I recently spoke with Chad P. Brouillard, Attorney at Foster & Eldridge, LLP, about achieving the balance between E-Discovery mandates and health provider-specific privacy obligations.
In part one of the two-part interview, we discussed the implications of HIPAA and HITECH. We also looked at a few recent cases and the data breach lessons learned in each of them.
In today’s part two, we talk about what compliance and regulation changes are happening in the health care industry, and what steps a health facility can take to make sure that patients’ information is secure.
Amber Scorah: What compliance and regulation changes are happening in the health care industry that you are aware of?
Chad Brouillard: Well, I think that in essence, the change really started once security rule enforcement got transferred over to OCR in HHS. The security rule had been on the books for a while and then got amped up under HITECH in 2009. I think these agencies have basically been looking at the first rounds of reporting coming in as to what are the most usual data breach cases, and once they have this data, I think that naturally leads to them analyzing it and figuring out how to be more proactive—when, how, and where to effectively do audits of the security rule.
I think before 2009 the mechanism of enforcement of these rules wasn’t as much there. I think that we’re going to see more audit frequency and fine amounts, because they have more information and want to target certain areas. That’s my belief, at least, now they know where to proactively address these problems. I think we’re not only going to see a lot more covered entities, but some auditing of business associates as well.
Some interesting background material: since the compliance date in April of 2003 outlining the HIPAA rules, HHS reported that they received over 70,000 HIPAA complaints and they reported resolving over 60,000 of those through investigation; enforcement occurred only over about 16,000 of them. Of those 16,000 or so, about half of them were resolved with no violations. So, the remainder of that total, about 40,000 cases, were closed without enforcement. So that speaks to the type of data that they’ve been generating since April 2003, and now since 2009 I think they’re really starting to target certain areas.
Amber Scorah: Finally then, what steps can a health facility take to make sure that patients’ information is secure?
Chad Brouillard: I think those cases we talked about at the beginning really illustrate what the current vulnerabilities are.
First off, you’re required under the rules to have a completed risk analysis, and a lot of times, in all of the cases that I’ve cited, they didn’t have one to present to HHS or the AG’s office. I think every health care institution knows now that they really have to have a risk analysis about security issues, first and foremost.
Also, they need to make sure that they not only have this risk analysis, but once they’ve analyzed their security vulnerabilities they’re implementing sufficient risk management measures to address them. One of the things we’ve seen coming up again and again in these cases is the need for security training of workforce members. It’s not enough just to have a policy and it’s not enough just to have some risk management measures, whether we’re talking about physical safeguards, administrative safeguards, or technical safeguards. We also have to make sure that, to the extent it extends to our workforce and end users, they’re educated.
It’s very clear from the above cases that devices, whether they’re laptops, flash drives, storage devices, or other types of media, need to have encryption and controls in place. That’s what we’re seeing commonly with these theft cases. The thefts might seem incidental to the PHI, but it automatically triggers data breach reporting and notification requirements, because of the number of patients that might be contained in a hard drive or flash drive – we’re talking about several gigabytes or terabytes worth of storage. You have to make sure that your data at rest is locked down with encryption, and I think that’s a good point as well.
Finally, hooking onto the M-health issue, I think that every hospital or health care facility needs to seriously think about smart phone and tablet use. I think a lot of times that type of activity goes on ad-hoc and outside of the governance and retention strategy, which is very concerning because you might have patient information that is not retained and is bad for E-Discovery purposes. But also the transmission and the security of the devices might be left to the end user. So, if you have a smart phone which is not locked down and not encrypted and is stolen on the subway, potentially the thief now has access to countless numbers of patient protected health information.
The other tangent from that is that because the providers have smart phones and tablets at ready use while delivering health care, I think the temptation sometimes is to communicate with their colleagues and patients directly in such a way that they would be transmitting protected health information in a less than secure manner, not using encryption. It’s not only data at rest, but also data in transmission that falls under the security rules.
Health care facilities really need to analyze whether we are allowing physicians to use smart phones while delivering care, and if so, are we providing those phones, are they within our governance structure, or are we allowing them to bring in their own personal devices? And, if so, what are the policies regarding that and how do we make sure that they’re securing these devices properly? Then finally, how do we make sure that they’re communicating patient information and transmitting it in a secure manner? All of this needs to be at the forefront when you’re taking steps at your facility to make sure that your patients’ information is secure.
Chad P. Brouillard, Esq. is a speaker at the upcoming IQPC eDiscovery Conference – West Coast, September 10-12, 2012 in San Francisco. For more information or to register, email firstname.lastname@example.org or visit www.e-discoveryevent.com.