The e-PHI Conundrum: What Constitutes a Breach?

Twitter icon
Facebook icon
LinkedIn icon
e-mail icon
Google icon

Lisa A. GallagherTucked within the American Reinvestment and Recovery Act (ARRA) of 2009 (intended to jump-start the stalled US economy with an infusion of nearly $1 trillion) was a provision to provide $25.8 billion for modernization of the nation’s health-care information highways and the electronic patient health records traversing them. Toward that end, the US DHHS was authorized to write a number of rules governing how such records were henceforth to be handled by those individuals and organizations creating, storing, and/or disseminating them.

It is now 30 months later, and the DHHS has yet to complete the task—but of the few regulations thus far implemented, the one that seems most responsible for generating complaints of confusion is that pertaining to security-breach notifications.

Lisa A. Gallagher, BSEE, CISM, CPHIMS, is senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). She says, “If you are an entity covered by HIPAA, the new security-breach–notifications rule requires you to inform the patient when there is a breach of his or her information. This rule also requires that, if the breach involves the records of 500 or more individuals, it must be reported both to the patients and to the DHHS. Unfortunately, no one really seems clear about what the threshold of information disclosure is that constitutes a breach, as measured by the amount of risk to the patient that the disclosure poses.”

The DHHS appears not to know, either, as evidenced by the lack of guidance that it has offered on this matter. Some speculate that the DHHS is having difficulty formulating advice that won’t result in patients being notified of disclosures too frequently. “Notification fatigue is a concern here,” Gallagher says. “The DHHS probably would prefer that patients only receive notification of breaches that pose an actual risk of harm; however, there has been a great deal of back and forth on this, with patient-privacy advocates arguing that it’s only patients who can determine whether the risk is serious, and therefore, they should be notified each and every time there is a disclosure, no matter how small the breach.”

The Global ViewKhoi BuiAccording to the NJ HIMSS Security, Privacy and Compliance Taskforce,¹ health-care providers should approach the protection of electronic patient health information (e-PHI) globally, rather than from a traditional, siloed perspective of just one or two departments or areas of operations. Gallagher agrees, and she says that the single most important step that an imaging center or imaging provider can take to protect e-PHI on a global basis is periodically to conduct a comprehensive, organization-wide security-risk analysis.

Such an analysis can be performed either as a do-it-yourself exercise or under the auspices of a hired consultant. “The right approach depends on the organization,” Gallagher says. “Some have the expertise for it internally. Others don’t, and therefore, they should seek outside help, but by whatever means the analysis is conducted, it must involve looking everywhere for disclosure breaches.”

This, she says, must be followed by the ongoing monitoring of employee behavior and, when necessary, by retraining errant staffers or imposing sanctions on them. “Culture change is the key,” she says. “Health-care providers need to focus on the idea that protecting patient data is part of caring for the patient.”

Sometimes, breaches that expose patient information to the world are caused by the most innocent behaviors. Gallagher gives as an example communication involving Facebook. “Breaches through Facebook are uncommon, but it’s something that, nonetheless, can happen,” she says. “The reason it can happen is that employees are prone to finding ways of making their job or their workflow easier. For instance, two radiologists consulting on a case might talk about it while socializing with each other on Facebook. Worse, they might be using Facebook not just to interact casually, but to collaborate formally—because, perhaps, the collaboration tools they have at their disposal aren’t working for them, but this one is.”

Along the same lines, even in-office email represents a potential breach point under the new rules. Email has, of course, been subject to HIPAA regulations for many years now, with the requirements that electronic correspondence referencing a patient’s name, address, phone number, or other identifying information be safeguarded