DENVER — If federal stimulus money to the tune of $44,000 per physician has warmed more solo and small group practices to the idea of adopting electronic health record systems, the new Health Information Technology for Economic and Clinical Health Act could cool their enthusiasm.
The HITECH law imposes significant responsibility on medical practices in the event of a breach of patients' protected personal health information.
“The statute giveth, and the regulations taketh away,” Gerry Hinkley, a partner specializing in health-information law with a San Francisco law firm, said at the annual conference of the Medical Group Management Association.
HITECH imposes a host of new security obligations on all practices covered by the Health Insurance Portability and Accountability Act (HIPAA).
Most worrisome to the average physician are those that pertain to breaches of health-information security, said Mr. Hinkley.
The law defines “breach” as unauthorized acquisition, access, use, or disclosure of personal health information that compromises the security or privacy of that information and carries significant risk of financial, reputational, or other harm to the subjects of the record in question.
If a breach occurs, the medical practice must notify each patient whose personal health information has been accessed, modified, or inappropriately disclosed because of the breach as soon as possible, but definitely within 60 days of breach discovery. The practice must also post information on its Web site indicating that a breach has occurred.
If the breach potentially affects more than 500 residents of a state, the practice is also obliged to notify local newspapers and other media outlets, as well as the office of the U.S. Health and Human Services Secretary.
“You need to state what happened, when it happened, when it was discovered, the specifics of what was breached, what course of action [the affected] patients have, and what you are doing to mitigate the damage,” said Mr. Hinkley.
He added that these notification rules have technically been in effect since late September, but enforcement won't start until March.
The regulations distinguish between mistaken access to a patient's health record by an authorized person vs. access (especially intentional access) by an unauthorized individual. The former is not considered a breach.
“This is really about prevention of leakage of sensitive health information to unauthorized persons,” he said in defense of the rules.
So if a doctor loses a mobile device or laptop computer that contains patient health records, must he or she call the local media?
That really depends on how well the information has been protected. If the patient files are easily opened, then yes, the lost device would likely constitute a breach. But if the records are well encrypted and password protected, then the information is considered secure and unbreachable, even if the device itself falls into unauthorized hands, Mr. Hinkley noted.
“You really need to talk to your [EHR] vendors about how they encrypt patient data,” Mr. Hinkley advised. He added that electronic communications with patients should, when possible, take place via secure online portals rather than ordinary e-mails or text messages. Material exchanged via e-mail could be considered breachable personal health information, and it's a risk doctors need not take.
HITECH extends a medical practice's responsibility for personal health-information security to all of the practice's business associates, which will include any and all entities with which the practice exchanges potentially sensitive information, including other clinics, vendors, health-information exchanges, regional health-information organizations, e-prescribing gateways, and IT vendors.
“Your business associates are directly responsible to comply with the security rules and can be held accountable to the government for any violations,” Mr. Hinkley said. Business associates are required to quickly report any potential breaches or violations to the practice, but the burden is on the practice to ensure that business associates are in compliance with current rules.
That means that all contracts with business associates—especially new ones—need to contain language addressing personal health-information security, and need to demand compliance with HIPAA and HITECH.
Both HIPAA and HITECH stipulate that the exchange of personal health information among authorized clinical staff must be for “meaningful use.”
Furthermore, only the “minimum necessary” amount of information for that meaningful use should be transferred. Currently, the disclosing party has discretion to determine what is the “minimum necessary” information in a given clinical situation. But there could be serious penalties if that determination is contested.
Both “minimum necessary” and “meaningful use” are very vaguely defined in the existing law, leaving a lot of room for interpretation and risk, Mr. Hinkley said, adding that “if you act unreasonably as far as disclosing more patient information than is necessary for a given case, there's some significant enforcement risk.”