The e-PHI Conundrum: What Constitutes a Breach?

Tucked within the American Reinvestment and Recovery Act (ARRA) of 2009 (intended to jump-start the stalled US economy with an infusion of nearly $1 trillion) was a provision to provide $25.8 billion for modernization of the nation’s health-care information highways and the electronic patient health records traversing them. Toward that end, the US DHHS was authorized to write a number of rules governing how such records were henceforth to be handled by those individuals and organizations creating, storing, and/or disseminating them. It is now 30 months later, and the DHHS has yet to complete the task—but of the few regulations thus far implemented, the one that seems most responsible for generating complaints of confusion is that pertaining to security-breach notifications.

Lisa A. Gallagher, BSEE, CISM, CPHIMS, is senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). She says, “If you are an entity covered by HIPAA, the new security-breach–notifications rule requires you to inform the patient when there is a breach of his or her information. This rule also requires that, if the breach involves the records of 500 or more individuals, it must be reported both to the patients and to the DHHS. Unfortunately, no one really seems clear about what the threshold of information disclosure is that constitutes a breach, as measured by the amount of risk to the patient that the disclosure poses.”

The DHHS appears not to know, either, as evidenced by the lack of guidance that it has offered on this matter. Some speculate that the DHHS is having difficulty formulating advice that won’t result in patients being notified of disclosures too frequently. “Notification fatigue is a concern here,” Gallagher says.
“The DHHS probably would prefer that patients only receive notification of breaches that pose an actual risk of harm; however, there has been a great deal of back and forth on this, with patient-privacy advocates arguing that it’s only patients who can determine whether the risk is serious, and therefore, they should be notified each and every time there is a disclosure, no matter how small the breach.”

The Global View

According to the NJ HIMSS Security, Privacy and Compliance Taskforce,¹ health-care providers should approach the protection of electronic patient health information (e-PHI) globally, rather than from a traditional, siloed perspective of just one or two departments or areas of operations. Gallagher agrees, and she says that the single most important step that an imaging center or imaging provider can take to protect e-PHI on a global basis is to conduct a comprehensive, organization-wide security-risk analysis periodically. Such an analysis can be performed either as a do-it-yourself exercise or under the auspices of a hired consultant. “The right approach depends on the organization,” Gallagher says. “Some have the expertise for it internally. Others don’t, and therefore, they should seek outside help, but by whatever means the analysis is conducted, it must involve looking everywhere for disclosure breaches.” This, she says, must be followed by the ongoing monitoring of employee behavior and, when necessary, by retraining errant staffers or imposing sanctions on them. “Culture change is the key,” she says. “Health-care providers need to focus on the idea that protecting patient data is part of caring for the patient.”

Sometimes, breaches that expose patient information to the world are caused by the most innocent behaviors. Gallagher gives as an example communication involving Facebook. “Breaches through Facebook are uncommon, but it’s something that, nonetheless, can happen,” she says.
“The reason it can happen is that employees are prone to finding ways of making their job or their workflow easier. For instance, two radiologists consulting on a case might talk about it while socializing with each other on Facebook. Worse, they might be using Facebook not just to interact casually, but to collaborate formally—because, perhaps, the collaboration tools they have at their disposal aren’t working for them, but this one is.”

Along the same lines, even in-office email represents a potential breach point under the new rules. Email has, of course, been subject to HIPAA regulations for many years now, with the requirements that electronic correspondence referencing a patient’s name, address, phone number, or other identifying information be safeguarded and that providers have in place an information-storage strategy for that purpose. In Gallagher’s view, the potential for an email breach is yet another reason for periodically conducting security-risk assessments at the global level. “What can happen,” she says, “is that an organization has a certain framework and tools that it put in place for information exchange, but you cannot make the assumption that every employee is following and staying within that framework. When you do an internal audit, you often are surprised to find that information is being used or shared outside of that set of rules or framework.”

Among the e-PHI regulations not yet finalized is one that will eventually oblige providers to maintain a log of information-disclosure incidents. “HIPAA already has an accounting-of-disclosures requirement,” Gallagher says, “but it allowed that certain types of disclosure incidents did not have to be reported—mainly those of a routine nature occurring in the course of treatment, payment, and operations.
Now, however, the Health Information Technology for Economic and Clinical Health section of the ARRA will require logs to show every disclosure, even those arising out of treatment, payment, and operations. The purpose of that is to allow the patient to know to whom his or her data were disclosed over a named period of time.”

The confusing part of this draft rule² derives from the proposed requirement that patients also be permitted to learn the identity of specific individuals within the organization who were able to access the information. As the rule is now envisioned, “Providers will be obliged to keep a record of when and how many times a physician, nurse, radiologic technologist, or laboratory person looks at—technically, uses—the patient’s data as part of routine care,” Gallagher says.

HIMSS was one of a number of industry organizations that planned to give the DHHS an analysis of the good, bad, and ugly about this and other proposed regulations during the public comment period, which ended August 1.

Rich Smith is a contributing writer for
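Two of the requirements the article describes lend themselves to a concrete audit-log design: the breach-notification rule (patients are told of every breach, and the DHHS is also told when 500 or more individuals are affected) and the accounting-of-disclosures log, where the original HIPAA rule let routine treatment, payment, and operations (TPO) disclosures be left out of a patient's accounting, while the draft HITECH rule calls for every disclosure and every internal use to be recorded, with the individual who touched the record identified. The following is an added example written for this article; it is not HIMSS code or any vendor's product. It assumes a simple in-memory log, and the record layout, role names, purpose codes, and sample entries are all constructed for illustration. A production system would write such records to tamper-evident storage rather than a Python list.

```python
"""Added example: an accounting-of-disclosures log for e-PHI access.

Illustrative code written for this article (not HIMSS's or any vendor's
software). The record layout, role names, purpose codes and sample log
entries below are constructed assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, date
from typing import Dict, List

# Purposes that the original HIPAA accounting rule allowed providers to
# leave out of a patient's accounting: treatment, payment, operations.
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Under the breach-notification rule the DHHS must also be notified when
# the breach involves 500 or more individuals (figure from the article).
DHHS_REPORTING_THRESHOLD = 500


@dataclass(frozen=True)
class AccessRecord:
    when: datetime
    patient_id: str
    actor: str       # identity of the staff member who touched the record
    role: str        # e.g. "physician", "radiologic technologist"
    action: str      # "use" (viewed in-house) or "disclose" (sent outside)
    recipient: str   # outside party for a disclosure, "" for an internal use
    purpose: str     # "treatment", "payment", "operations", or another purpose


def in_period(rec: AccessRecord, start: date, end: date) -> bool:
    """True if the record falls within the patient's requested date range."""
    return start <= rec.when.date() <= end


def accounting_pre_hitech(log: List[AccessRecord], patient_id: str,
                          start: date, end: date) -> List[AccessRecord]:
    """Original HIPAA accounting: disclosures only, routine TPO excluded."""
    return [r for r in log
            if r.patient_id == patient_id and in_period(r, start, end)
            and r.action == "disclose" and r.purpose not in TPO_PURPOSES]


def accounting_hitech(log: List[AccessRecord], patient_id: str,
                      start: date, end: date) -> List[AccessRecord]:
    """Draft HITECH accounting as the article describes it: every disclosure
    (TPO included) and every internal use, each naming the individual."""
    return [r for r in log
            if r.patient_id == patient_id and in_period(r, start, end)]


def notification_duties(affected_patient_ids: List[str]) -> Dict[str, object]:
    """Who must be told about a breach under the notification rule.

    Patients are notified whenever any record was breached; the DHHS is
    notified as well once the count of distinct individuals reaches the
    500 threshold. (Whether the disclosure rises to a 'breach' at all is
    the risk judgement the article says remains unsettled.)
    """
    n = len(set(affected_patient_ids))
    return {"individuals": n,
            "notify_patients": n > 0,
            "notify_dhhs": n >= DHHS_REPORTING_THRESHOLD}


# Constructed sample log: one patient of interest ("P-1001") plus one other.
SAMPLE_LOG = [
    AccessRecord(datetime(2011, 6, 1, 9, 5), "P-1001", "dr.lee", "physician",
                 "use", "", "treatment"),
    AccessRecord(datetime(2011, 6, 1, 9, 40), "P-1001", "tech.ng",
                 "radiologic technologist", "use", "", "treatment"),
    AccessRecord(datetime(2011, 6, 2, 14, 0), "P-1001", "billing.ro",
                 "billing clerk", "disclose", "ACME Health Plan", "payment"),
    AccessRecord(datetime(2011, 6, 10, 11, 15), "P-1001", "dr.lee", "physician",
                 "disclose", "Outside Imaging Group", "research"),
    AccessRecord(datetime(2011, 7, 3, 8, 0), "P-1002", "dr.lee", "physician",
                 "use", "", "treatment"),
]

# The accounting period a patient might request (constructed).
JUNE_2011 = (date(2011, 6, 1), date(2011, 6, 30))


if __name__ == "__main__":
    print("Pre-HITECH accounting for P-1001 (disclosures, TPO excluded):")
    for r in accounting_pre_hitech(SAMPLE_LOG, "P-1001", *JUNE_2011):
        print(f"  {r.when:%Y-%m-%d} disclosed to {r.recipient} ({r.purpose})")
    print("HITECH accounting for P-1001 (every use and disclosure):")
    for r in accounting_hitech(SAMPLE_LOG, "P-1001", *JUNE_2011):
        print(f"  {r.when:%Y-%m-%d} {r.action} by {r.actor} [{r.role}], "
              f"purpose={r.purpose}")
    print(notification_duties(["P-1001", "P-1002", "P-1001"]))
```

Run against the constructed log, the pre-HITECH report for P-1001 lists a single entry (the non-TPO research disclosure), whereas the HITECH report lists all four June records, including the two in-house views by the physician and the technologist that the draft rule would require patients to be able to see. The `notification_duties` helper deliberately counts distinct individuals rather than records, since one patient whose data appears in many leaked rows still counts once toward the 500 threshold.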