Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

Protecting the security of electronic patient data

David Harlow
Tech
January 12, 2010
Share
Tweet
Share

Originally published on HCPLive.com

If your patient records aren’t already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government—as well as by some private payors and self-insured employers—to get all healthcare providers wired in the near future, in order to better coordinate patient care, improve outcomes, and “bend the cost curve” all at the same time. There are some financial incentives in play to achieving “meaningful use” of “certified” EHR systems; those terms are to be defined in federal regulations later this year, but the outlines of those definitions are already pretty clear.

Once all that patient data—or as it is known in HIPAA-speak, protected health information (PHI)—is stored electronically, it becomes exposed to potential data breaches. In late September, two sets of federal regulations took effect that address the way in which PHI should be maintained, and the steps that should be taken to prevent a data breach and to notify the government and affected individuals in the event there is a data breach.

Compliance with these rules— issued under authority of the HITECH Act by the US Department of Health and Human Services (HHS) with respect to healthcare providers, and by the Federal Trade Commission (FTC) with respect to EHR vendors and other similar third parties—requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.

The exposure in case of violation is significant, both in terms of fines and penalties and in terms of bad publicity—certain data breaches require notice to potentially affected individuals via the general media in addition to notices required to be filed with the regulators. The new rules—I call them Son of HIPAA— are layered on top of existing HIPAA privacy and security rules: the FTC’s Red Flags Rule, regarding identity theft protections to be put in place by any “creditor” (which includes healthcare providers not paid in full at the time of service), and state privacy rules. While HHS and FTC took some pains to harmonize the new rules so that patients will not be bombarded with multiple data breach notifications about the same incident, for example, the other applicable rules out there have not been harmonized.

The key concept in the new breach notification rules is that encryption of patient data will eliminate the need to notify patients and the federal regulators in case of an inappropriate release of data. Such a release, if the data is encrypted (ie, unusable, unreadable, or indecipherable), is not considered a breach. Encryption is not required, though, and each affected entity must engage in a cost-benefit analysis before deciding whether to encrypt all affected data.

Another important aspect of the rule is the concept of harm—the regulators decided that not every data breach should trigger all of the notice requirements, just breaches that “pose a significant risk of financial, reputational, or other harm to the individual.” For example, if an employee of a healthcare provider accesses a patient record inappropriately, but immediately realizes his or her mistake, and exits the record quickly and does not retain any PHI, that is not a reportable data breach.

Finally, “business associates” under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of “covered entities” under HIPAA since the beginning. All business associate agreements and notice of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Healthcare providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients’ rights to their records are easily exercised () could be a way to build goodwill among patients and potential patients.

By necessity, this is an extremely brief introduction to a very involved set of regulations. My hope is that you now have a sense of how important it is to be sure that your operations are fully compliant with the regulatory requirements before full enforcement and random field audits begin in February 2010.

David Harlow is a health care lawyer and consultant who blogs at HealthBlawg.

Submit a guest post and be heard.

 

Prev

How sleeping late can lead to depression in teenagers

January 12, 2010 Kevin 2
…
Next

Why I had to fire my primary care doctor

January 12, 2010 Kevin 35
…

Tagged as: Health IT, Patients, Public Health & Policy

Post navigation

< Previous Post
How sleeping late can lead to depression in teenagers
Next Post >
Why I had to fire my primary care doctor

ADVERTISEMENT

More by David Harlow

  • a desk with keyboard and ipad with the kevinmd logo

    The legal landscape of health care social media

    David Harlow
  • a desk with keyboard and ipad with the kevinmd logo

    Why an ACO is essentially an American product

    David Harlow
  • a desk with keyboard and ipad with the kevinmd logo

    Pharmacies selling prescription information to data mining companies

    David Harlow

More in Tech

  • The promise and perils of AI in health care: Why we need better testing standards

    Max Rollwage, PhD
  • 3 tips for using AI medical scribes to save time charting

    Erica Dorn, FNP
  • Would The Pitts’ Dr. Robby Robinavitch welcome a new colleague? Yes. Especially if their initials were AI.

    Gabe Jones, MBA
  • Generative AI 2025: a 20-minute cheat sheet for busy clinicians

    Harvey Castro, MD, MBA
  • Why public health must be included in AI development

    Laura E. Scudiere, RN, MPH
  • Here’s what providers really need in a modern EHR

    Laura Kohlhagen, MD, MBA
  • Most Popular

  • Past Week

    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • How New Mexico became a malpractice lawsuit hotspot

      Patrick Hudson, MD | Physician
    • Why doctors are reclaiming control from burnout culture

      Maureen Gibbons, MD | Physician
    • A world without vaccines: What history teaches us about public health

      Drew Remignanti, MD, MPH | Conditions
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • How the 10th Apple Effect is stealing your joy in medicine

      Neil Baum, MD | Physician
  • Recent Posts

    • From Founding Fathers to modern battles: physician activism in a politicized era [PODCAST]

      The Podcast by KevinMD | Podcast
    • From stigma to science: Rethinking the U.S. drug scheduling system

      Artin Asadipooya | Meds
    • The gift we keep giving: How medicine demands everything—even our holidays

      Tomi Mitchell, MD | Physician
    • The promise and perils of AI in health care: Why we need better testing standards

      Max Rollwage, PhD | Tech
    • From burnout to balance: a neurosurgeon’s bold career redesign

      Jessie Mahoney, MD | Physician
    • Healing the doctor-patient relationship by attacking administrative inefficiencies

      Allen Fredrickson | Policy

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

View 3 Comments >

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

  • Most Popular

  • Past Week

    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • How New Mexico became a malpractice lawsuit hotspot

      Patrick Hudson, MD | Physician
    • Why doctors are reclaiming control from burnout culture

      Maureen Gibbons, MD | Physician
    • A world without vaccines: What history teaches us about public health

      Drew Remignanti, MD, MPH | Conditions
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • Why are medical students turning away from primary care? [PODCAST]

      The Podcast by KevinMD | Podcast
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • Why “do no harm” might be harming modern medicine

      Sabooh S. Mubbashar, MD | Physician
    • Here’s what providers really need in a modern EHR

      Laura Kohlhagen, MD, MBA | Tech
    • How the 10th Apple Effect is stealing your joy in medicine

      Neil Baum, MD | Physician
  • Recent Posts

    • From Founding Fathers to modern battles: physician activism in a politicized era [PODCAST]

      The Podcast by KevinMD | Podcast
    • From stigma to science: Rethinking the U.S. drug scheduling system

      Artin Asadipooya | Meds
    • The gift we keep giving: How medicine demands everything—even our holidays

      Tomi Mitchell, MD | Physician
    • The promise and perils of AI in health care: Why we need better testing standards

      Max Rollwage, PhD | Tech
    • From burnout to balance: a neurosurgeon’s bold career redesign

      Jessie Mahoney, MD | Physician
    • Healing the doctor-patient relationship by attacking administrative inefficiencies

      Allen Fredrickson | Policy

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Protecting the security of electronic patient data
3 comments

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...