Skip to content
  • About
  • Contact
  • Contribute
  • Book
  • Careers
  • Podcast
  • Recommended
  • Speaking
  • All
  • Physician
  • Practice
  • Policy
  • Finance
  • Conditions
  • .edu
  • Patient
  • Meds
  • Tech
  • Social
  • Video
    • All
    • Physician
    • Practice
    • Policy
    • Finance
    • Conditions
    • .edu
    • Patient
    • Meds
    • Tech
    • Social
    • Video
    • About
    • Contact
    • Contribute
    • Book
    • Careers
    • Podcast
    • Recommended
    • Speaking

Protecting the security of electronic patient data

David Harlow
Tech
January 12, 2010
Share
Tweet
Share

Originally published on HCPLive.com

If your patient records aren’t already stored digitally, they are likely to be digitized soon. There is a tremendous push by the federal government—as well as by some private payors and self-insured employers—to get all healthcare providers wired in the near future, in order to better coordinate patient care, improve outcomes, and “bend the cost curve” all at the same time. There are some financial incentives in play to achieving “meaningful use” of “certified” EHR systems; those terms are to be defined in federal regulations later this year, but the outlines of those definitions are already pretty clear.

Once all that patient data—or as it is known in HIPAA-speak, protected health information (PHI)—is stored electronically, it becomes exposed to potential data breaches. In late September, two sets of federal regulations took effect that address the way in which PHI should be maintained, and the steps that should be taken to prevent a data breach and to notify the government and affected individuals in the event there is a data breach.

Compliance with these rules— issued under authority of the HITECH Act by the US Department of Health and Human Services (HHS) with respect to healthcare providers, and by the Federal Trade Commission (FTC) with respect to EHR vendors and other similar third parties—requires affected practices and businesses to assess and update their data privacy and security policies and procedures, as well as train all affected staff accordingly.

The exposure in case of violation is significant, both in terms of fines and penalties and in terms of bad publicity—certain data breaches require notice to potentially affected individuals via the general media in addition to notices required to be filed with the regulators. The new rules—I call them Son of HIPAA— are layered on top of existing HIPAA privacy and security rules: the FTC’s Red Flags Rule, regarding identity theft protections to be put in place by any “creditor” (which includes healthcare providers not paid in full at the time of service), and state privacy rules. While HHS and FTC took some pains to harmonize the new rules so that patients will not be bombarded with multiple data breach notifications about the same incident, for example, the other applicable rules out there have not been harmonized.

The key concept in the new breach notification rules is that encryption of patient data will eliminate the need to notify patients and the federal regulators in case of an inappropriate release of data. Such a release, if the data is encrypted (ie, unusable, unreadable, or indecipherable), is not considered a breach. Encryption is not required, though, and each affected entity must engage in a cost-benefit analysis before deciding whether to encrypt all affected data.

Another important aspect of the rule is the concept of harm—the regulators decided that not every data breach should trigger all of the notice requirements, just breaches that “pose a significant risk of financial, reputational, or other harm to the individual.” For example, if an employee of a healthcare provider accesses a patient record inappropriately, but immediately realizes his or her mistake, and exits the record quickly and does not retain any PHI, that is not a reportable data breach.

Finally, “business associates” under HIPAA are now required to implement policies and procedures to maintain privacy and security of PHI, parallel to those that have been required of “covered entities” under HIPAA since the beginning. All business associate agreements and notice of privacy practices (NPPs) will have to be updated to account for the new requirements before February. Healthcare providers that wish to distinguish themselves should consider revising their NPPs to highlight the ease with which they will make copies of records available to patients. This is a bone of contention for many patients, and ensuring that patients’ rights to their records are easily exercised () could be a way to build goodwill among patients and potential patients.

By necessity, this is an extremely brief introduction to a very involved set of regulations. My hope is that you now have a sense of how important it is to be sure that your operations are fully compliant with the regulatory requirements before full enforcement and random field audits begin in February 2010.

David Harlow is a health care lawyer and consultant who blogs at HealthBlawg.

Submit a guest post and be heard.

 

Prev

How sleeping late can lead to depression in teenagers

January 12, 2010 Kevin 2
…
Next

Why I had to fire my primary care doctor

January 12, 2010 Kevin 35
…

Tagged as: Health IT, Patients, Public Health & Policy

Post navigation

< Previous Post
How sleeping late can lead to depression in teenagers
Next Post >
Why I had to fire my primary care doctor

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

More by David Harlow

  • a desk with keyboard and ipad with the kevinmd logo

    The legal landscape of health care social media

    David Harlow
  • a desk with keyboard and ipad with the kevinmd logo

    Why an ACO is essentially an American product

    David Harlow
  • a desk with keyboard and ipad with the kevinmd logo

    Pharmacies selling prescription information to data mining companies

    David Harlow

More in Tech

  • How Mark Twain would dismantle today’s flawed medical AI

    Neil Baum, MD and Mark Ibsen, MD
  • 9 domains that will define the future of medical education

