Wall of Shame

Click here for more information

Wall of Shame
(Photo by Sarah G...)

Since 2009, almost 21 million patients have had their medical records stolen, unlawfully disclosed, or just lost, according to the Office for Civil Rights (OCR) of the U.S. Dept of Health and Human Services (HHS). The result is a “wall of shame” (and possible fines) for these healthcare organizations — a wall your organization should avoid getting posted on at all costs.

The wall is a by-product of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 — part of the umbrella of the American Recovery and Reinvestment Act (ARRA). HITECH fulfills a promise made by President Obama with the goal of modernizing portions of the American healthcare system.

During a speech at George Mason University, President Obama said:

“To improve the quality of our health care while lowering its costs, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized. This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests…But it just won’t save billions of dollars and thousands of jobs; it will save lives by reducing the deadly but preventable medical errors that pervade our health-care system.”

There are a number of carrot and stick incentives inside HITECH to encourage rapid adoption of Electronic Health Records (EHR) by hospitals. Due to these incentives, the Congressional Budget Office (CBO) has increased its projected EHR adoption rate from 65% to an estimated 90% among physicians by the year 2019. This increased projection estimate is a direct result of HITECH.

EHR is a fantastic idea, but as with most things digital, ease of use/access within EHRs means that electronic health record information can also be easily copied, stolen or disclosed in an unauthorized manner. So provisions are needed to protect the privacy and security of patient information.

HITECH addresses some of this by giving HHS some enforcement teeth. Via section 13402 of the Act, HHS is required to issue regulations (and possible fines) for breach notification by entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates. Via section 13402(e)(4) of HITECH, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. So, 21 million breaches may be a conservative estimate.

How can you avoid getting your organization on the “wall of shame”? Stay tuned here for a future follow-up with suggestions, or contact us for more information.

4 thoughts on “Wall of Shame”

  1. Dear Lisa, Thank you, this was very useful. In fact the day anneuncoment was made, news mentioned withdrawn and many people who heard that asked me if the rule doesnt apply any more! I had to tell them, IFR is still in effect.If you have noticed the details of breaches which were fined by a state entity, the causes were not just theft or loss of a computer, but more than that. I reviewed three cases and reason i found are eye openers; some examples:1.Policies and procedures not updated: Many of providers policies and procedures were as old as 2003 and not reviewed2.Inability to limit access as per roles: Provider had a system – PCI (patient care Information) – which is considered a PHI system and the privacy officer stated that, their IS personnel told her that they do not have any means of blocking or limiting what information can be accessed once logged in.3.Inadequate safeguards to prevent unauthorized access: The Director of the hospital stated that they decided to audit the access of only i) VIP patient records, ii)patients with unusual diagnoses and iii) patients with “no information” request (patients who requested that their information was kept confidential and not disclosed without their permission). The Director went on to state that, the measures they have would not have discovered what the employee was doing.4.Inadequate Audit logs: Privacy officer stated that she started doing the audit only in June last year and she doesn’t have a schedule of audit in place yet.5.Inadequate alert on unauthorized access: The Director of Clinical Informatics stated that, their computer system do not have a system to alert anyone to inappropriate or unusual access to clinical records.6.Inadequate measures to secure medical records: Director of Informatics stated that, he has not talked to the vendor (who supplies their PHI system), on patient confidentiality, safeguard for records and tracking of unusual activity by users.In fact, none of the entities who were fined, had loss of a computer as a reason for breach, but causes of breach were any of the above or more.What is your take on these cases of california?

  2. Jannett, it’s going to take prosecution and transparency for these types of cases to come to light, and to be rectified. It sounds like multiple people in charge have taken their eye off the ball on these cases to which you refer.

  3. I don’t find this critique to be thhfuotugl or informed. Meaningful use criteria include a number of things than can’t be guaranteed to work out of the box. For instance, Incorporate clinical lab-test results into EHRs as structured data . EMRs do this, they come with lab interfaces. Making it work in practice depends on a cooperative integration effort with the primary labs that service the practice. If a physician practice doesn’t make that effort, or won’t pay for that integration, it is not the fault of the vendor or the regulating agency. How about Implement five clinical decision support rules, including diagnostic test ordering, along with the ability to track compliance with those rules. The type of rules will depend on the practice type, obviously. My clinic might implement automatic reminders to order HgbA1C. An ophthalmology practice would choose differently. The EMR vendors should help to integrate and get these capabilities up to speed. Some will do this better than others. But if a physician practice doesn’t do their part, the vendor and the regulating agency can’t be held responsible, and shouldn’t be.

Leave a Reply

Your email address will not be published. Required fields are marked *