

Published 12/1/2010
Rosemarie Nelson, MS

Managing patient data security

From HIPAA to managing a breach

The Health Information Technology for Economic and Clinical Health (HITECH) Act was created to fund and support a paperless national health information network through the adoption of electronic health records (EHR).

More than stimulus funds
In addition to providing incentive dollars for meaningful use of a certified EHR, the HITECH Act significantly strengthened aspects of the Health Insurance Portability and Accountability Act (HIPAA) security rule, including the penalties enforced by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR).

Without a doubt, HITECH is the largest and most consequential expansion and change to the federal privacy and security rules ever. The 15 change areas include new federal privacy and security provisions that will have major financial, operational, and legal consequences for all medical practices, hospitals, health plans, and their “business associates.”

In announcing the modifications, HHS Secretary Kathleen Sebelius said, “To improve the health of individuals and communities, health information must be available to those making critical decisions, including individuals and their caregivers. While health information technology will help America move its healthcare system forward, the privacy and security of personal health data is at the core of all our work.”

HIPAA requires all healthcare covered entities (CEs)—and that includes orthopaedic surgeons—and their business associates (BAs)—consultants like me—to safeguard the privacy of patient health information. The HIPAA law also requires CEs and BAs to implement required security measures to protect patient health information.

The OCR is authorized to audit compliance. The security audits will check that organizations have completed a risk assessment and implemented appropriate administrative, technical, and physical safeguards.

Your next steps should be to perform an assessment, establish a baseline scorecard, and track compliance progress. New penalties for violating HIPAA and HITECH Act security regulations are enormous. CEs and BAs face up to $1.5 million in fines for multiple violations of a single requirement in a calendar year, as well as untold damage to their (yours and my) reputations.

Breach notification
According to HITECH, a breach is “the unauthorized acquisition, access, use or disclosure of protected health information which compromises the security or privacy of such information, except where the unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

The breach notification rule says that CEs, and their BAs on their behalf, must notify affected individuals without unreasonable delay and no later than 60 calendar days after a breach of unsecured protected health information is discovered. Discovery is the first day the breach is known to an employee or agent of the medical practice or to a BA, or the first day it would reasonably have been known. Notification must be in writing to the individual's last known address, or to the next of kin if the individual is deceased. The CE must use substitute notification methods (such as a conspicuous posting on the practice's Web site) if it lacks sufficient or current contact information to deliver a written notice.

The CE must also notify HHS without unreasonable delay if the breach involves 500 or more individuals, and must notify prominent local news media if it involves more than 500 residents of a state or jurisdiction. Breaches affecting fewer than 500 individuals must be recorded in a log that the CE submits to HHS annually.

Encryption is a process that renders data unreadable to anyone who does not hold the decryption key. A breach need not be reported if the data involved were encrypted, because they are unreadable, unusable, and indecipherable to the unauthorized person; this "safe harbor" does not apply if the decryption key was exposed along with the data. The encryption must be validated and meet Federal Information Processing Standards 140-2 issued by the National Institute of Standards and Technology (NIST FIPS 140-2).

It is not enough to just encrypt. You must implement policies for periodic checks that encryption is actually in place and working on every device that holds PHI, and review your record retention and destruction policies. Full disk encryption protects a lost or stolen machine from third parties, but not from unauthorized "insiders" who share a computer that is already running and unlocked; file or folder encryption may be better in that setting. By the way, a password on a document or spreadsheet is not validated encryption and does not qualify for the safe harbor.
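The notification decisions above (the 60-day clock from discovery, the encryption safe harbor, written versus next-of-kin versus substitute notice, the 500-individual threshold for HHS and media notice, and the annual log for smaller breaches) can be written down as one triage function so that nobody has to reason them out under pressure. The following is an added example, not code from the article or from any EHR vendor; the record layout, field names, and sample incidents are this example's own constructed assumptions.

```python
"""Breach-notification triage (added example; not from the article).

Encodes the HITECH breach-notification decisions as a function: the 60-day
clock from discovery, the encryption safe harbor, written vs. next-of-kin
vs. substitute notice, the 500-individual thresholds for HHS and media
notice, and the annual log for smaller breaches. Record layout, field names
and sample incidents are this example's own assumptions, constructed for
illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

NOTIFY_WINDOW_DAYS = 60    # outer limit; notice is due without unreasonable delay
HHS_NOW_THRESHOLD = 500    # 500 or more individuals: notify HHS along with the individuals
MEDIA_THRESHOLD = 500      # more than 500 residents of a state/jurisdiction: notify media


@dataclass
class AffectedIndividual:
    name: str
    address: Optional[str]                  # None: no usable mailing address on file
    deceased: bool = False
    next_of_kin_address: Optional[str] = None


@dataclass
class BreachRecord:
    incident_id: str
    discovered: date                        # first day known (or reasonably knowable) to staff, an agent, or a BA
    encrypted: bool                         # FIPS 140-2 validated encryption was in place
    key_compromised: bool = False           # was the decryption key exposed with the data?
    individuals: List[AffectedIndividual] = field(default_factory=list)


@dataclass
class TriageResult:
    reportable: bool
    deadline: Optional[date]
    written_notice: List[str]               # mail to last known address
    next_of_kin_notice: List[str]           # deceased, kin address known
    substitute_notice: List[str]            # living, no usable address: Web posting / media notice
    no_notice_possible: List[str]           # deceased, no kin contact: substitute notice is not required
    notify_hhs_now: bool
    notify_media: bool
    add_to_annual_log: bool


def triage(breach: BreachRecord) -> TriageResult:
    # Safe harbor: properly encrypted data are unreadable to the thief, so there is
    # nothing to notify, unless the key went with the data.
    if breach.encrypted and not breach.key_compromised:
        return TriageResult(False, None, [], [], [], [], False, False, False)

    deadline = breach.discovered + timedelta(days=NOTIFY_WINDOW_DAYS)
    written, kin, substitute, none = [], [], [], []
    for p in breach.individuals:
        if p.deceased:
            (kin if p.next_of_kin_address else none).append(p.name)
        elif p.address:
            written.append(p.name)
        else:
            substitute.append(p.name)

    n = len(breach.individuals)             # assumption: all live in one state/jurisdiction
    hhs_now = n >= HHS_NOW_THRESHOLD
    return TriageResult(
        reportable=True, deadline=deadline,
        written_notice=written, next_of_kin_notice=kin,
        substitute_notice=substitute, no_notice_possible=none,
        notify_hhs_now=hhs_now, notify_media=n > MEDIA_THRESHOLD,
        add_to_annual_log=not hhs_now,      # smaller breaches: log them, submit to HHS yearly
    )


def sample_small_breach() -> BreachRecord:
    """Constructed sample: an unencrypted USB drive lost, discovered Nov. 15, 2010."""
    return BreachRecord(
        incident_id="INC-2010-07", discovered=date(2010, 11, 15), encrypted=False,
        individuals=[
            AffectedIndividual("Ana Ruiz", "12 Elm St, Springfield"),
            AffectedIndividual("Ben Cole", None, deceased=True, next_of_kin_address="4 Oak Ave"),
            AffectedIndividual("Chen Wu", None),
            AffectedIndividual("Dev Kapoor", None, deceased=True),
        ],
    )


def sample_encrypted_laptop() -> BreachRecord:
    """Constructed sample: stolen laptop with validated full disk encryption, key not exposed."""
    return BreachRecord("INC-2010-08", date(2010, 11, 20), encrypted=True,
                        individuals=[AffectedIndividual("Eve Park", "9 Pine Rd")])


def sample_large_breach(count: int) -> BreachRecord:
    """Constructed sample: a stolen, unencrypted backup tape covering `count` patients."""
    people = [AffectedIndividual(f"Patient {i}", f"{i} Main St") for i in range(count)]
    return BreachRecord("INC-2010-09", date(2010, 12, 1), encrypted=False, individuals=people)


if __name__ == "__main__":
    r = triage(sample_small_breach())
    print("deadline:", r.deadline, "| written:", r.written_notice,
          "| kin:", r.next_of_kin_notice, "| substitute:", r.substitute_notice)
```

The two thresholds are deliberately distinct: HHS must be told when 500 or more individuals are affected, while media notice turns on more than 500 residents of a single state or jurisdiction, which the sample simplifies by assuming every patient lives in the same jurisdiction. Feeding the function a real incident requires knowing whether the encryption on the lost device was validated and whether the key (or a logged-on session) went with it, which is exactly what the periodic encryption checks recommended above are for.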

Restrict access
Have you considered where the results of database queries reside? Can the data be saved or copied “locally”? Where is your backup—in the cupboard or the cloud? These are all critical questions to ask.

The OCR listed 108 incidents at or above the 500-patient threshold as of Nov. 15, 2010. More than half of the incidents resulted from theft of computers or storage devices (Fig. 1). Three breaches involved a hacker, and three involved e-mail, including one simple misdirection.

The patient is in control
Patients can place restrictions on certain disclosures of their protected health information (PHI). A patient who pays in full out-of-pocket can restrict a medical practice from disclosing his or her PHI to a health plan. The restriction is limited to payment and "healthcare operations" and does not apply when disclosures are made for treatment purposes. The PHI restricted by the patient must pertain solely to a healthcare item or service that the individual paid for in full.

What does this mean to you? Your practice must implement processes to separate information in patients’ records when patients request this restriction and have paid fully on their own. Review your payer contracts because they may require physicians to provide access to, or copies of, patients’ medical records. You will have to amend the contract to exclude the restricted information.

Accounting for disclosure—the EHR
Medical professionals in practices that use EHRs must provide, on request, an accounting of all disclosures of PHI made through the EHR over the preceding 3 years. This includes disclosures for treatment, payment, and healthcare operations, which is a new requirement. The practice must also account for BA disclosures or provide the patient requesting the accounting with a list and contact information for all of the practice's business associates.

If you implemented your EHR after Jan. 1, 2009, you must provide this accounting for disclosures made beginning Jan. 1, 2011, or the date the EHR was implemented, whichever is later. If you implemented your EHR before Jan. 1, 2009, you have until Jan. 1, 2014, to meet this new requirement.

Business associates
Who are these BAs? Examples include entities with which practices share PHI, such as, but not limited to, consultants, lawyers, or patient-record storage firms. BAs must meet the following requirements:

  • Fully implement administrative, physical, and technical safeguard requirements set forth in the HIPAA Security Rule
  • Execute certain policies, procedures, and documentation requirements
  • Develop and implement written privacy and security policies and procedures, governing handling of PHI, including designation of a security officer
  • Comply with new privacy and security provisions created in HITECH

Pay attention to enforcement
The penalties for violations have increased significantly. The previous cap was $25,000 per year. The new legislation allows a maximum annual penalty of $1.5 million for identical violations in the most egregious cases. Enforcement also has a wider reach: state attorneys general can now bring actions under the law.

What should you do?
Call your EHR and network support vendors. Ensure your systems track and report all disclosures of PHI and optimize encryption techniques. Evaluate your backup and storage policies and procedures. Perform a security risk assessment. Contact your business associates to ensure they comply. Update your business associate agreements to include the new HITECH requirements. Visit the AAOS online practice management center for additional information and resources.

Rosemarie Nelson, MS, is a principal consultant with the Medical Group Management Association Health Care Consulting Group. She can be reached at rnelson@mgma.com

An orthopaedic practice security plan
Every medical practice needs to perform a security risk assessment, which includes establishing written policies, monitoring those policies for compliance, and developing a remediation plan. The following are some examples of policy issues that need to be addressed in a practice security plan:

  • Access control list and role-based privileges
  • Sharing log-on and passwords
  • Physical and logical access controls
  • Sanctions for intentional unauthorized access to protected health information (PHI)
  • Automatic timeout for all applications
  • Securing network and application servers
  • Securing and logging backup media and media re-use
  • Incident response plan
  • Download of PHI to portable devices
  • Frequency of review of audit log of users’ access to PHI
  • E-mail and PHI
  • Securing smart phones and laptops
  • Data encryption, archiving, and deletion
  • Data integrity control audit
  • Annual review of all business associates’ agreements and compliance
  • Password management (routine resetting)
  • Inactivating or deleting the accounts of individuals who are no longer with the organization
  • Performing a security risk analysis
  • Telecommuting and data stored locally by the user
  • Workstation use, including data and application downloads (to prevent the introduction of malicious software)
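Several of the items above (role-based privileges, shared log-ons, inactivating accounts of departed staff, and periodic review of the audit log of users' access to PHI) are only enforceable if someone actually reads the access log against the staff roster. The following is an added example of such a review, not code from the article or from any EHR product; the log format, the roles, the users, and the sample log lines are constructed for illustration, and a real EHR's audit export would need its own parser in place of `parse_log`.

```python
"""PHI audit-log review (added example; not from the article).

Runs three checks from the security-plan list over a constructed access log:
  * role-based privileges: the action must be permitted for the user's role;
  * departed staff: no activity on an account after the person's last day;
  * shared log-ons: one account used on two workstations within a few minutes.
Log format, roles, users and sample lines are this example's own assumptions.
"""
import csv
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed sample log, one event per line: timestamp,user,workstation,action,patient_id
SAMPLE_LOG = """\
2010-11-15T08:02:11,jsmith,WS-EXAM1,view_chart,P1001
2010-11-15T08:03:40,jsmith,WS-FRONT2,view_chart,P1002
2010-11-15T09:10:05,mlee,WS-BILL1,view_chart,P1003
2010-11-15T09:12:30,mlee,WS-BILL1,view_billing,P1003
2010-11-15T10:45:00,tgone,WS-EXAM2,export_records,P1004
2010-11-15T11:00:00,drpatel,WS-EXAM2,view_chart,P1005
"""

# Role-based privileges (assumed): which actions each role may perform on PHI.
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "edit_chart", "view_billing", "export_records"},
    "nurse": {"view_chart", "edit_chart"},
    "billing": {"view_billing"},
}

# Staff roster (assumed): user -> (role, last day of employment or None if still active).
USERS = {
    "jsmith": ("nurse", None),
    "mlee": ("billing", None),
    "drpatel": ("physician", None),
    "tgone": ("nurse", date(2010, 10, 31)),   # left the practice; account never inactivated
}

# Two workstations under one account this close together suggests a shared log-on.
SHARED_LOGON_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed CSV log into event dicts; a real export needs its own parser."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, user, workstation, action, patient = row
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": workstation, "action": action, "patient": patient})
    return events


def review(text):
    """Return findings as (kind, user, detail) tuples in chronological order."""
    findings = []
    last_seen = {}   # user -> (timestamp, workstation) of that user's previous event
    for e in sorted(parse_log(text), key=lambda e: e["ts"]):
        role, last_day = USERS.get(e["user"], (None, None))
        if role is None:
            # Not on the roster at all: a leftover vendor or shared account, or a typo to chase.
            findings.append(("unknown_account", e["user"], e["ts"].isoformat()))
            continue
        if last_day is not None and e["ts"].date() > last_day:
            findings.append(("departed_account_active", e["user"], e["ts"].isoformat()))
        if e["action"] not in ROLE_PERMISSIONS[role]:
            findings.append(("role_violation", e["user"], f"{e['action']} on {e['patient']}"))
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["ws"] and e["ts"] - prev[0] <= SHARED_LOGON_WINDOW:
            findings.append(("possible_shared_logon", e["user"], f"{prev[1]} and {e['ws']}"))
        last_seen[e["user"]] = (e["ts"], e["ws"])
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:26} {user:10} {detail}")
```

Run against the sample log, the review flags jsmith's account appearing on two workstations 89 seconds apart, a billing user opening a clinical chart, and the departed nurse's still-active account exporting records, which is both a deprovisioning failure and an action outside that role. Every one of those would be invisible to a practice that encrypts diligently but never reads its own audit log, and each maps directly to a line in the plan above: the access control list, the sanctions policy, and the account-inactivation procedure.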

For more information, visit the AAOS online practice management center.