    Harvey Castro, MD, MBA
  • Key strategies for smooth EHR transitions in health care

    Sandra Johnson
  • Why flashy AI tools won’t fix health care without real infrastructure

    David Carmouche, MD
  • Why innovation in health care starts with bold thinking

    Miguel Villagra, MD
  • How self-improving AI systems are redefining intelligence and what it means for health care

    Harvey Castro, MD, MBA
  • Most Popular

  • Past Week

    • Why Medicaid cuts should alarm every doctor

      Ilan Shapiro, MD | Policy
    • When the diagnosis is personal: What my mother’s Alzheimer’s taught me about healing

      Pearl Jones, MD | Conditions
    • 2 hours to decide my future: How the SOAP residency match traps future doctors

      Nicolette V. S. Sewall, MD, MPH | Education
    • Key strategies for smooth EHR transitions in health care

      Sandra Johnson | Tech
    • Reassessing the impact of CDC’s opioid guidelines on chronic pain care [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why removing fluoride from water is a public health disaster

      Steven J. Katz, DDS | Conditions
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • The silent toll of ICE raids on U.S. patient care

      Carlin Lockwood | Policy
    • “Think twice, heal once”: Why medical decision-making needs a second opinion from your slower brain (and AI)

      Harvey Castro, MD, MBA | Tech
    • Why we fear being forgotten more than death itself

      Patrick Hudson, MD | Physician
    • Bureaucracy over care: How the U.S. health care system lost its way

      Kayvan Haddadan, MD | Physician
  • Recent Posts

    • How the shingles vaccine could help prevent dementia

      Marc Arginteanu, MD | Conditions
    • How to survive a broken health care system without losing yourself [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why some doctors age gracefully—and others grow bitter

      Patrick Hudson, MD | Physician
    • Why removing fluoride from water is a public health disaster

      Steven J. Katz, DDS | Conditions
    • What the research really says about infrared saunas

      Khushali Jhaveri, MD | Conditions
    • How the cycle of rage is affecting physicians—and how to break free

      Alexandra M.P. Brito, MD and Jennifer L. Hartwell, MD | Conditions

Subscribe to KevinMD and never miss a story!

Get free updates delivered free to your inbox.


Find jobs at
Careers by KevinMD.com

Search thousands of physician, PA, NP, and CRNA jobs now.

Learn more

View 3 Comments >

Founded in 2004 by Kevin Pho, MD, KevinMD.com is the web’s leading platform where physicians, advanced practitioners, nurses, medical students, and patients share their insight and tell their stories.

Social

  • Like on Facebook
  • Follow on Twitter
  • Connect on Linkedin
  • Subscribe on Youtube
  • Instagram

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

ADVERTISEMENT

  • Most Popular

  • Past Week

    • Why Medicaid cuts should alarm every doctor

      Ilan Shapiro, MD | Policy
    • When the diagnosis is personal: What my mother’s Alzheimer’s taught me about healing

      Pearl Jones, MD | Conditions
    • 2 hours to decide my future: How the SOAP residency match traps future doctors

      Nicolette V. S. Sewall, MD, MPH | Education
    • Key strategies for smooth EHR transitions in health care

      Sandra Johnson | Tech
    • Reassessing the impact of CDC’s opioid guidelines on chronic pain care [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why removing fluoride from water is a public health disaster

      Steven J. Katz, DDS | Conditions
  • Past 6 Months

    • Why tracking cognitive load could save doctors and patients

      Hiba Fatima Hamid | Education
    • What the world must learn from the life and death of Hind Rajab

      Saba Qaiser, RN | Conditions
    • The silent toll of ICE raids on U.S. patient care

      Carlin Lockwood | Policy
    • “Think twice, heal once”: Why medical decision-making needs a second opinion from your slower brain (and AI)

      Harvey Castro, MD, MBA | Tech
    • Why we fear being forgotten more than death itself

      Patrick Hudson, MD | Physician
    • Bureaucracy over care: How the U.S. health care system lost its way

      Kayvan Haddadan, MD | Physician
  • Recent Posts

    • How the shingles vaccine could help prevent dementia

      Marc Arginteanu, MD | Conditions
    • How to survive a broken health care system without losing yourself [PODCAST]

      The Podcast by KevinMD | Podcast
    • Why some doctors age gracefully—and others grow bitter

      Patrick Hudson, MD | Physician
    • Why removing fluoride from water is a public health disaster

      Steven J. Katz, DDS | Conditions
    • What the research really says about infrared saunas

      Khushali Jhaveri, MD | Conditions
    • How the cycle of rage is affecting physicians—and how to break free

      Alexandra M.P. Brito, MD and Jennifer L. Hartwell, MD | Conditions

MedPage Today Professional

An Everyday Health Property Medpage Today
  • Terms of Use | Disclaimer
  • Privacy Policy
  • DMCA Policy
All Content © KevinMD, LLC
Site by Outthink Group

Protecting the security of electronic patient data
3 comments

Comments are moderated before they are published. Please read the comment policy.

Loading Comments...