Data Protection Remains Shaky

suspension-bridge-183935_640Data remains exposed in significant numbers in the healthcare industry. The monthly Protenus Breach Barometer shows that the trend of at least one breach per day in a month is continuing. To be specific, Protenus and showed 37 breaches being disclosed for the first time in May. The number is significant, demonstrating the ongoing challenge for the healthcare industry. The not so old adage of it is not a matter of if you get breached, but when you get breached is only proving to be more and more accurate.

A couple of findings from the report stand out.  First, three breaches were not reported for over 1000 days from the date of discovery. This is a substantial period of time during which a breach remained unreported. Why did it take so long for these organizations to report? What breakdown in auditing and monitoring of systems occurred? The delay in reporting could be attributed to the high number of insider breaches reported in May. A common concern about insider breaches is the difficulty in detecting. An insider can slowly leak data out of a system or otherwise mask activity. Additionally, despite widespread reports that insiders are a top threat, outside issues such as ransomware garner many of the headlines and the spotlights. Drawing attention away from insiders is dangerous though. As noted, insiders understand a system, have approved access to data, and have many opportunities to extract data. No organization should feel safe. It is not a matter of a lack of trust, so much as recognizing reality.

The concern about insider threats leads to the second standout item from the May report, namely that insiders caused 15 of the 37 breaches reported. As reported by Protenus, 10 of the insider breaches were the result of an error. While not a good, there is a silver lining that errors should be one-time events and without malicious intent. The other five insider breaches were the result of malicious conduct. Such conduct includes obtaining information for personal gain, selling information to known criminals, and other conduct in the same vein. The common theme of the malicious intent breaches is the desire to profit or personally gain from taking the information. If an individual has a strong desire to create a personal benefit, it will be difficult to stop ahead of time. However, organizations can do a better job of rooting out the internal bad actors. Organizations should be routinely auditing and monitoring systems, records and other aspects of protected health information. Further, automated systems can be deployed to enhance what individual efforts. Using a combination of tools can speed up the time of discovery, which in turn can enhance mitigation efforts.

As can be seen, the Breach Barometer should be mandatory monthly reading for many entities. Until security efforts can be improved, it is instructive to learn lessons from the monthly summary of breach reports. Optimistically, it is hoped that those lessons are from others and not from within one’s own organization.

Posted in Compliance, Health IT, HIPAA, Regulations | Tagged , , , , , | 1 Comment

Is Value Based Care a Tortoise or a Hare?

maxresdefaultRecently, my son has been listening to an adaptation of the classic story the tortoise and the hare. For those who may not remember the story, or have not listened to/read it recently, it is the parable for slow and steady wins the race. In the story, the hare (the fast animal) challenges the tortoise (the slow, plodding animal) to a race. As expected, the hare races off to an early lead, while the tortoise starts with and maintains a slow and steady pace. The hare quickly runs out of energy and falls asleep. The tortoise keeps the same pace and finishes the race ahead of the hare.

What does this story have to do with shifting healthcare to a value based care system? Expectations and hype (the hare) cannot be allowed to overcome practical, thoughtful adoption (the tortoise). No change, especially fundamental change, can be expected to occur overnight. It takes time for reform to seep in, be implemented and be refined.

A recent joint survey by Quest Diagnostics and Inovalon shows slow, but growing acceptance and recognition that value based care is here to stay in healthcare. In comparison to the 2016 version of the survey, more physicians (and health plan executives) see that the tools are in place for value based care.

Specifically, newer physicians are more apt to think that the American healthcare system is becoming value based. Thirty-one percent (31%) of physicians with 20 years or less of practice think that there is a value based care system. The shift in viewpoints is important because those physicians with fewer years of experience are the ones who will need to work within the new system for the longest.

An increasing percentage of both physicians (2017: 43% v.s 2016 29%) and health plan executives (2017: 53% vs. 2016: 44%) think that physicians already have the tools to succeed with value based care. However, as pointed out in the survey, misperceptions about the current benefit provided by electronic health records fuel the rosy view among health plan executives. Somewhat surprisingly, 54% of physicians believed that EHRs have everything that physicians need. However, 70% of physicians also did not see a clear link between EHRs and improved patient outcomes. The disconnect is not easily explained by the survey results, but a quick scan of common complaints voiced elsewhere supports the lack of connection for improving care.

