Privacy advocates worry that as patient records move from paper to the digital environment, security breaches will occur more frequently and affect more patients. 

The American Recovery and Reinvestment Act of 2009, popularly known as the stimulus bill, contained several provisions encouraging adoption of electronic medical records.  Many health policy experts support health information technology, believing that electronic health records will enhance quality of care (through minimizing medication errors and creating opportunities for greater continuity of care) and decrease administrative costs. Along with these benefits, however, is a growing risk of privacy breaches.

Breaches affecting millions of individuals have plagued the financial sector in recent years, raising the threat of identity threat.  Security breaches of electronic health records could be even more devastating, risking public disclosure of sensitive personal information as well as misuse of financial information contained in the record.  Therefore, the stimulus bill, in addition to providing incentives for adoption of electronic medical records, also contained additional privacy protections.

Previously, the confidentiality of medical records was protected under state law, and also by the security and privacy standards under the Health Insurance Portability and Accountability Act (HIPAA).  HIPAA applies to most health care providers,[1] health plans and health care clearinghouses, and requires that covered entities prevent unauthorized disclosure of individuals' protected health information (PHI), and protect the security, integrity and availability of electronic PHI.  If an individual's PHI was improperly disclosed, HIPAA required that the covered entity mitigate harm caused by the breach, but did not require that the individual be notified.  Most state laws also did not mandate that patients be notified of confidentiality breaches.  Many states do, however, require notification of security breaches of electronic information including data that can give rise to identity theft (such as the social security number), and depending on the circumstances, some breaches of patient information could come under those laws.

The provisions of the stimulus bill intended to enhance protection of the privacy and security of health records are contained in Title XIII, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act.   Among other new safeguards, the HITECH Act requires that health care providers covered by HIPAA, health plans and health care clearinghouses must notify patients when there is a breach of unsecured PHI.  The breach notification requirements were technically in effect starting September 23, 2009, but the Department of Health and Human Services (HHS) has announced that it will not impose sanctions on HIPAA covered entities until after February 22, 2010[2].  This gives health care providers additional time to develop procedures to assure reporting of breaches as required.

The main features of the breach notification requirement are:

• § It applies only to breaches of unsecured PHI. PHI in paper form is considered "secured" only if it is physically destroyed (shredded), but electronic PHI is secure if it has been encrypted and the encryption key is kept on another device. So if a laptop, PDA or flash drive containing PHI is lost, but the PHI was encrypted, patient notification is not required.
• § It is not considered a "breach" if PHI is unintentionally accessed by or disclosed to a person who is ordinarily authorized to access PHI, and the PHI is not further disclosed. An example of this is a physician inadvertently accessing a record of the wrong patient, if the physician closes the record when the error is realized.
• § Notification is required only if the breach of PHI "poses a significant risk of financial, reputational or other harm to the individual."[3] If a breach of unsecured PHI has occurred, the provider must perform and document a risk assessment showing that relevant factors were considered. For example, if the only PHI disclosed was the patient's name, then the only personal information disclosed is that the individual was treated by that health care provider. If the provider is an internist, the risk of reputational harm may be limited, but if the provider is a psychiatrist, the risk is greater. If the internist lost a PDA containing not only unencrypted patient names, but also diagnoses, the risk of reputational harm is greater. If the PDA contained patient social security numbers, there is a risk of financial harm. The provision in HHS's rules requiring notification only if there is a significant risk of harm is controversial, and some privacy advocates are seeking legislation to eliminate this exception.
• § If notification is required, the patient must be notified directly. Also, if the breach involved more than 500 residents of a state, a notice must be published in a local newspaper.
• § HHS must also be notified of breaches of PHI: immediately, if the breach involved more than 500 individuals, or annually for smaller breaches.

If a patient must be notified of the breach, the notice must describe what occurred, what information was affected, how individuals can protect themselves from potential harm resulting from the breach, what the covered entity is doing to investigate and prevent future breaches, and contact procedures to get additional information.  When contact information for more than ten patients is inadequate or out of date, so that actual notice cannot be given, then notice must be posted on the covered entity's website or published in the local newspaper, and must contain a toll-free number for patients to get additional information.

These provisions will likely pose great compliance challenges for health care providers.  First, ignorance is not bliss when it comes to privacy breach notifications.  Providers are deemed to have knowledge of a privacy breach when the provider would have become aware of the breach, if the provider were exercising reasonable diligence.  Since notice must be given within 60 days of the date that the provider actually learns of the breach, or should have known of it.  Second, when the breach involves large numbers of individuals, giving the required notice will be expensive.  The costs will involve not only the expense of mailing the notice, but also having staff available to respond to calls from patients requesting additional information.  Finally, the adverse publicity resulting from a large breach that requires media notification is potentially very damaging to the provider's reputation.

For all of us as patients, however, the breach notification law may be an important protection.  California has had a law requiring notification of breaches of health information, and that may account for why privacy breaches frequently come to light in that state.  Even with the best security, problems can arise - but if the breach notification law motivates providers to improve protections of confidential information, that will benefit us all.

[1] Health care providers are covered under the HIPAA Privacy Standards if they submit electronic claims for health care services.

[2] HHS published its interim final rule on the breach notification requirement on August 24, 2009 (74 Fed. Reg. 42740).

[3] 45 C.F.R. § 164.402.

About the Author

Patricia King is a health care attorney in Illinois, and principal of the web-based business Digital Age Healthcare LLC (http://www.digitalagemd.com/).