Risking OCR and Patient Ire, Many CEs Don’t Comply With Patient Access Rules

June 2014 Volume 14 Issue 6
aishealth.com

REPORT ON PATIENT PRIVACY delivers timely news and business strategies for safeguarding patient privacy and data security.

In apparent defiance of final HITECH regulations, many HIPAA covered entities (CEs) are not offering patients the option of receiving an electronic copy of their medical records, let alone in the “form and format” of their choosing, as has been required since January 2013.

Some are imposing fees for copies and applying limits on what they will provide that do not appear to be in line with regulations. Health systems with multiple hospitals have implemented the access requirements inconsistently across their medical centers, meaning some may be in compliance while others are not.

All of this is evident on the websites of covered entities, in their pages that outline the policies and procedures for patients to obtain their protected health information (PHI) — so officials from the Office for Civil Rights (OCR) can readily see it also. An OCR spokeswoman tells RPP “we can and we have” brought enforcement actions against CEs who violate the access requirements.

Patient advocates, medical records providers, privacy experts and others also tell RPP of a multitude of likely unlawful hoops imposed by CEs that people are jumping through to try to get their records.
“Unless you are behind the curtain like I am or unless you start finding the right stones to turn over, you don’t ever get to see the horror show that really exists in various degrees across the country,” says Chris Carpenter, director of operations for Diversified Medical Record Services, Inc. (DMRS), a business associate that processes records requests for hospitals and physicians offices nationwide.

To view the full article, please visit Risking OCR and Patient Ire, Many CEs Don’t Comply With Patient Access Rules

Don’t Let EHR Vendors Own Your Data

“In a recent blog posting, John Moore and Rob Tholemeier of Chilmark Research ask the question: ‘Who’s Data is it Anyway?’ Your electronic health records data is not the property of your vendor and there are things you can do about it, they contend.”

To view the full article, please visit: Don’t Let EHR Vendors Own Your Data

Biggest Data Security Threats Come From Inside

PCWorld shared details about a new report showing that “insiders” are the top source of breaches over the last 12 months: 36% of breaches result from “inadvertent misuse of data by employees.” The article goes on to say that, “Obviously, the issue here is ignorance” due to lack of proper training on how to remain secure at work. Additionally, businesses must be able to see what’s happening with their networks; they must pay attention to what’s happening within the company and going out, as well as what’s happening outside the company and coming in.

Bottom line: People need guidance, prevention is key, and patients must have a way to see who all has accessed their information and when it’s been disclosed.  (Read more about PPR’s comments on Accounting of Disclosures here.)

Read the full article here.

FTC Files Complaint Against LabMD for Failing to Protect Consumers’ Privacy

The public would be surprised how little thought or money healthcare businesses put into data security.  LabMD is probably just one of thousands of healthcare businesses that don’t encrypt patient data and whose employees who use file-sharing apps to download music, etc, exposing patient records online.

We need new laws that require businesses that hold health data to be audited to prove they protect it.

Shouldn’t businesses have to prove they use tough data security protections before they are allowed to handle sensitive health information?

To view the full article, please visit: http://www.ftc.gov/opa/2013/08/labmd.shtm

Re: Health Industry Under-Prepared to Protect Patient Privacy, Says PwC Report

In response to the Security Week article: Health Industry Under-Prepared to Protect Patient Privacy, Says PwC Report

The US is facing an unprecedented privacy crisis. The healthcare industry is extremely negligent about protecting data security and privacy (patient consent). At the same time 3/4 of the healthcare industry further risks patient privacy by selling or intending to sell data for secondary uses. Data theft and sales are driven in large part because, “Digitized health data is becoming one of the most highly valued assets in the health industry.”

  • Sixty-one percent of pharmaceutical and life sciences companies, 40 percent of health insurers, and 38 percent or providers currently share information externally. Of those organizations that share data externally, only two in five pharmaceutical and life sciences companies (43 percent) and one in four insurers (25 percent) and providers (26 percent) have identified contractual, policy or legal restrictions on how the data can be used.
  • Most corporations using patient data lack an effective consent process, “Only 17 percent of providers, 19 percent of payers and 22 percent of pharmaceutical/life sciences companies have a process in place to manage patients’ consent for how their information can be used.”

It’s a double whammy—not only is sensitive health information at high risk of misuse, sale, and breach INSIDE healthcare organizations, it’s also sold to OUTSIDE organizations that lack effective security and privacy measures.

  • “Nearly three quarters (74 percent) of healthcare organizations surveyed said they already do or intend to seek secondary uses for health data; however, less than half have addressed or are in the process of addressing related privacy and security issues.”

PriceWaterhouseCoopers surveyed 600 executives from US hospitals and physician organizations, health insurers, and pharmaceutical and life sciences companies. Data security and privacy practices were abysmal despite new enforcement efforts by the Administration, and despite hundreds of major data breaches compromising the privacy of millions of Americans.

Why aren’t Congress and the public outraged that the privacy and security of health information is so bad? If the banking industry operated like this there would be MAJOR oversight hearings and new laws.

The idea that today’s electronic healthcare systems and data exchanges safeguard health data is simply wrong. Clearly federal and state oversight and penalties for failure to protect the most sensitive personal data on earth need to be increased.

Re: HIPAA Auditor Involved in Own Data Breach

OCR’s contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive.

You can read the full story at Health Leaders Media, “HIPAA Auditor Involved in Own Data Breach.”

KPMG absolved itself of doing any harm:

  • “KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,”
  • “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person.”

Then KPMG prescribed its own remedy:

  • “KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”

Why didn’t OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits.

This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches.

Time for Congressional oversight?