Searching for a silver lining though, the fact that over half of physicians think that EHRs already have everything that is needed shows the remaining capability. As EHRs are slowly refined and modified to fit within practice workflows, the benefit for value based care should become more readily apparent. A common talking point is that technology takes multiple iterations before it begins to approach promised usability. EHRs, a digital technology, are no different from the technical perspective, but not in the use perspective. While people complain if their iPhone or other modern device does not perform as advertised at first, the medical industry cannot afford to have tools that impede or subvert practice.

Ultimately, the Quest/Inovalon survey is hopeful. Views of value based care and the supporting role that health IT can play are trending upward. Additionally, the views are changing at a measured pace, which suggests that unfounded expectations are hopefully coming down to reality. Dreaming is good, but can cause frustration. It is important to think of the tortoise’s approach that one foot in front of the other at a pace that can be maintained for a long time is often the way to win the race.

Posted in EHR, Health IT, Healthcare, Healthcare Reform | Tagged , , , , | 1 Comment

Communication Breakdown: Fax Failure

55305.jpg-optHealthcare entities have received another warning from the Office for Civil Rights (“OCR”) concerning yet another aspect of HIPAA compliance. OCR’s settlement with St. Luke’s-Roosevelt Hospital Center (“St. Luke’s”) focuses on controlling when and how PHI is released. St.Luke’s disclosure of sensitive PHI, in two instances, turned into a $387,200 fine and settlement.

What exactly happened? That is an interesting question as there is a noticeable difference in detail between the official Resolution Agreement and the description in OCR’s press release.  The Resolution Agreement blandly states that an individual complained following disclosure of sensitive information by St. Luke’s to the complainant’s employer, which information contained HIV, AIDS, and mental health information.  The Resolution Agreement goes on to state that another individual’s records were also faxed to the wrong place and both instances occurred contrary to express instructions from the individuals.

In contrast, the press release provides greater detail as to the type of sensitive information of the complainant’s that was disclosed to the complainant’s employer.  The information contained the items already described as well as information about different types of abuse. As indicated, that information was faxed to the complainant’s employer instead of being mailed to a designated P.O. Box as requested. Further, the other improper transmission occurred prior to the event described by the complainant.

The fact that the second issue occurred first, helps demonstrate why OCR found the incident identified by the complainant more troubling. The chronologically first event involved sensitive information of another individual and happened nine (9) months prior to the complainant’s incident. In the intervening months, St. Luke’s did not to address vulnerabilities and prevent the recurrence of an impermissible disclosure. Clearly, organizations must be careful in how PHI is not only handled but how it is sent out.

However, the settlement raises a number of questions. It is probably a safe bet that PHI is sent to the wrong place all of the time by providers or other covered entities, but fines do not usually follow. Why was St. Luke’s set up as an example? Did the nature of the information involved, i.e. HIV/AIDS, mental health, and abuse, influence the decision? Did the multiple incidents in a nine month period influence OCR in its thinking? Did further incriminating facts exist that were not included in either the Resolution Agreement or the press release? All of those questions will remain unanswered unless St. Luke’s volunteers the information.

In the absence of additional information, examination of the details reports can provide some illumination. The dual heavy emphasis on the PHI being of an especially sensitive nature and being sent to an employer seem to have factored significantly in OCR’s decision to impose an arguably hefty fine. Individuals should be secure in the trust given to healthcare organizations and such trust is especially important when it concerns disclosure of PHI. PHI cannot be sent just anywhere, especially when instructions are provided as to how and where disclosure should be made. Such concerns become heightened when information involves traditionally stigmatized issues.

In light of the somewhat vague nature of the settlement, what takeaways are being imparted? First, requests on how to disclose PHI must be honored. Individuals ask that PHI be sent to specific places for a reason. It is easy to assess that sending very personal information to an employer does not place high on any individual’s list of priorities. Second, sensitive information will result in stricter scrutiny. Such scrutiny arises for the reasons already discussed. Third, OCR continues to cherry pick issues of non-compliance and subsequent violations deriving from the same conduct will likely face worse penalties.

As has often been the case recently, the healthcare industry has been warned. Entities should ignore such warning at their own peril.

Posted in Compliance, Health IT, HIPAA, Regulations | Tagged , , , , | Leave a comment