If healthcare reimbursement is to rely on patient data, providers must take care to protect information from breaches.
“Who’s going to hack our data?” — I fielded this question recently from a care provider at a medical and dental practice where I serve as chief compliance officer, in addition to my full-time position as executive director of the Electronic Health Network Accreditation Commission (EHNAC).
No doubt the provider was thinking about the data breaches at Anthem, Premera Blue Cross, and Excellus Health Plan, as well as other major breaches in the first 9 months of 2015, which together affected an eye-popping 109 million individuals.1 While those breaches certainly made huge headlines, the theft, loss, unauthorized disclosure, or hacking of patient data is reported almost daily to the Office for Civil Rights (OCR), the federal agency charged with compiling and publishing data on breaches that affect 500 or more individuals.2
“If you don’t protect your data, you may not have a practice,” I replied to the physician. I explained that a single significant breach affecting the data of more than 500 patients requires reporting to the OCR and local media, and would potentially subject the practice to significant fines, as well as erosion of patient trust and credibility with shareholders.
After hearing all of this, the physician quickly understood the importance of data security. “You’re right,” is all he said.
BREACHES ARE BECOMING WIDESPREAD
Six major breaches of more than 1 million records each accounted for the lion’s share of affected records. However, an additional 200 breaches reported to OCR during the first 9 months of 2015 hit more than 3.6 million patient records.1 The breached entities included a nursing home, a cancer center, a dentist, and medical practices in urology, neurology, radiology, and anesthesiology. Business associates were affected, too, including several billing practices and an attorney. Medical Informatics Engineering, an IT software development firm, reported a breach of 3.9 million records in July.
Why are breaches so widespread? The emergence of electronic medical records and the increasing use of electronic means to transmit and share data allow providers, health plans, payers, and others to share critical patient data and make better care decisions, but every new connection is also an additional entry point for criminals.
According to the Ponemon Institute’s 5th annual privacy and security report, criminal attacks are the primary cause of data breaches in healthcare. Breaches have been reported by 90% of healthcare organizations and 60% of their business associates.3 Since 2010, nearly 8 in 10 healthcare organizations have reported more than one breach.3
On the black market, a credit card record is worth $1. However, because a medical record contains a wealth of personal information that can readily be used to commit medical fraud, each of these records commands between $5 and $10.
GREAT PROMISE IN USING DATA, BUT HIGH STAKES
For providers of any size, the stakes for safeguarding data have never been higher. Even solo practitioners use patient portals and mobile apps, contract with business associates, and participate in health information exchanges, accountable care organizations (ACOs), and other initiatives in which data sharing is crucial to understanding and interacting with patients and with other information sources such as labs, pharmacies, and hospitals.
Make no mistake: the ready exchange of patient data helps providers make quicker, more informed diagnoses; helps patients avoid unnecessary scans and lab tests; and gives the myriad caregivers who interact with a patient a place to collaborate and to coordinate care. But breaches, intentional or unintentional, can occur at each of these data exchange touchpoints, wherever data crosses from one system or organization to another.
The fear of a major data breach has elevated the roles of chief information security officer and chief privacy officer, many of whom now report directly to their entity’s governing board. Even smaller organizations and practices should have a compliance officer who can put policies, procedures, and controls in place; conduct annual risk assessments; and minimize the risk of a breach. Smaller organizations can use a third-party compliance officer who is well versed in healthcare.
To understand the promise of coordinated care, look no further than the Rio Grande Valley ACO in Texas, which concentrates its efforts on patients with diabetes. In the Rio Grande Valley, nearly 30% of people live with some type of diabetes, a rate 3 times the national average.
Jose F. Pena, MD, CEO and chief medical officer for the ACO, credits a coordinated care approach that optimizes its electronic health record (EHR) system to enable care team members to use pop-up reminders to track such patient measures as glycated hemoglobin, low-density lipoprotein cholesterol, blood pressure, smoking status, and the use of anti-platelet therapy. This coordinated approach modestly improved individual quality measures but dramatically improved compliance with all 5 quality measures (blood pressure, lipids, glucose, aspirin use, and tobacco avoidance), moving from the national average compliance rate of 23% in the first year to 48% in the second. A success such as this depends on sharing patient data across the care team, which underlines the importance of getting data security right.
HOW THE INDUSTRY IS RESPONDING
A hospital may use up to 150 information technology systems, many of which need to interact and interface with other systems to push or pull data or compile reports. No hospital has a fully integrated system from a single vendor, so data leakage can occur at the junctures between systems.
As the industry moves from fee-for-service to fee-for-value, interoperability among disparate IT systems has become critical. True interoperability can plug many of the data leakage holes, because it replaces ad hoc point-to-point interfaces, each of which is a separate and often unreviewed path for data to leave a system, with standard, well-understood ones. The CommonWell Health Alliance has been working since 2013 to create interoperability among major EHR systems. Member organizations represent 70% of the acute care EHR market and 24% of the ambulatory care market. Carequality, a public/private collaborative, was formed in 2015 with a similar aim.
The EHNAC/Direct Trusted Agent Accreditation Program (DTAAP) allows accredited health information service providers (HISPs) to send authenticated, encrypted health information by e-mail directly to known, trusted recipients over the Internet. DTAAP meets Meaningful Use Stage 2 standards. Two accredited HISPs can transmit information to one another with confidence, knowing that sensitive data is protected in transit and that each side has been vetted.
The nonprofit Health Level Seven International has developed what it calls a next-generation standards framework: FHIR (Fast Healthcare Interoperability Resources). FHIR is still being vetted but is seen as an emerging standard for the development of interoperable healthcare technology. Truly interoperable systems have fewer data leakage concerns.
Many organizations are specifying accreditation against EHNAC standards for vendors and business associates. Our standards are supported not only by federal and state organizations but also by dozens of leading companies in the healthcare industry. Requiring EHNAC accreditation demonstrates a commitment to data security that resonates with organization executives as well as patients, customers, and stakeholders. The Medical Group Management Association and the American Medical Association have created a toolkit for selecting a practice management system that calls for EHNAC accreditation of practice management vendors as a key step and quality assurance check for providers.
CONTINUAL EMPHASIS ON DATA SECURITY
Regulations are constantly changing. Organizations need to evaluate and purchase new software. Employee training on data security and privacy rules is required at least annually and, more importantly, should be ongoing. For these reasons and more, protecting an organization’s data should be a continuing concern, which is why companies have chief privacy and chief security officers. It is also why even the smallest organizations should have someone in charge of data security, even if that someone is a third-party vendor. When possible, specify that the business associates and vendors you work with are accredited to safeguard your sensitive information.
We all are patients and should recognize that the data we protect could be our own.
1. Breaches affecting 500 or more individuals. Department of Health and Human Services Office for Civil Rights Breach Portal website. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Accessed February 12, 2016.
2. Breach notification rule. Department of Health and Human Services website. http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html. Accessed February 12, 2016.
3. Ponemon Institute/MIFA. 5th annual benchmark study on privacy and security of healthcare data. Published May 2015. https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data. Accessed February 12, 2016.