Avoiding the Wall of Shame: Protect PHI


In one of our previous posts, we said that step one in avoiding the “wall of shame” is to identify any Protected Health Information, or PHI, that your organization may have.

Step two is to protect those PHI elements, rendering them unusable, unreadable, or indecipherable to unauthorized individuals.

Isolation of PHI can take several forms. First ask yourself, "Do we really need to collect this? Why?" You might be surprised to learn that the honest answer is "No". The simplest method of isolation is not collecting the data at all.

For those instances where the PHI must be collected, you need to use encryption, and likely more than one mode of it, depending on whether the data is at rest (in a database or on storage media) or in motion (moving between systems). The HHS guidance on what renders PHI "secured" points to National Institute of Standards and Technology (NIST) publications as the reference: NIST Special Publication 800-111 for data at rest, and NIST SP 800-52, 800-77 and 800-113 for data in motion. Those documents are a good starting point for the discussion, and the distinction matters in practice: PHI encrypted in line with that guidance is not "unsecured", so a lost encrypted laptop is not a reportable breach the way a lost unencrypted one is, provided the decryption key was not lost with it.

You can also settle on a consistent method of sharing de-identified equivalents by removing the information that links medical data to a particular individual. A patient chart ID, for example, may be enough to identify a record for a given task without exposing the patient's name and address.

You may find that for most occasions where the PHI itself is not needed for the task at hand, de-identified substitutes will do. While devising those equivalents, ask yourself again whether the de-identified element alone suffices for every task, without collecting the actual PHI behind it.

For example, we have clients who regularly need to share lab data (CD4 counts, HIV viral load, etc.) among healthcare providers. Some of this same data must also be shared with government entities charged with tracking disease progression, statistics, and outbreaks. The community-based organizations (CBOs) need a way to verify the individuals to whom they provide care, while the government entities may only need some basic demographic data about each individual (while still keeping each individual distinct).

For the CBOs, we might use a de-identified client code made up of a few letters of the first and last name combined with the individual's date of birth and gender. The CBOs could then use an agreed-upon method of comparing that client code against physical identification the individual presents at the time of service, perhaps requiring a government-issued ID. Because the code is computed from the person's own name and birth date, two clients can end up with the same code, so the intake procedure needs a rule for resolving such collisions.

For the government entities that need the lab information, we might simply associate an auto-incremented serial number with each individual when the lab and demographic information is passed along, keeping the table that maps serial numbers back to people on our side.
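As an added example (not code from the original post), here is one way to implement the two substitutes just described: the recomputable CBO client code with its intake check, and an auto-incremented serial for the government extract with the re-identification table kept on the sending side. The exact code layout (two letters of each name, date of birth as YYYYMMDD, a one-letter gender code), the fields kept in the government record, and the sample roster are assumptions made for this example, not the author's actual scheme.

```python
import unicodedata
from dataclasses import dataclass
from datetime import date
from itertools import count


@dataclass(frozen=True)
class Patient:
    """One roster entry. Fields and values are constructed for this example."""
    first: str
    last: str
    dob: date
    gender: str       # "M", "F" or "U"
    zip5: str
    cd4: int          # cells/mm3
    viral_load: int   # HIV RNA copies/mL


def _letters(name: str, n: int) -> str:
    """First n ASCII letters of a name, uppercased; accents and punctuation
    are folded away so 'José' and "O'Neil" give the same code every time."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    letters = [c for c in folded.upper() if c.isalpha()]
    return "".join(letters[:n]).ljust(n, "X")


def client_code(first: str, last: str, dob: date, gender: str) -> str:
    """CBO client code (assumed layout): 2 letters of first name, 2 of last,
    DOB as YYYYMMDD, one-letter gender. Deterministic, so a CBO can recompute
    it from the ID a client presents instead of storing name and address."""
    g = gender[:1].upper() if gender else "U"
    return f"{_letters(first, 2)}{_letters(last, 2)}{dob:%Y%m%d}{g}"


def code_for(p: Patient) -> str:
    return client_code(p.first, p.last, p.dob, p.gender)


def verify_presented_id(code: str, first: str, last: str, dob: date, gender: str) -> bool:
    """Intake check: does the code on file match the government ID shown?"""
    return code == client_code(first, last, dob, gender)


def find_collisions(patients):
    """Name-fragment codes are not unique: two people with the same initials,
    DOB and gender share one. Return {code: [patients]} for every clash."""
    by_code = {}
    for p in patients:
        by_code.setdefault(code_for(p), []).append(p)
    return {c: ps for c, ps in by_code.items() if len(ps) > 1}


class SerialMapper:
    """Auto-incremented serials for the government extract. `_lookup` is the
    only way back from a serial to a person; it stays with the sender and is
    never part of what is transmitted."""

    def __init__(self):
        self._next = count(1)
        self._serial_by_person = {}
        self._lookup = {}

    def serial_for(self, p: Patient) -> int:
        # Key on identity, not on the whole record, so updated labs for the
        # same person reuse the same serial.
        key = (p.first.casefold(), p.last.casefold(), p.dob, p.gender.upper())
        if key not in self._serial_by_person:
            serial = next(self._next)
            self._serial_by_person[key] = serial
            self._lookup[serial] = p
        return self._serial_by_person[key]

    def government_record(self, p: Patient) -> dict:
        """What the health department gets: serial, coarse demographics, labs.
        Name, full DOB and ZIP are deliberately absent (assumed field set)."""
        return {
            "serial": self.serial_for(p),
            "birth_year": p.dob.year,
            "gender": p.gender,
            "cd4": p.cd4,
            "viral_load": p.viral_load,
        }


# Constructed sample roster: fictional people, fictional lab values.
SAMPLE = [
    Patient("Maria", "Hernandez", date(1982, 4, 3), "F", "10029", 512, 40),
    Patient("José", "O'Neil", date(1975, 11, 20), "M", "10029", 310, 12000),
    Patient("Mary", "Hendricks", date(1982, 4, 3), "F", "10029", 700, 20),
]


if __name__ == "__main__":
    mapper = SerialMapper()
    for p in SAMPLE:
        print(code_for(p), mapper.government_record(p))
    print("collisions:", sorted(find_collisions(SAMPLE)))
```

Two things the block makes visible. `find_collisions` shows that name-fragment codes are not unique (the two fictional clients born on the same day share `MAHE19820403F`), which is why intake needs a tie-break rule. And `SerialMapper._lookup` is the only path from a serial back to a person, so it belongs in the sender's protected store, never in the extract. Note also that a code built from name letters and a full date of birth is a pseudonym rather than Safe Harbor de-identified data (names and birth dates are both on the Safe Harbor identifier list), so the code itself should still travel under the encryption discussed above.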

The key to PHI isolation and protection is to identify which elements must be collected, with whom they must be shared, and what form that sharing takes.

Need help clarifying, isolating and protecting your PHI data? Give us a call.

Avoiding the Wall of Shame: Identify PHI


In one of our previous posts, we referenced the "wall of shame" maintained by the U.S. Dept of Health and Human Services, which lists organizations that have reported lost, stolen, or improperly disclosed patient records.

What can you do to protect your organization from inadvertently screwing up like this, and making it onto this lineup?

First, know what is worth protecting. In reference to “wall of shame” avoidance, you need to know what constitutes Protected Health Information, or PHI.

What is PHI

PHI, as defined in the HIPAA regulations (45 CFR 160.103, implementing the Health Insurance Portability and Accountability Act of 1996), means individually identifiable health information held or transmitted in any form or medium (electronic, on paper, or shared orally) that meets all of the following criteria:

  • Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and either
    • identifies the individual; or
    • provides a reasonable basis to believe the information can be used to identify the individual.

So, depending upon what service your organization provides, and even possibly where you are located, what you need to protect will vary.

Location, Location, Location

Why would location matter? Take, for example, one of our clients that provides healthcare services to individuals with HIV or AIDS in a dense urban setting where tens of thousands of people live within a single ZIP Code. Inadvertent disclosure of just a five-digit ZIP Code from that area would not, on its own, single out any individual, and so would not by itself amount to a breach of PHI.

Take a similar provider offering HIV/AIDS services in a sparsely populated rural region, and all bets are off: the ZIP Code alone might be enough to identify the person.

The HIPAA Privacy Rule's Safe Harbor de-identification standard (45 CFR 164.514(b)) encodes exactly this concern. It lists ZIP Codes among the identifiers to strip, allowing only the first three digits to be kept, and only when the area covered by those three digits contains more than 20,000 people.

Not sure what to protect? Contact us.

Wall of Shame


Since 2009, almost 21 million patients have had their medical records stolen, unlawfully disclosed, or just lost, according to the Office for Civil Rights (OCR) of the U.S. Dept of Health and Human Services (HHS). The result is a “wall of shame” (and possible fines) for these healthcare organizations — a wall your organization should avoid getting posted on at all costs.

The wall is a by-product of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, enacted as part of the American Recovery and Reinvestment Act (ARRA). HITECH fulfills a promise made by President Obama to modernize portions of the American healthcare system.

During a speech at George Mason University, President Obama said:

“To improve the quality of our health care while lowering its costs, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized. This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests…But it just won’t save billions of dollars and thousands of jobs; it will save lives by reducing the deadly but preventable medical errors that pervade our health-care system.”

There are a number of carrot-and-stick incentives inside HITECH to encourage rapid adoption of Electronic Health Records (EHR) by hospitals and physicians. Because of those incentives, the Congressional Budget Office (CBO) raised its projected EHR adoption rate among physicians by 2019 from 65% to an estimated 90%.

EHR is a fantastic idea, but as with most things digital, the ease of use and access that EHRs provide also means that electronic health record information can be easily copied, stolen, or disclosed without authorization. So provisions are needed to protect the privacy and security of patient information.

HITECH addresses some of this by giving HHS enforcement teeth. Section 13402 of the Act requires HHS to issue breach notification regulations for entities covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates, backed by civil penalties. Section 13402(e)(4) further requires the HHS Secretary to post a list of breaches of unsecured protected health information affecting 500 or more individuals. Only those larger breaches appear on the wall, so the 21 million affected patients cited above is a conservative estimate.

How can you avoid getting your organization on the “wall of shame”? Stay tuned here for a future follow-up with suggestions, or contact us for more information.