Research institutions face exorbitant fines if they accidentally release PHI
Privacy rule now has sharp teeth
Medical and research institutions have a great deal more to fear these days from an inadvertent release of protected health information (PHI).
"The biggest impact is going to be the fees [imposed by the federal government] when there's an unapproved disclosure of protected health information," says Christina L. Gilchrist, PhD, CRA, director of research at WellSpan Health in York, PA.
"Those fines are pretty severe," she adds. "We all want to be as careful as we can with our patients' information, and that has a lot of implications on security measures that need to be implemented."
The privacy rules put in place by HIPAA were reinforced with hefty fines when Congress passed the American Recovery and Reinvestment Act of 2009 and its Title XIII, the Health Information Technology for Economic and Clinical Health (HITECH) Act. HITECH strengthened criminal and civil enforcement of HIPAA.
Recent evidence suggests the government will be enforcing the rules aggressively.
For example, the U.S. Department of Health and Human Services (HHS) imposed a $4.3 million civil penalty under HITECH on Cignet Health of Prince George's County, MD, in February 2011. The Office for Civil Rights (OCR) found that Cignet violated 41 patients' rights by denying their requests for access to medical records. Cignet also did not cooperate with OCR's investigation, according to an OCR media report dated Feb. 22, 2011.
Health care and research organizations are required to make electronic records available to patients electronically, although they can charge to recoup costs, Gilchrist says.
For a privacy rule violation the entity did not know about, fines range from $100 to $50,000 per violation, capped at $1.5 million for identical violations during a calendar year. If the violation was due to reasonable cause, fines range from $1,000 to $50,000 per violation, also capped at $1.5 million.
HHS defines a breach as "an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual."
As research facilities and medical centers fully transition to electronic databases, the potential for a privacy breach increases unless organizations take steps to prevent this problem.
"It is so easy to access protected health information now with electronic medical records," Gilchrist says. "For the purposes of research, easy access does not mean you should be accessing it, collecting it, or keeping it unless you have explicit permission from the institutional review board."
Electronic medical records also make it easier for an organization to have an accidental disclosure, she notes.
"If I'm a nurse on the floor, and I log into the computer to see a patient's record, and I don't log out, then theoretically a visitor walking by could see some protected health information," she adds.
Gilchrist offers these suggestions for how research sites can stay compliant with the regulations:
Create linking documents: Researchers have legitimate reasons for collecting some PHI, but once the data are collected, many people associated with the research project no longer need access to the identifying information as the data are broken down for individual analysis.
However, no one wants to make the PHI irretrievable, so the solution is to create linking documents.
For example, the medical record number is by far the most commonly used PHI data element, Gilchrist says.
"A lot of people don't think about it as protected health information," she explains. "But the regulations say if the information can reasonably be used to identify someone then it's a PHI."
The solution is to create a linking document that assigns a study number code to the medical record number. Then lock that linking document away for use in the event a particular subject needs to be re-identified, Gilchrist says.
"If we see something where we have a moral and ethical obligation to contact that particular person, then that would be a legitimate reason for accessing that linking document," she adds.
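As an added illustration of the linking document Gilchrist describes (example code, not from the article or from WellSpan), this Python snippet splits constructed patient records into a study dataset keyed by random study codes plus a separate MRN-to-code linking document, and gates re-identification behind an explicit authorization flag that stands in for the "moral and ethical obligation" review. Record contents, field names and the authorization check are assumptions for the demonstration.

```python
import secrets

# Constructed sample records for the demonstration; MRNs, names and values are made up.
SAMPLE_RECORDS = [
    {"mrn": "MRN-1001", "name": "Alice Example", "age": 54, "a1c": 7.2},
    {"mrn": "MRN-1002", "name": "Bob Example", "age": 61, "a1c": 6.8},
    {"mrn": "MRN-1001", "name": "Alice Example", "age": 54, "a1c": 7.0},  # second visit
]

# Fields treated as direct identifiers (PHI) that must not reach the study dataset.
IDENTIFIERS = {"mrn", "name"}


def make_study_code(prefix="S"):
    # Random, non-sequential code so a study ID does not leak enrolment order.
    return f"{prefix}-{secrets.token_hex(4)}"


def pseudonymize(records, linking=None):
    """Return (study_dataset, linking_document).

    The linking document maps MRN -> study code; the same MRN always receives the
    same code, so an existing linking document can be passed in and extended.
    """
    linking = dict(linking or {})
    study_rows = []
    for rec in records:
        mrn = rec["mrn"]
        if mrn not in linking:
            code = make_study_code()
            while code in linking.values():  # guard against a (rare) collision
                code = make_study_code()
            linking[mrn] = code
        row = {k: v for k, v in rec.items() if k not in IDENTIFIERS}
        row["study_id"] = linking[mrn]
        study_rows.append(row)
    return study_rows, linking


def reidentify(study_id, linking, authorized):
    """Look up the MRN behind a study code from the locked-away linking document.

    `authorized` is an assumed flag set only after the documented justification
    (for example, a duty to contact the subject) has been approved.
    """
    if not authorized:
        raise PermissionError("access to the linking document requires an approved reason")
    for mrn, code in linking.items():
        if code == study_id:
            return mrn
    raise KeyError(study_id)
```

Keep the returned study dataset with the research team and store the linking document separately under the access controls the article describes.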
Use encryption on all computers: "All of our laptops now are encrypted," Gilchrist says. "We also have an encryption program for any media device like a pen drive, so if I put a pen drive into my laptop to take information off of it, then the pen drive itself is encrypted, and I can't access data without a password."
Research institutions walk that fine line between making available necessary data for research versus safeguarding against privacy breaches.
"We're trying to make access to data for studies simple while making access to the identifiable information difficult," Gilchrist says.
"I've been working with our health information management team to discuss a potential option that will encrypt all of our identifiable information," she explains. "Then researchers would have access to it based on their role and security clearance level and their need to know."
Ensure business associates know their responsibilities: Under HITECH rules, business associates of research sites also are held responsible for PHI breaches. They could receive the same fines and penalties for breaches.
"One of the biggest recent changes is institutions rewriting business associate agreements," Gilchrist says. "We have to let them know they are responsible to the federal government and regulatory authorities and that when they sign our business agreements they are assuming that responsibility."
Business associates previously were not held accountable because they were not considered "covered entities" under HIPAA. Now they can be fined or otherwise face civil and criminal penalties, and patients may receive financial compensation for a violation of their privacy.
Included as business associates are employees and independent contractors.
Write SOPs for handling a privacy breach: Medical and research organizations are required to make a notification of breach when an incident occurs. Each CR site should have its own standard operating procedures (SOPs) addressing how to handle these situations.
For instance, if a researcher loses his or her pen drive with study data on it, including PHI, the research site would have to investigate the incident and determine if the breach involved unsecured PHI.
"Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance," HHS guidance states.
If an investigation determines the breach included unsecured PHI, then the CR site would have to notify all the individuals impacted by this breach, conduct a full investigation, and advise HHS and others, Gilchrist says.
First, the site would need to send a written notice by first class mail to subjects impacted by the breach. The notice would need to tell them that their private health information was accidentally breached.
"I'd have to let them know everything we're doing to mitigate it and our plan for preventing further breaches," Gilchrist says.
Second, the CR site would need to notify the media in the event there's a breach involving more than 500 residents within a jurisdiction, she says.
"You have to notify prominent media outlets serving that state or jurisdiction," she adds.
The third step is to notify the Secretary of the Department of Health and Human Services, again if the breach involved more than 500 people.
"If there are fewer than 500 people then we just keep a log of the breaches and after 60 days from the end of the calendar year, you can provide a notification at that time," Gilchrist says.
"Send the elements of what happened, your mitigation plan, and corrective action plan to HHS and the individuals," she says. "You give a description of what happened, dates of discovery, say what the individual should do, what the research site will do to mitigate the harm, and list a single point of contact for more information."