It’ll Never Happen To Me…

This week one of our customers experienced a “happy ending” to a very unhappy story. We thought we would share it with you.

They were sure they had a good backup. When their server hard drive crashed, they were distressed but not terrified. Instead of dealing with the loss of all their data, it merely meant that they would need to get a new server and have someone spend time rebuilding the hard drive from installation CDs and all of the backed up data.

That’s when reality set in. Their consultant technician installed our software onto their new server from a CD and went to restore the data. The data folder was empty. He was unable to recreate his client’s practice management data from a usable backup. That is also when the customer’s panic started.

I don’t know if you have ever considered this scenario for your organization. After all, your IT specialist set up a tape or external drive backup for you and the system automatically backs up every day. Sometimes there is a strange error message on the monitor when you remove the tape or you get an email that says an error has occurred, but you don’t really have time to pursue it.

Have you ever tried restoring from one of your recent backups? Do you know that the data are usable? If someone in your organization has never restored one of your current backups to your system and made sure the restored data worked, then your backup process is incomplete and you are at risk for the same kind of upset our customer experienced this week.
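A test restore is the kind of check that can be scripted and run after every backup job. The script below is an added example, not code from the original post or from the author's product; it assumes the backup job writes a tar archive plus a manifest of SHA-256 checksums taken from the live data folder before archiving. All sample data in it is constructed: a good backup, an "empty" backup like the one in the story, and one with a truncated file, to show which of the three a test restore accepts.

```shell
#!/bin/sh
# Added example (not from the original post): a "test restore" check for a tar
# backup. Assumed layout: the backup job writes ARCHIVE.tar plus a manifest of
# SHA-256 checksums taken from the live data folder before archiving. All
# paths and sample files below are constructed for the demonstration.
set -u

# hash_file FILE: print the SHA-256 hex digest (sha256sum on Linux, shasum elsewhere).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# make_manifest DIR OUT: one "<sha256>  <relative path>" line per file under DIR.
make_manifest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done ) > "$2"
}

# test_restore ARCHIVE MANIFEST: extract into a scratch directory and verify
# every manifest entry. Returns 0 only when the restore is complete and every
# file hashes as expected. An archive that extracts to nothing is a failure,
# which is exactly the "data folder was empty" surprise described above.
test_restore() {
  archive=$1; manifest=$2
  scratch=$(mktemp -d) || return 2
  if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
    echo "FAIL: $archive could not be extracted"; rm -rf "$scratch"; return 1
  fi
  expected=$(wc -l < "$manifest" | tr -d ' ')
  if [ -z "$(find "$scratch" -type f | head -n 1)" ]; then
    echo "FAIL: restored data folder is empty"; rm -rf "$scratch"; return 1
  fi
  bad=0
  while read -r sum path; do
    if [ ! -f "$scratch/$path" ]; then
      echo "MISSING: $path"; bad=$((bad + 1)); continue
    fi
    if [ "$(hash_file "$scratch/$path")" != "$sum" ]; then
      echo "CORRUPT: $path"; bad=$((bad + 1))
    fi
  done < "$manifest"
  rm -rf "$scratch"
  if [ "$bad" -ne 0 ]; then
    echo "FAIL: $bad of $expected files missing or corrupt"; return 1
  fi
  echo "OK: $expected files restored and verified"
  return 0
}

# build_fixtures DIR: constructed sample data plus three backups of it:
#   good.tar  - complete backup taken right after the manifest was written
#   empty.tar - the job ran, but the folder it archived was empty
#   stale.tar - one file was truncated (a partial write) before archiving
build_fixtures() {
  work=$1
  mkdir -p "$work/data/clients" "$work/empty"
  printf 'id,name\n1,Sample Client\n' > "$work/data/clients/roster.csv"
  printf 'constructed progress note\n' > "$work/data/notes.txt"
  make_manifest "$work/data" "$work/manifest.txt"
  tar -cf "$work/good.tar" -C "$work/data" .
  tar -cf "$work/empty.tar" -C "$work/empty" .
  cp -R "$work/data" "$work/stale"
  : > "$work/stale/notes.txt"
  tar -cf "$work/stale.tar" -C "$work/stale" .
}

# Demonstration: only good.tar should report OK.
demo() {
  work=$(mktemp -d)
  build_fixtures "$work"
  for name in good empty stale; do
    echo "== $name.tar"
    test_restore "$work/$name.tar" "$work/manifest.txt" || :
  done
  rm -rf "$work"
}
demo
```

Run it with `sh test_restore.sh`; only good.tar reports OK, the empty archive fails on the empty-folder check, and the stale one fails on a checksum. Wired into the backup job itself, `test_restore` makes an empty or corrupt archive fail loudly on the day it is produced rather than on the day the server dies.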

Happy ending to this story… a hard drive retrieval company was able to pull data off the crashed drive… at a cost of $7500! Since that certainly played havoc with the budget, this happy ending is really a mixed one.

If you want reminders about backup procedures and our best thinking about what to consider take a look here and here and here and here. We have not written about this as recently as I thought, but data backup is a subject that we try to remind ourselves and our customers about regularly. Please think about and take action about yours.

Also from the ‘It’ll Never Happen To Me’ department… I attended a webinar on the HIPAA and HITECH breach notification requirements a couple of weeks ago. It was given by a company named IDExperts that specializes in guiding companies through the risk assessment process after a breach has occurred. They also have a software product that will walk you through the post-breach risk assessment and track the histories of all breaches. Their take on data security and the risks involved is like this: if you were interested enough to attend the webinar, the question is not if you will experience a data breach, but when. Statements like that always jar me. Since we are not a Covered Entity and have no PHI of our own, I am not too concerned about us experiencing a breach; our procedures are solid and any electronic PHI temporarily in our possession only resides on encrypted computers. Obviously the worry is not small for health care providers, especially large ones.

The concern about the security and privacy of PHI has recently been complicated by HHS’s decision to reconsider the final rule on breach notification. Privacy and security groups were distressed by, and complained to HHS about, the method for deciding whether a release of data presents a risk to the patients involved, and there is speculation that the rule will be made tougher than it was. Up to this time, the organization that experienced the breach has been responsible for determining the severity of the risk to patients caused by the data loss and whether HHS needed to be notified of the breach. HHS did not indicate when a new rule could be expected.

Who in your organization is responsible for verifying that your backups are usable? When was the last time a test restore of crucial data was done? Would you have any idea how to do this; if not, who does? What is your plan of action if protected health information is accidentally released when it should not have been? Are you convinced it’ll never happen to you?

Please share your comments and your experience so all our readers can benefit from best practices on data backup and protection.

Information Overload: TMI

Almost two months passed between my post last week and the last one before that. The combination of family illnesses followed by vacation and recovery from travel put me in a position of being so far behind in the reading I usually do that I could not possibly catch up. My personal inclination was to duck my head and try to ignore the overwhelming sea of information.

I found myself strongly empathizing with practitioners, administrators, and behavioral health care personnel of all stripes who spend their days trying to provide quality mental health services to their patients…and then spend their nights worrying about what has occurred that day that might get in the way of or assist them in doing their job, but not having the time or the energy to pursue that information. Certainly, the information is readily available on the Internet, but who has time.

There have been numerous discussions of the effects of too much information (TMI) on our functioning. In July 2008 Nicholas Carr wrote an article in The Atlantic called Is Google Making Us Stupid? This year he has written a book-length exposition of that subject called The Shallows: What the Internet Is Doing to Our Brains. His thesis is that our brains are literally being changed by the way the Internet is organized. He posits that jumping from one place to another by way of hyperlinks results in shallow pursuit of topics rather than the in-depth exploration of a subject that books allow. In my brief exploration of his book, I found an extremely articulate review and commentary by Venkatesh Rao, who mentioned and hyperlinked to the blog of Jason Kottke, a writer whose name I had heard but had never read. I have just demonstrated an example of Carr’s thesis for you: I got distracted from obtaining support for my original thought by the way the Internet presents information and by the ease of pursuing that linked information.

Back to my original thought…here I am adding one more place where there is a bit more information for you to take a look at…or not. You might find this a convenient place to check for information about behavioral health care and its place in the world-at-large, or you might drop in occasionally just to see if there is anything that interests you.

For those of you checking in for something interesting, here are a couple of tidbits.

  1. ONC (Office of the National Coordinator for Health Information Technology) has published a final rule in which it establishes a temporary certification program for electronic health records as required under HITECH. As reported by Healthcare & Technology blog, this rule should allow progress toward approval of certifying organizations for EMR products.
  2. iHealthBeat reports on release of final rules for “Meaningful Use”. Many observers believe that the easing of requirements for the meaningful use of an electronic health record required to receive stimulus funds made available under HITECH will make it easier for eligible providers to receive funds. Other observers believe that even the easing of the standards will not make it simple for stimulus funds to be acquired, even for those who have already purchased and implemented EMRs.

It appears that life gets more complicated all the time, even if we have information. Since I do believe that knowledge is power, I will keep trying to pass some of what I come across on to you. Thanks for reading. Please let us know what you are thinking about. Just enter your comments below.

Get Out of HIPAA Jail Free

Consider a couple of nightmares that might easily come true:

1. Your laptop, with a variety of documents and files containing confidential, protected health information on its hard drive, is stolen from your car or hotel room, or disappears while you are traveling.

2. Your office is burglarized and all the desktop computers, as well as a server containing your patient database, are stolen.

I ran across the following set of statistics, or very similar ones, repeatedly, most often on web sites of security companies:

  • Every 53 seconds another laptop is stolen in the USA.
  • At least 600,000 laptops are stolen each year in the USA.
  • Hardly any (3%) stolen laptops are ever recovered.
  • Laptop computer theft trails only identity theft as the most common crime.
  • Almost half of all data leaks and breaches are the result of lost or stolen portable computers, according to a study by The Identity Theft Resource Center.
  • Laptops are the number-one item stolen in San Francisco – San Francisco Police Department.
  • The Identity Theft Resource Center’s recent list of 397 significant data breaches so far for the year of 2009 includes 51 healthcare breaches that compromised almost 9 million records.

Most of the sources of these data are trying to sell a security solution of one sort or another, but the vulnerability of laptops, especially in transit, is obvious. I don’t have any statistics for burglaries of computer systems from offices, but I’ll wager that most of you either know of a victim of such a crime, or have been a victim yourself.

Long before HIPAA, health professionals – especially mental health professionals – had a professional responsibility to safeguard the privacy of their patients/clients and the confidentiality of the personal and clinical information in their custody. HIPAA came along and increased our awareness of the special risks of electronic records and communications, defining Protected Health Information (PHI) at a federal level and providing some rules and guidelines for securing PHI stored or transmitted in electronic form. Now the Health Information Technology for Economic and Clinical Health Act (HITECH) has arrived and adds some pretty sharp teeth to HIPAA’s privacy and security rules.

If you need a push to get you to take privacy and security compliance seriously, consider the following from Section 13402 – Notification In The Case Of Breach. (This section is taken from HITECH/HIPAA: Notification in the case of breach at lawtechtv.com, a site I would strongly recommend that you visit.) The bold italics are mine:

13402(a): Covered Entities (CEs) must notify individuals.
13402(b): Business Associates must notify CEs.
13402(d): Notification must be no later than 60 days after discovery.
13402(e): Specific notification methods are required depending on the number of individuals whose PHI was breached.
13402(f): The notification must contain specific content.
13402(h): Unsecured PHI means PHI that is not secured through: 1) encryption; and/or 2) destruction—as provided by HHS guidance. Methods must render PHI “unusable, unreadable, or indecipherable” to unauthorized individuals (see HIPAA Security Rule & NIST standards).

If PHI is secured as per the guidance then providers have a “safe harbor” and the notification requirements are not triggered in case of a breach. Despite the safe harbor, other federal and state PHI laws remain in full force and effect. Any PHI not secured as per the guidance is considered to be unsecured PHI whose breach will trigger the notification requirements.

If over 500 individuals’ PHI has been compromised then the media must be notified and the Secretary of HHS as well.

Breach: “the unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such information, except where an authorized person to whom such information is disclosed would not be able to retain such information.”

Do you really want to have to choose between:

  1. Significant civil penalties (between $100 and $50,000 per violation, up to $1.5 million maximum per incident) and …
  2. Publishing in the local media a notice of your failure to protect your patients’ private information?

Of course not! Why not take advantage of the explicitly defined safe harbor? If the hard drive of that missing laptop has been encrypted, using appropriate technology, then there is no notification requirement at all! The same technology can be applied to every hard drive in your organization, especially the servers on which the bulk of the PHI resides. There are numerous commercial disk encryption approaches available, as well as free, open-source solutions such as TrueCrypt, that would provide you with the protection you want and owe to your patients, all penalties aside.
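One check that belongs with that advice is an inventory of which mounted filesystems are not actually sitting on an encrypted volume, since the safe harbor only covers drives where the encryption was really in place. The script below is an added example, not from the original post or any product named in it; it assumes a Linux host using LUKS/dm-crypt and parses the output of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`. The lsblk output embedded in it is constructed: a laptop-style layout with an unencrypted /boot, a LUKS-backed root, and a plain NTFS data partition.

```shell
#!/bin/sh
# Added example (not from the original post): list mounted filesystems that are
# not backed by a dm-crypt (LUKS) device. Assumes Linux and the fixed column
# order of: lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
set -u

# Constructed lsblk -P output for a laptop with an unencrypted /boot, a LUKS
# root holding an LVM volume, and a plain NTFS data partition.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ntfs" MOUNTPOINT="/mnt/phi" PKNAME="sdb"'

# field KEY LINE: value of KEY="..." in one lsblk -P line. A space is prepended
# so that " TYPE=" never matches inside FSTYPE= and " NAME=" never inside PKNAME=.
field() {
  printf ' %s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

# unencrypted_mounts: lsblk -P output on stdin; prints "MOUNTPOINT FSTYPE NAME"
# for every mounted filesystem whose device is neither a dm-crypt mapper nor a
# direct child of one (only the immediate parent is examined).
unencrypted_mounts() {
  input=$(cat)
  # names of every dm-crypt mapper device; column order is fixed by -o, so NAME is first
  crypt_names=$(printf '%s\n' "$input" | sed -n 's/^NAME="\([^"]*\)" TYPE="crypt".*/\1/p')
  printf '%s\n' "$input" | while IFS= read -r line; do
    mp=$(field MOUNTPOINT "$line")
    if [ -z "$mp" ]; then continue; fi
    if [ "$(field TYPE "$line")" = crypt ]; then continue; fi
    parent=$(field PKNAME "$line")
    backed=0
    for c in $crypt_names; do
      if [ "$c" = "$parent" ]; then backed=1; fi
    done
    if [ "$backed" -eq 1 ]; then continue; fi
    printf '%s %s %s\n' "$mp" "$(field FSTYPE "$line")" "$(field NAME "$line")"
  done
  return 0
}

# Demonstration on the constructed sample: /boot and /mnt/phi are reported, / is not.
printf '%s\n' "$SAMPLE_LSBLK" | unencrypted_mounts
```

On a real host, replace the constructed sample with `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | unencrypted_mounts`; anything it prints that holds PHI is a drive the safe harbor does not cover. Only the immediate parent device is checked, so deeper device stacks need the PKNAME chain walked. Disk encryption of this kind protects data at rest, which is exactly the stolen-laptop and burglary scenarios above; it does nothing for a machine that is powered on and unlocked.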

My previous post regarding encryption resulted in no reader response whatsoever. Does this information about your notification responsibilities make it more likely that you will move forward with data encryption? If not, why not?