As if physicians didn’t have enough to concern themselves with regards to HIPAA, new healthcare legal guidelines are about to make things much more complicated. But first, let’s take a closer look at the regulations regarding the protection of patient information.
Legislation. HIPAA (the Healthcare Information Portability and Accountability Act) has provisions requiring the safeguarding of “protected health information” (PHI). Specifically, this sets out the rules for encryption of the data so that if it falls in the wrong hands, the information is safe and sound. Fair enough. But what kinds of data are covered under this definition? We’ll discuss that a bit later.
Enter the HITECH Act (Health Information Technology for Economic and Clinical Health), part of the American Recovery and Reinvestment Act or Stimulus Bill of 2009. With it comes another set of verbiage regarding protection of PHI data. Now, the HITECH Act itself doesn’t require encryption of the data. It specifies the kinds of encryption that makes the data secure. For guidance on the specific requirements, HITECH punts back to HIPAA.
But what HITECH has done is to allow for sizeable increases in fines for violating provisions of HIPAA for not only “covered entities” such as medical practices, but also for what are known as business associates, those entities such as medical supply vendors who work with covered entities. Practices should be careful with whom they make formal contractual agreements, specifically if those parties have any access to patient information; any infringement on the part of a business associate may bring investigators to your front door.
HITECH also sets more stringent provisions for what are known as breach notifications. Entities who have had data compromised are required to advise patients if there has been any kind of unauthorized acquisition, access, use or disclosure of their “unsecured” PHI. Unsecured in this case is defined as information not protected by technology that renders it unreadable or indecipherable.
Enforcement. The HITECH Act has also amended the HIPAA regulations to allow for enforcement and prosecution through the Department of Health and Human Services’ Office of Civil Rights (OCR). They can levy fines from $100 to $50,000 per violation, and up to $1.5 million per calendar year. And through this office, the States Attorneys General have been given clear authority to prosecute healthcare providers for “criminal penalties” – and they get to keep part of the collected fines.
The problem is that there is much discrepancy between the two pieces of legislation concerning not only what information must be protected but also how that is to be accomplished. And the statutes have not quite caught up with the legislation. But for those who believe that this is just a bunch of bluster, a precedent has already been set: a UCLA researcher who was a licensed surgeon in China was sentenced to four months in jail for illegally accessing patient electronic records.
What data needs protecting?
A critical debate is brewing regarding which kinds of data need to be encrypted, or protected with certain security protocols. This is because the two pieces of legislation mentioned above don’t quite agree. To make matters worse, the technical terminology that they use is not used by experts in the computer industry.
In general, data that is going from one place to another needs to be protected. This is easy enough to understand. If someone who is unauthorized were to intercept this information, the privacy of the data would be compromised. But this is where things get complicated: who decides what information is vulnerable to a breach?
According to the National Institutes of Science and Technology (NIST), information on external storage media such as backup tapes or flash memory sticks is considered data-at-rest. Since this information can be physically taken from one place to another, it runs the risk of being compromised, and so it must be encrypted. This makes sense.
This refers to information traveling from one point to another, usually between distinct networks. Think about electronic transactions between a hospital and an insurance company, or between two financial institutions. The problem is that some interpret the HIPAA data requirements to include data that is ‘traveling’ within a local area network (LAN). And this would include local networks within a medical practice containing the practice management and electronic medical records systems.
Others argue that the data that is flowing on a local network is under the control of the practice. Therefore, the assumption is that this data need not be encrypted when going from one practice computer to another. The system is protected from unauthorized users by passwords and other security measures.
And further confusing still, there are others that say the data in your network is data-at-rest and for that reason it should be encrypted.
The bottom line is that there is no definitive ruling on how data on a local network should be treated. And unfortunately, there will need to be some sort of statutory ruling before medical practices know for sure.
Regardless of its classification, if all of the data on a medical practice’s local network (LAN) falls under the requirements for protected information, this would undoubtedly be an onerous proposition. It would be prohibitively expensive for a medical practice if it had to encrypt their LAN information not only in terms of the additional hardware and software needed but also in terms of processor and memory ‘overhead.’ Even if a practice could afford to do it, their network may slow down to a crawl.
What should a practice do?
The best and safest option for the time being is to go for the “low-hanging fruit.” Any data that is contained on portable media – CDs, tapes, thumb drives or memory sticks – needs to be encrypted. This is simple enough to do. However, there will be challenges in terms of pushback from physicians and staff who are used to simply plugging in a USB device in a practice computer without taking any precautions.
Information transmitted from the practice to another entity – clearing houses, insurance companies, etc. – are generally already encrypted nowadays by default. Apart from that, medical practices should stay abreast of the news concerning security of protected health information in order to steer clear of the law.