health data is not just a problem for those who want to avoid getting solicitations for burial plots after a sensitive appointment. Given law enforcement exceptions to medical privacy laws and regulations, it should come as little surprise that the government claims that “a 2005 law authorizes it to monitor and record all prescription drug use by all citizens via so-called ‘Prescription Drug Monitoring Programs.’” Such programs may just be the tip of an iceberg of new domestic intelligence programs that rely on private companies to act as “big brother’s little helpers.”

Whenever health data is fed into an evaluative profile of an individual, there should be safeguards in place to assure that the data is accurate, and that the resulting profile is, if at all possible, not used to harm or disadvantage the individual. Without assurances like these, we can count on continued resistance to the development of health data infrastructures.


CVS & HHS: Partners in Compromising Your Privacy

On January 16, 2009, the Department of Health and Human Services (HHS) and CVS entered into a resolution agreement requiring CVS to pay a $2.25 million fine and implement a corrective action plan for “potential violations of the HIPAA [The Health Insurance Portability and Accountability Act of 1996] privacy rule.”  Why?  CVS had allegedly been placing prescription bottles and labels into dumpsters that were accessible to the public.  The bottles/labels contained protected health information (PHI), which CVS was required to safeguard under federal law.

Although HHS appears to regard the settlement as a success, given its prominence on the HIPAA enforcement section of HHS’s website, it is nothing of the sort.  The agreement provides that CVS “expressly den[ies] any violation of HIPAA or the Privacy Rule, and further den[ies] any wrongdoing,” while HHS does not concede that CVS is “in compliance with the Privacy Rule.”  HHS did agree with itself, however, releasing an FAQ (accompanying the press release) stating that under its Privacy and Security Rules: “covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

Why is this old news important?  This week I had a prescription filled at my local CVS pharmacy in Livingston, New Jersey.  While standing at the pharmacy I noticed that all of the filled prescriptions were stored directly behind the counter in plain view of any customer.  Each prescription was inside a small bag to which a customer receipt was attached.  The receipts in the front row of the storage bins were readable from the counter.  The receipts contain protected health information (PHI) that is subject to the Privacy and Security Rules of HIPAA including:

1) Full name,

2) Address,

3) Telephone number,

4) Day and month of birth,

5) Drug name and dosage, and

6) Prescriber.

HHS maintains the authority for civil enforcement of violations of the Privacy and Security Rules promulgated pursuant to HIPAA.  So, why is it that CVS allows the public to view its customers’ PHI in violation of HIPAA even while still subject to the corrective action plan for its prior alleged violations?  Well, I asked the pharmacist on duty.  The pharmacist acknowledged that it was a problem that the PHI could be viewed from the counter.  However, CVS was expecting to remodel and “hopefully” the shelf would be placed farther away to render the PHI unreadable.  Upon requesting the contact information for CVS’s privacy officer, the pharmacist readily provided such information and stated that she would “appreciate” someone actually reporting the apparent violation.

HHS was recently provided with additional enforcement tools under the HITECH provisions of the American Recovery and Reinvestment Act of 2009.  Unfortunately, it does not appear that HHS is serious about enforcing its own regulations or resolution agreements; nor, if the flagrantly violative placement of prescriptions is indicative of mindset, is CVS serious about HIPAA compliance.


HIPAA Administrative Simplification: Enforcement

May 24, 2010 by Guest Blogger · 1 Comment
Filed under: Compliance, Health Law 

By Laura Sunyak

In February of 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 (ARRA), and with it enacted the Health Information Technology for Economic and Clinical Health Act (HITECH Act).  The HITECH Act contains provisions that significantly increase the penalty amounts the Secretary of the Department of Health and Human Services (HHS) may impose for violations of rules promulgated under the Health Insurance Portability and Accountability Act (HIPAA), and encourages corrective action.  In order to incorporate the increased penalty structure into HIPAA, HHS has recently issued an interim final rule designed to strengthen its enforcement power and incorporate the new penalty structure of the HITECH Act into HIPAA.

Prior to the HITECH Act, the Secretary could not impose a penalty of more than $100 for each violation, or $25,000 for all identical violations of the same provision.  A covered entity could also bar the imposition of a civil monetary penalty by simply showing that it did not know that it violated a HIPAA rule.  As a result, enforcement of HIPAA rules has been weak, bordering on nonexistent.  The number of covered entities that were in full compliance with the law was always very low, simply because HHS did not have a sufficient enforcement mechanism in place to deter violations.  If covered entities did change their behavior to become compliant, it was out of a desire to follow the law, not due to fear of prosecution or administrative action.

Before ARRA was signed into law, although there were HIPAA audits that took place, they were few and far between.  Covered entities complained that the requirements were not clear, and so hesitated to attempt to comply. With the enactment of ARRA and the HITECH Act, and the adoption of the interim rule, HIPAA covered entities will have no choice but to take notice and comply, or face much harsher penalties.  The implementation of these acts also transfers authority for enforcement of HIPAA’s security rules from the Centers for Medicare and Medicaid to the Office of Civil Rights which, with 275 investigators and an annual budget of $40 million, is in a better position to bring enforcement actions and recover penalties.  The penalties collected for violations will in turn be used to fund greater enforcement efforts.

The interim rule amends 45 CFR part 160, subpart D, which establishes rules relating to the imposition of civil money penalties, to conform several provisions to section 13410(d) of the HITECH Act’s amendments to section 1176 of the Social Security Act, which became effective February 18, 2009. This interim final rule’s amendments distinguish between violations occurring before February 18, 2009, and violations occurring on or after that date, with respect to the potential amount of the civil money penalty and the affirmative defenses available to covered entities.

The interim final rule, effective as of November 30, 2009, modifies the penalties for HIPAA violations occurring after February 18, 2009.  According to this rule, the penalty for unknown violations, where the covered entity did not know of the violation, and would not have known by exercising reasonable diligence, is now between $100 and $50,000.  For violations involving reasonable cause, such as circumstances that would make it unreasonable to comply with HIPAA despite extraordinary care, the penalty is now between $1,000 and $50,000. For violations involving willful neglect, or a conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA, the penalties are further broken down by whether or not the covered entity corrects the violation.  If the violation is corrected within 30 days, the penalty is now between $10,000 and $50,000.  If the violation is not corrected in time, each violation will be fined $50,000.  The rule also puts into place an annual cap of $1.5 million on all violations of an identical provision.

According to Georgina Verdugo, the director of OCR, the implementation of these tougher enforcement provisions strengthens HIPAA protections and rights related to protected health information, and should encourage covered entities, including health care providers and health plans, to “ensure that their compliance programs are designed to prevent, detect, and quickly correct violations of the HIPAA rules.… such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”

The enactment of these tougher enforcement penalties creates additional incentives to make sure that covered entities have HIPAA compliance programs in place, which should include training employees to be compliant and ensuring that they are aware of how important it is to report potential violations so that they can be corrected in a timely manner.

When taking into account the lack of enforcement that had occurred prior to the recent HIPAA amendments, the new provisions seem to be a necessary step in enforcing the law and preventing the misuse of protected health information.  With more resources available to track down HIPAA violations, and steeper penalties exacted against entities that violate HIPAA, the new rule is a step in the right direction toward greater protection of protected information.  With the rampant rise of identity theft in this electronic age, consumers can never be too careful in ensuring that information stays in the right hands.

As HHS acknowledges, this Interim Final Rule is only the first of several steps being taken to implement the HITECH Act’s tougher enforcement provisions.  The remaining provisions, which are not yet effective, will be addressed in the near future.


Breach Notification for Unsecured Protected Health Information

May 6, 2010 by Guest Blogger · 1 Comment
Filed under: EMR, Electronic Medical Records 

By: Michael R. Spaltro

Gordon Moore, Intel co-founder, famously predicted that the speed of technology will double about every two years. Between 1981 and 1991, “computer processing speed increased tenfold, the instruction execution rate a hundred fold, system memory grew a thousand times, and system storage expanded by a factor of 10,000.” That was just the beginning. Intel has kept that pace for nearly 40 years, now introducing the world’s first 2-billion transistor microprocessor. The development of fundamental computer technology has translated into ubiquitous information technology infrastructure. Deploying information technology within the healthcare industry is significantly complicated by the indispensability of life and health to everything else we do. The privacy of electronic health records (“EHR”) that contain personally identifiable health information (“PHI”) is one area of particular concern.

Health care providers, health care plans, health care clearinghouses, and their business associates across the country are currently using EHRs as an efficient method to locally store patient records.[1] EHRs may contain patient treatment history, social and demographic data, and a multitude of other personal health information (“PHI”).[2] If the underlying computer technology continues to grow at the staggering pace predicted by Moore’s Law, the function of EHRs will expand to “assume a key role in medical diagnosis and treatment management.”[3] Moreover, the Food and Drug Administration, in collaboration with public, academic, and private entities, is expected to use EHRs to link and analyze medical safety data from over 100 million patients by July 2012.[4] The resulting electronic network of interoperable healthcare data is of a scale never before contemplated in the industry. Personally identifiable health information, such as the data contained across local provider EHRs, health plan claims databases, and Medicare databases, will be remotely transmitted, stored, accessed, and analyzed.

Transmitting EHRs between an originating entity and the entity or infrastructure involved in the research, development, and storage of EHRs creates an increased potential for internal and external breach. Moreover, as EHRs become populated in local and remote institutions across the country, the incidence of breach ostensibly increases. In the event of a breach, an individual may be exposed to a number of dangers. EHRs contain personal information of high value to computer hackers, such as social security numbers or payment information.[5] Furthermore, an otherwise legitimate entity could potentially use health information in a less nefarious way that nonetheless breaches individual privacy. How can we legally protect privacy while realizing the benefit of electronic health information technology?

The Health Insurance Portability and Accountability Act (“HIPAA”) guards against unauthorized access to protected health information. The HIPAA Security Rule and Privacy Rule require an entity such as a health plan, health care provider, business associate, or health care clearinghouse to safeguard all protected health information. Civil and criminal penalties are enforced against entities that fail to comply. The FDA’s qualified contractors[6] will similarly be subject to HIPAA under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act by 2017.[7] Therefore, the entire electronic network of EHRs will be covered by the Privacy Rule and the Security Rule. Within covered entities, protected health information is to be stored with any security measure that allows an entity to reasonably and appropriately implement all safeguard requirements. The Security Rule permits a covered entity to use firewalls and other access controls (such as passwords) to safeguard PHI in its electronic form. Without this intangible structure protecting EHRs, unauthorized parties could easily access PHI, and PHI could easily flow out to any individual, device, or system that interoperates with EHR databases. The HIPAA Security Rule therefore assures that a covered entity is reasonably protecting an individual’s privacy by safeguarding personal health information.

Firewalls and other reasonable access controls are not impermeable. Earlier this year, an ultra-sophisticated attack on Google penetrated the multi-billion dollar corporation, causing it to later withdraw from China. Merck & Co. and Cardinal Health Inc. were among others infiltrated in the attack. The extent of information exposed is still not fully understood. Thus, breaches occur even where reasonable and appropriate safeguards are required. The access controls required by the HIPAA Security Rule are not sufficient to protect a vast network of interoperable EHRs. Further data encryption and/or secure data destruction will eventually be required to protect individual privacy.

Pursuant to the Privacy section of the HITECH Act, Title XIII Division A, Subtitle D, the Department of Health and Human Services (“HHS”) was required to promulgate breach notification rules and regulations for unsecured protected health information (“Breach Rule”). HHS issued a final rule, effective September 23, 2009, requiring all entities and business associates covered under HIPAA to provide notification in the case of a breach of unsecured protected health information. Presumably, an individual who is made aware that his personal information was compromised is better equipped to mitigate identity theft or other harms that could arise.

The provisions in Section 13402 of the HITECH Act are consistent with HIPAA definitions of a “covered entity” and “protected health information.” The Act defines breach as the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security of that information. In other words, if a firewall or reasonably appropriate access control is breached — a covered entity must report that breach to all of the individuals affected. Importantly, notification of breach is only required for unsecured personal health information. If a covered entity is in the practice of encrypting and/or destroying PHI in accordance with the National Institute of Standards and Technology (NIST), then that entity does not have to report a breach of their firewalls or access controls. It is only necessary to provide notice if “unsecured protected health information that is not secured through the use of technology or methodology specified…” is breached. The rationale is obvious. If a covered entity encrypts PHI in accordance with NIST standards, then the data is unusable in the event of a breach, and notification would be superfluous.

Consequently, a covered entity has two choices: (1) secure all EHRs that contain PHI; or (2) report breaches of PHI. The Breach Rule encourages covered entities to take the former approach. To secure EHRs that contain PHI, an entity must regularly perform two standard procedures. First, the NIST published standards recommend a “one pass” method of data deletion for most applications.[8] When electronic data is deleted, it is only removed from the file system. The “image” of the data physically remains on the hard drive of the device. Software and hardware methods of recovering deleted data are available to the public. Therefore, “deleted” PHI data could be recovered by an unauthorized entity in the event of a breach. The NIST recommends that one data overwrite be performed on the deleted data, so as to render it unrecoverable. Depending on the method used and the size of the database, data deletion can take up to an hour.

Second, and perhaps less straightforward, the NIST recommends data encryption using one of the following four methods: full disk encryption; volume encryption; virtual disk encryption; or file/folder encryption.[9] The capital expenditure necessary to install and maintain encryption software and hardware throughout a covered entity is immense. Furthermore, encrypting millions of EMRs will tax computer processors and networks, and will additionally hamper interoperability. When data is encrypted it loses all functionality, and therefore must be decrypted by the authorized end-user before each use. It would be additionally problematic to transfer encrypted data throughout an electronic network, like that contemplated by the FDA, unless all systems were equipped to recognize and decrypt the data. Thus, under any of the encryption methods above, the net result is a loss of productivity and interoperability. Moreover, encrypted data may not mean secure data. The end-user authorized to access encrypted data will likely decrypt it during the course of a work day. Therefore, so-called encrypted PHI would be exposed to the same daily risks as unsecured PHI. Consequently, the nature of data encryption may not even provide the security and privacy that the Breach Rule contemplates.
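As an added illustration of the first procedure above (the one-pass overwrite of deleted data), here is example code written for this post, not taken from NIST or the author: it overwrites a record file in place with zeros, forces the write to storage, and only then unlinks it. The temporary file name and the sample record are constructed for the demonstration.

```python
import os
import tempfile
from typing import Tuple

# Constructed sample record, standing in for a de-identified dispensing entry.
SAMPLE_RECORD = b"record=000123;dispensed=2010-03-01;drug=EXAMPLE-DRUG\n"


def overwrite_file(path: str, fill: bytes = b"\x00", chunk_size: int = 1 << 20) -> int:
    """Single-pass overwrite of every byte of `path` with `fill`.

    This is the one-pass overwrite the post attributes to NIST SP 800-88.
    flush() plus fsync() makes the kernel push the new contents to the device
    instead of leaving them in the page cache. Returns the number of bytes overwritten.

    Note: an in-place overwrite only reaches the old data when the storage rewrites
    the same physical location. On flash (SSD) media and on journaling or
    copy-on-write file systems the old copy can survive, which is why whole-disk
    encryption combined with key destruction is the usual alternative there.
    """
    size = os.path.getsize(path)
    block = (fill * (chunk_size // len(fill) + 1))[:chunk_size]
    with open(path, "r+b") as fh:  # r+b: overwrite in place, never truncate first
        remaining = size
        while remaining > 0:
            n = min(chunk_size, remaining)
            fh.write(block[:n])
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())
    return size


def sanitize_and_delete(path: str, passes: int = 1) -> int:
    """Overwrite `path` `passes` times, then remove the directory entry.

    A plain os.remove() only drops the name from the file system; the data blocks
    stay readable with recovery tools until something overwrites them.
    Returns the total number of bytes written across all passes.
    """
    written = sum(overwrite_file(path) for _ in range(passes))
    os.remove(path)
    return written


def demo() -> Tuple[int, bytes, bool]:
    """Write the sample record to a temp file, overwrite it, read back what is left,
    then delete it. Returns (bytes overwritten, leftover contents, file still exists)."""
    fd, path = tempfile.mkstemp(prefix="phi-demo-")  # constructed temp file
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD)
    n = overwrite_file(path)
    with open(path, "rb") as fh:
        leftover = fh.read()  # all zero bytes after the single pass
    sanitize_and_delete(path)
    return n, leftover, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```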

While some covered entities are voluntarily choosing to encrypt and secure PHI, the impracticality and cost of data encryption are prohibitive. Covered entities were allowed 180 days to become compliant with the Breach Rule. That period has expired, and most covered entities have not opted to encrypt PHI. Instead, covered entities have put reasonable systems in place to detect breaches, as required by the Breach Rule. The Breach Rule requires notification without unreasonable delay once a covered entity learns of a breach. A majority of states already had breach notification laws in place, and thus covered entities had respective systems in place to detect and report breaches.

Reporting breaches under the Breach Rule still requires some capital expenditure. In some cases, notification to popular media outlets and the Secretary is required. This notification could potentially detract business and invite legal action. Of greater concern, a major breach and broadcast resulting in legal action may dissuade industry players from adopting EHR systems that could potentially reduce medical error and healthcare costs.[10] However, the burden of encrypting PHI is overwhelming, and perhaps ultimately ineffective. Consequently, the Breach Rule has done little to foster the actual security of PHI. In practice, covered entities merely provide notification of breach. It is unclear how this may or may not benefit a patient whose privacy has been breached. Deploying new EHR technology throughout the healthcare industry presents a risk to individual privacy that is not adequately addressed by the Breach Rule and HIPAA.

Privacy concerns should positively correlate with the volume of online EMRs. Pursuant to the FDAAA, 100 million EHRs will be linked within the FDA’s seminal network by July 2012. The sensitive and valuable nature of robust EHR databases will likely attract the attention of unauthorized parties around the world, and should therefore warrant a heightened level of security. Within two years, encryption technology may prove to be significantly smarter, cheaper, and more efficient. The concerns that bar covered entities from adopting data encryption may be lifted. While absolute data security is not likely attainable under any standard, software operating systems that integrate on-the-fly encryption would be ideal and foolproof. Rules and regulations should proportionately reflect advances in computer technology and the quantity of EMRs over the next two years. To protect public privacy and trust in our healthcare system, all PHI should eventually be encrypted by covered entities and their business associates.


[1] Hoffman and Podgurski, Finding a Cure: The Case for Regulation and Oversight of Electronic Health Record Systems, 22 Harv. J. L. & Tech. 103.

[2] Id. at

[3] Id. at

[4] Food and Drug Administration Act of 2007 (FDAAA), 21 U.S.C. 355(k)(3).

[5] See Hoffman, supra note 1, at 113.

[6] 21 U.S.C. 355(k)(3). A qualified contractor is similar to a business associate. The FDA contracts with entities that are deemed “qualified” within the meaning of the Act.

[7] See, HITECH, Pub. L. No. 111-5 Section 13401 and 13404.

[8] NIST Special Publication 800-88, available at http://csrc.nist.gov.

[9] NIST Special Publication 800-111, available at http://csrc.nist.gov.

[10] See Hoffman, supra note 1, at 104.


Recent Developments in the Implementation of the Patient Safety and Quality Improvement Act of 2005

April 25, 2010 by Guest Blogger · Leave a Comment
Filed under: Health Law, Medical Malpractice 

By Jeanine Juillet

Semaphore signal for error. Image by Denelson83 via Wikimedia

In 2000 the Institute of Medicine (IOM) published a report entitled “To Err is Human: Building a Safer Health System.” The report estimated that as many as 98,000 people die in America each year due to medical errors.  In order to combat this problem, the IOM recommended that providers should voluntarily report errors and the results should be evaluated to discover weaknesses in the health care delivery system in the United States.

Congress responded to this appeal for reform by passing the Patient Safety and Quality Improvement Act of 2005.  The Act calls for voluntary and confidential self-reporting by health care providers and creates independent local or regional Patient Safety Organizations (PSOs) to collect and analyze safety events in the hope of uncovering problems with the current system. Hospitals, physicians or other health care professionals submit reports, memoranda, analyses, or written or oral statements referred to as a patient safety work product (PSWP), describing adverse events. PSWP may include details identifying the providers involved in the event as well as protected patient information as defined by the Health Insurance Portability and Accountability Act (HIPAA). Based upon an assessment of the data, PSOs develop insights into underlying problems contributing to patient safety events. Moreover, in order to aggregate data on a larger scale, the Act provides for the establishment of a Network of Patient Safety Databases (NPSD); PSOs contribute PSWP information after removing patient and provider identifiers before submission to the NPSD. The database includes definitions and reporting formats in order to facilitate analyses of information. Through use of the NPSD, large volumes of data are available in order to rapidly identify patterns with the goal of developing strategies to avoid, mitigate or eliminate risks and hazards in the delivery of patient care nationally.

The success of the Act depends on providers voluntarily reporting medical errors. To this end, the Act includes federal privilege and confidentiality protections for PSWP. This protection alleviates provider concerns that reported information will be used against them in civil and criminal actions, specifically medical malpractice litigation. Further, the Act forbids disciplinary actions as a result of a provider’s report. In order to ensure confidentiality of patient information, the Office for Civil Rights (OCR) will investigate allegations of violations, and the HHS Secretary has the power to impose a civil money penalty (CMP) of up to $10,000 per violation.

The Act vests oversight responsibilities in the Health and Human Services (HHS), Agency for Healthcare Research and Quality (AHRQ). The Patient Safety and Quality Improvement Final Rule (Patient Safety Rule), the regulation implementing the Act, was published on November 21, 2008 and became effective on January 19, 2009. The Patient Safety Rule provides a framework for PSOs by identifying 15 distinct statutory criteria that an organization must meet before it is qualified by the AHRQ. These public or private entities do not receive federal funding to fulfill this role and cannot be a health insurance issuer or be owned, managed or controlled by a health insurance issuer. Additionally, employees of PSOs must have expertise in analyzing patient safety events. The Patient Safety Rule also authorizes AHRQ to conduct PSO site visits to assess continued compliance with the eligibility requirements.

Supporters are excited that specialized organizations will be analyzing providers’ adverse events in order to identify common patterns that will minimize risks associated with health care delivery. Not only will this save lives, it will also reduce health care costs. Medical mistakes are expensive and needlessly waste resources. The Act also encourages the submission of information by providing protection for reporters from legal liability and professional sanctions. Additionally, it protects the patients by requiring that all information submitted to the database comply with HIPAA regulations. Further, the NPSD represents the largest effort to collect data from various providers across the country and the immense amount of information gathered may be able to identify improvements that could not be identified otherwise.

Opponents of the Act are particularly critical of the exceptions to the Patient Safety Work Product protections, including the disclosure exceptions. It remains to be seen how broadly these exceptions will be interpreted, since the Act has a limited history. Additionally, by not offering federal funding for PSOs and by forbidding insurance companies from providing capital, the source of revenue to support these organizations is uncertain. Providers are also skeptical that standardized data gathered by PSOs will be effective in curtailing medical errors, or that PSOs will be able to provide useful information for various provider structures (i.e., hospitals, doctors’ offices, etc.) in states across the country. Critics also argue that the existing state organizations, which currently collect this information, are likely to be more effective than PSOs. On the other hand, such peer review protections are limited in their scope and do not offer the same confidentiality protection.

Another area as yet to be defined is the overlap between this initiative and FDA measures to evaluate drug effects in a more thorough and timely manner. These latter initiatives include the Observational Medical Outcomes Partnership (OMOP), which will assess the feasibility of using a range of analytical methods against multiple data sources to evaluate safety events. Moreover, through the Sentinel initiative, claims databases and electronic health records will be integrated nationally, linking data from 25 million patients by July 1, 2010 and 100 million by July 1, 2012. Thus, both OMOP and the Sentinel Network taken together may be used to identify and evaluate safety risks for marketed products. These initiatives, while focused on drug and device safety, will need to be integrated with similar data generated from the NPSD.

The underlying purpose of the Act — to collect data and identify weaknesses in the health care system — is an unprecedented and laudable goal. However, it is unclear whether the Act will achieve its stated goals. The rules establishing a critical element of the Act, PSOs, have only been in effect for little more than a year. The success of the Act requires more time for implementation in order to adequately assess the effectiveness of this ambitious effort.


HIPAA, The HITECH Act, and How Google May Still Be Able to Distribute, and Profit From, Your Personal Health Info

August 6, 2009 by Jordan T. Cohen · 7 Comments
Filed under: EMR, Electronic Medical Records, IT 

Photo by Jonathunder

Below I will explore what seems to be a gaping hole in the HITECH Act. However, as with any new legislation, it is often necessary to reexamine the laws that preceded it, which in this case is HIPAA.  This is particularly true given that the HITECH Act does not replace HIPAA. Rather, it provides–amongst other things–additional security and privacy safeguards with respect to health information. To that extent,  at least a cursory reexamination of HIPAA is required before understanding HITECH and the importance of comprehensive legislation.

HIPAA was a product of the 1990’s–an era triggering nostalgic memories of grunge music for some, and the (in)famous Macarena dance for others. For a large part of this period, the Internet was accessed by a handful of tech-savvy individuals who dialed into services like CompuServe, Prodigy, and AOL. It was during this transition that Congress felt the need to make health insurance more portable, as well as to standardize the variegated electronic systems that were conducting nonstandard healthcare-related transactions. There was a concomitant concern that health information needed better protection. Thus, in 1996 Congress adopted the Health Insurance Portability and Accountability Act (HIPAA), giving HHS the responsibility to enforce it. However, the regulations enforcing privacy and security of health information would not be implemented until years later.

HIPAA’s Privacy Rule, which describes the appropriate use and disclosure of certain health information, came into force on April 14th, 2001, was updated in 2002, and required compliance by April of 2003. The Security Rule, which establishes the policies and best practices for securing health information, came into force in 2003. Thus, the Privacy and Security Rules (referred to below as HIPAA) came to life in a period of technological transition. New technologies like residential broadband Internet access and Wi-Fi networks were becoming the norm. Electronic Health Record (EHR) systems had been developed, but had only marginal penetration within certain academic medical centers and government entities. Consequently, the threats to patient privacy from early EHRs were much smaller than they are today, since these systems were not widespread and did not often share data over disparate regions. Thus, access to the systems was not necessarily available outside of the intranets where the servers were located.

Acronyms of HIPAA & HITECH (see 160.103 for regulatory language)

| Acronym | Phrase | General Definition |
| --- | --- | --- |
| PHI | Protected Health Information | Any oral or recorded information relating to any past, present, or future physical or mental health of an individual, the provision of healthcare to the individual, or the payment for the healthcare of that individual. |
| CE | Covered Entity | A group of entities whose use, disclosure, and protection of PHI is regulated by HIPAA and HITECH. CEs are comprised of: (1) health care providers (e.g. physicians) that submit transactions electronically; (2) health care plans (e.g. HMOs); (3) health care clearinghouses (public or private entities, including a billing service, repricing company, community health management information system, etc., that process or facilitate the processing of health information received from another entity from nonstandard form into standard form, or from standard form to nonstandard form). |
| BA | Business Associate | Individuals or organizations performing an activity involving the use or disclosure of PHI on behalf of the CE. BAs can include attorneys, accountants, shredding companies, billing companies, or any other person or organization that is not a CE but which is accessing a CE’s PHI. |
| EHR | Electronic Health Record | An electronic record of patient care comprised of information about the delivery of care, including demographic information, medications, diagnoses, etc. |
| PHR | Personal Health Record | An electronic record of patient care comprised of much of the same information that an EHR is comprised of, but which is created and maintained by the individual (usually a patient) as opposed to a provider. Prominent examples are Google Health and Microsoft HealthVault. |

Given the historical context of HIPAA’s passage, it is easy to appreciate HIPAA’s missteps in not specifically  focusing on EHRs or PHRs.  Rather, HIPAA regulates protected health information at a broader level, focusing primarily on the “use and disclosure” of PHI by CEs, and the best practices and policies for securing the PHI itself.   To be fair, the Security Rule does focus on PHI that is stored and transmitted electronically. However, even the most stringent best practices and policies are useless if the corresponding privacy regulations are inadequate.

But the times they are a-changin’–sort of.

Buried on page 112 of the American Recovery and Reinvestment Act (ARRA)–also known as the Stimulus Bill–is Title VIII of the bill, known as the Health Information Technology for Economic and Clinical Health Act, or more commonly, the HITECH Act. One (of the many) purposes of the HITECH Act is to fill in the gaps that have emerged since the Privacy and Security rules came into force.  But like before, we are in a transition period. Whereas HIPAA’s passage coincided with a period of generalized transition towards digital information, HITECH has coincided with its own transition: the implementation of personal health records (PHRs). Unfortunately, the current HITECH Bill and regulations have serious flaws in how they protect patient information stored in PHRs. However, before discussing the problems, it is only fair to discuss the benefits to privacy and security that HITECH’s passage has provided.

Specifically, HITECH introduces breach notification requirements. HITECH’s provisions govern the procedures which CEs and BAs must follow if health information has been compromised. HITECH also empowers the FTC to promulgate regulations pertaining to the notification procedures of PHR vendors (as well as those who offer services to PHR vendors). The FTC’s proposed breach notification requirements can be found here. Thus, CEs, BAs, and PHR vendors are, for the first time, required by law to notify individuals if their unsecured PHI has been accessed by unauthorized individuals.  Surprisingly, this was not required under HIPAA. CEs were obligated to notify individuals only insofar as the CEs were required by HIPAA to mitigate damages. But now, with the passage of HITECH, breach notification is no longer amorphous, but is spelled out in detail in HITECH’s regulations.

Additionally, HITECH requires BAs to abide by many of the same privacy and security requirements that CEs have had to abide by. Before HITECH, a BA, such as an attorney reviewing the PHI of a CE, was required to sign an agreement promising to protect the PHI that they were accessing, but were not themselves regulated by HIPAA. Thus, BAs had only contractual liability to the CE if the BA violated the rules of the agreement. On the other hand, if a CE violated HIPAA, it was subject to specific penalties and fines by the government.

Under HITECH, BAs must now comply with much of the Privacy and Security Rule, and face many of the same penalties and fines if they violate HIPAA regulations. That is, BAs are now accountable to the government if they improperly use or disclose PHI, or fail to adequately secure PHI.

HITECH also offers other benefits, such as increased enforcement of violations, a strengthening of the requirement that only the minimum necessary information is disclosed to other CEs or BAs, a more thorough framework for accounting for uses and disclosures, as well as certain prohibitions on the sale of PHI.

The last benefit of HITECH–the prohibition on the sale of PHI–is a perfect springboard for discussing the potential pitfalls of HITECH. The benefits of HITECH may well be sufficient to shore up HIPAA’s gaps when it comes to regulating CEs and BAs. However, as HITECH’s regulatory language makes clear, there remains a gaping hole:

(d) Prohibition on Sale of Electronic Health Records or Protected Health Information-

(1) IN GENERAL- Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization

The emphasis is added to underscore that PHRs are not included in this provision. There are no corresponding provisions in the FTC’s proposed regulations, which concern breach notification. The upshot of this is that, as of the date of this posting, PHR services like Google Health and Microsoft HealthVault are not subject to this prohibition, nor is there a provision in HITECH mandating that PHRs comply with HIPAA’s Privacy and Security Rules. Therefore, PHR vendors can use, disclose–and possibly even sell–an individual’s health information outside of the HIPAA and HITECH regulations. This problem underscores a larger issue: PHRs are not regulated by HIPAA, and are only regulated by HITECH insofar as the FTC’s interim rule requires certain breach notification procedures.
