Rocket Pace, But To Where?

Not a day goes by (or many posts on The Pulse Blog) without a discussion of the rapid increase in data breaches impacting the healthcare industry. Information and statistics in this regard are inescapable. For instance, the so-called “Wall of Shame,” which is the public posting of breaches, recently crossed the 2,000 breach threshold. The Wall of Shame first came online in 2009 and took almost five years to hit the 1,000 barrier, but just another 3 years to hit 2,000. Clearly, the data show that more breaches are happening, and more frequently.

The previous statement about more data concerning breaches though is a fairly recent development. While the Wall of Shame has now been around since 2009, there has not been a consistent, comprehensive source for information about healthcare data breaches. Sources are developing though, with the Protenus Breach Barometer being one of my favorites. The Breach Barometer is typically published on a monthly basis and highlights totals of known breaches from the previous month. Tracking the Breach Barometer reveals trends, which were highlighted in the recent mid-year Breach Barometer.

The highlights from the mid-year Breach Barometer are that insider issues and hacking incidents account for the vast majority of incidents. Insider issues can be broken into two large categories: inadvertent mistakes and malicious activities. An inadvertent mistake could be sending to the wrong address, an email error or some other unintentional act. To some degree, inadvertent mistakes are unavoidable because no one can be perfect. The key with an inadvertent mistake is to catch the problem early, which increases the effect of any resulting mitigating action. While inadvertent mistakes are arguably a part of human nature, preparing individuals with comprehensive, consistent and ongoing education and training may reduce the risk. When individuals are aware of an issue and know how to address it, the likelihood of occurrence is reduced and a natural response is built in.

The second side of insider breaches, malicious intent, is harder to control for because, as the name implies, the individual has some bad intent that will motivate attempts to get around defenses. When malicious intent is present, the individual is clearly trying to profit individually or through organized efforts. The bottom line though is a willful disregard for an organization’s policies and the requirements of law and regulation. Awareness of the growing number of malicious intent incidents is the first step in combatting, stopping or preventing them. Up until a couple of years ago, stories of individuals stealing medical information to sell for profit or otherwise taking advantage of trusted information were rare. Unfortunately, that is no longer the case. Multiple times per year a story of a criminal prosecution or other outcome is reported. Further, malicious intent breaches can often take the form of a “small” breach where only one or a few individuals have their information accessed. Many times, such breaches occur because the individuals know each other, or some personal relationship influences a decision. Small breaches were well-documented in a December 2015 ProPublica article, but it is unclear what, if any, change has resulted.

Even though malicious intent is designed to elude preventive efforts, tools and methods do exist to help address it. For instance, organizations would be well advised to regularly monitor and audit medical record access. Such efforts are arguably easier for electronic medical records because a log file is often present and some portions of the review can be automated. However, it is unclear how well such efforts are undertaken. Additionally, specific records, such as those of a “V.I.P.” patient, could be reviewed when a higher degree of concern is present. Ensuring that access is appropriate is a baseline requirement under HIPAA, so the organizational ask is not going too far.
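The access-log review described above, as an added example that is not part of the original post: a small Python audit that runs three review rules over a constructed electronic record access log. The log format, the V.I.P. list, the volume threshold and the shared-surname heuristic (a stand-in for the “individuals know each other” pattern) are assumptions made for illustration.

```python
"""Audit an EHR access log for the access patterns the post calls out.

Constructed example, not code from the post or any EHR vendor. The log
columns (timestamp,user,user_last_name,patient_id,patient_last_name,action)
and the V.I.P. list are assumptions made for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log; patient 1004 is the flagged "V.I.P." record.
SAMPLE_LOG = """timestamp,user,user_last_name,patient_id,patient_last_name,action
2017-08-01T09:02:11,jdoe,Doe,1001,Smith,view
2017-08-01T09:05:40,jdoe,Doe,1002,Doe,view
2017-08-01T09:07:02,nurse7,Lee,1004,Garcia,view
2017-08-01T09:09:15,billing2,Kim,1001,Smith,view
2017-08-01T09:09:20,billing2,Kim,1003,Ortiz,view
2017-08-01T09:09:25,billing2,Kim,1005,Nguyen,view
2017-08-01T09:09:30,billing2,Kim,1006,Patel,view
"""
VIP_PATIENTS = {"1004"}          # assumed: maintained by the privacy office
DISTINCT_PATIENT_THRESHOLD = 3   # assumed: tune per role and normal workload


def audit_access_log(log_text, vip_patients=VIP_PATIENTS,
                     threshold=DISTINCT_PATIENT_THRESHOLD):
    """Return a list of (rule, user, detail) findings for a human reviewer."""
    findings = []
    patients_by_user = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        user, pid = row["user"], row["patient_id"]
        patients_by_user[user].add(pid)
        # Rule 1: every access to a flagged record is reviewed, whoever made it.
        if pid in vip_patients:
            findings.append(("vip_access", user, pid))
        # Rule 2: a shared surname is a cheap proxy for a personal relationship
        # (assumed heuristic; it yields false positives, so a person decides).
        if row["user_last_name"].lower() == row["patient_last_name"].lower():
            findings.append(("possible_relationship", user, pid))
    # Rule 3: one user touching many distinct records in the review window.
    for user, pids in patients_by_user.items():
        if len(pids) > threshold:
            findings.append(("high_volume", user, f"{len(pids)} distinct patients"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit_access_log(SAMPLE_LOG):
        print(f"{rule:22} {user:10} {detail}")
```

Each finding is a lead for a reviewer, not a conclusion; the point is that the log already holds enough to surface the small, relationship-driven accesses the post describes.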

Hacking, the other major reason for the increased number of data breaches, is harder to address. Suffering a hacking attack is largely beyond a single organization’s control. It is a sad but true reality that hackers and other outsiders with bad intent are likely more sophisticated technologically. While that disparity may exist, organizations should not resign themselves to being hacked. Intrusion can be made more difficult by implementing countermeasures, updating regularly and being proactive. Further, no organization should be deluded that it is too small to be attacked. Practices of all sizes, from single practitioners to multi-state systems, have been attacked and will continue to be attacked.

Despite the increasing frequency of attacks and reports, it is a time for optimism. Why is optimism justified? Because data breaches (though usually just hacking or ransomware) garner major news headlines and are a topic of frequent discussion. Additionally, more sources are quantifying, examining and breaking down the breaches. As such, the explosion of healthcare data is not just the medical information, but how that information is being used and how it is vulnerable. As more analyses are conducted and distributed, all will benefit. A data breach is not suffered by an organization alone and quietly but, for better or worse, out in the open. The ability to collectively learn from each incident is one of the reasons for optimism about the future. The first step to doing something is to be aware.

What will happen in the future? No answer can be known today. However, my honest feeling is that healthcare as an industry and organizations as individuals do care about protecting healthcare information. No one is satisfied with a reality where more than one breach per day is occurring. Such consistent failings of trust are not acceptable, especially when that reality can be influenced through easily controlled actions. It is easy to complain and highlight the issues without applauding the everyday work that is improving the situation. It is important not to forget the progress that has been made and the efforts that are ongoing. It is impossible to expect that all breaches will be stopped, but we should at least bring the number down, and the groundwork for that exists.


HIPAA: Healthcare’s Favorite Scapegoat

Stop if you’ve heard either of these or some other variation before: I can’t tell you anything about that patient because of HIPAA, or I can’t give you a copy of your medical records because of HIPAA, or HIPAA doesn’t let me say anything. Throwing up HIPAA as an excuse to prevent the free and usually justified flow of medical information is all too commonplace in healthcare. These issues have been at the forefront of mind because of a recent back and forth on Twitter that included a combination of providers, lawyers, patients and other individuals. The common thread throughout the discussion was that HIPAA is used as a barrier with an alarming degree of frequency.

The means by which HIPAA is raised as a barrier may vary, but the underlying premise is always the same: a requested action cannot occur because HIPAA privacy and/or security requirements allegedly prohibit the desired action. A fundamental question is why HIPAA is so frequently used as an excuse. Is misunderstanding or a lack of understanding of HIPAA so widespread? Is the use of HIPAA as an excuse a sign of laziness or not caring about individual rights? Does too much fear exist surrounding the fallout from a potential violation? The exact question and answer will likely never be known (since it is unlikely that anyone will admit the true reasons), but it is also unnecessary to know the question and/or answer.

The mere fact that the issue exists should be the impetus to drive for change. HIPAA, when properly understood, facilitates many of the outcomes that it is used to prevent. HIPAA does contain a myriad of privacy and security requirements, but those requirements enable common sense usage and are not intended to prevent the delivery or coordination of care as is so often asserted.

One step in removing HIPAA as an excuse is for the impacted parties to be fully aware of what HIPAA does and what it allows. Arming one’s self with a working knowledge of HIPAA promotes the ability to call out a party or individual when that party tries to use HIPAA in the wrong way. Such knowledge is both a means of self-help and promoting awareness. If the erring party is not taking appropriate steps to become educated or misinterprets a requirement, then the correct information can be presented to them. The fact that conversations identifying and diving into these issues are occurring on social media and elsewhere is a positive sign.

It is acknowledged that shining a bright light on the misconceptions surrounding HIPAA is not a cure-all approach. In fact, even when presented with the right and required path to take, resistance can be expected.

That leads into another step, which is to continue making educational and informational materials available. If correct and accurate information about HIPAA becomes readily available and hard to miss, the opportunities to access such information and materials also increase. The more chances there are to drink from the fountain of knowledge, hopefully the more individuals will actually do so. The other old axiom, that you can lead a horse to water but you can’t force the horse to drink, also applies, but there is always the chance that optimism will prevail.

The Office for Civil Rights and the Office of the National Coordinator for Health Information Technology are walking the educational walk. The past few years have seen a relative explosion in the production of resources and tools. These resources and tools attempt to remedy misconceptions and ensure a well-rounded understanding. As such, the resources consider how HIPAA applies to newer technologies or realities, while staying true to truths that have existed since HIPAA was first enacted. That fact reveals one of the issues though: the resources are not spreading new information, but speaking to certain HIPAA basics.

The frustration over non-compliance can be seen in the publicly announced enforcement actions. Many of those settlements find pervasive and fundamental non-compliance issues. However, the settlements also do not address so-called “smaller” issues such as breaches impacting fewer than 500 individuals or failures to grant access. Those problems are often addressed outside the public eye.

With all of these issues, maybe the time is ripe for a grassroots movement to dispel many of the myths surrounding HIPAA and its perceived role as a barrier in healthcare. Many platforms exist to promote such a movement, none with more potential power than social media. Social media enables the quick and widespread dissemination of information, the calling out of bad actors, and a means of pushing for a response. The question here is whether enough of a public issue exists, though that can arguably be driven by putting the issue out. Regardless, if more people create resources that address HIPAA questions and show how it is misstated, then the excuse will hopefully become harder and harder to use.

For the time being, the scapegoat will remain. It can only be hoped that this unfortunate reality will change soon. In the meantime, continue spreading the message as to how HIPAA really operates.


Don’t Skimp on Training: Know Patient Rights

What is the response when an individual submits a request to receive access to their medical record? The response can often be one of frustration over the time and effort that will go into compiling the record in response to the request. There can also be a desire to recoup costs (or make a little extra). Are all individuals in an organization prepared to respond to requests or to obtain the necessary information? A lot of questions can arise when a request for access is made.

In this respect, education and training are key components of building, establishing and maintaining a culture of compliance. As I often like to say, how can an individual be expected to do the right thing if that person does not know what the right thing is or how to do it? Promoting the beneficial aspects of education leaves aside the fact that HIPAA requires training and education.

When thinking about an education or training program, many individuals may be resistant to following through with mandated training or may not really pay attention. If a training module can be done remotely, how many people would take the opportunity to “watch” it while sitting in front of the television or doing some other activity where attention will be divided? Training does not rank high on the list of preferred activities for many, so it is important to find ways to promote meaningful training.

Training is especially important for physicians because physicians have so many direct interactions with patients who could make requests. At the same time, physicians are among the individuals with the least time, and the least desire, to devote to training. What incentive could be offered to promote more willingness to do the training? Money or some other compensation would likely work, but is probably not feasible. The Office for Civil Rights may have found another way. As part of continuing efforts to ensure an accurate understanding of access rights, OCR created a training module approved for continuing medical education. Like any remote training, the module can be done anywhere, but it is presented by some of the top government HIPAA officials and gives CME credit. Continuing education credits are often in high demand among professionals.

Having identified the hope for the training, will it work? The answer to that question will be hard to determine. However, the mere existence of the training is a positive sign. The more opportunities and avenues there are for physicians and others to be trained on HIPAA requirements the better. For too long HIPAA has been blamed for impeding too many activities, often driven by a lack of understanding about what HIPAA actually does. If tools are available, the list of excuses for not comprehending HIPAA can be shortened. That is a good thing.

Education and awareness alone should be sufficient to drive individuals and organizations to learn about HIPAA. The optimistic view is overshadowed by reality though. If doing the right thing is not sufficient motivation, the potential negative consequences could be a better motivator. What happens if a patient’s request for access is not fulfilled in a timely or accurate manner? If a report is made to OCR, then an investigation could occur. Many investigations are resolved behind the scenes through discussions between OCR and the subject, but sometimes bigger issues can arise and then headlines can be made. No organization would want to face the potential backlash of paying a hefty settlement and seeing its name appear everywhere just because it did not understand the access requirement. A healthy mix of encouragement and fear could be enough to emphasize the importance of good education and training.
