At a glance…
Compromising resident data (health, insurance, and financial) could result in undetected identity theft. Policies must be developed and enforced to guard Protected Health Information.
Nearly all long-term care provider organizations use one or more computer systems to support their clinical and business operations. Indeed, all nursing facilities are required to encode and transmit sensitive personal health data for all residents using the Minimum Data Set (MDS); all home health agencies must encode and transmit similar information for all Medicare residents using the OASIS system. Nearly all providers must encode and transmit claims and financial data, often required by payors and state regulatory agencies. Compromise of these data to unscrupulous parties invites identity theft that would be very difficult to detect and correct.
If the data that leads to such theft came from a computer controlled by an organization or a business partner, there are now severe consequences for the organization, and for the business partner! A new act packaged with the stimulus bill specifies the notification requirements and the penalties for breaches, and extends the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to business partners. The act also provides a safe harbor if organizations take specific precautions.
To protect everyone whose medical/health records are stored on computers, the Health Information Technology for Economic and Clinical Health (HITECH) Act of the American Recovery and Reinvestment Act of 2009 (ARRA), commonly referred to as the stimulus bill, requires notification of all parties whose information has been compromised by unauthorized release. If the entities subject to the regulations apply the technologies and methodologies specified by the National Coordinator for Health Information Management and the Centers for Medicare & Medicaid Services, they will not be required to provide the notifications otherwise required by the regulations in the event the information is breached. The reason for not requiring notification is simple: the data will be in a form that is unusable, unreadable, or indecipherable to unauthorized parties through encryption and other safeguards. The standards for encryption are those consistent with the National Institute of Standards and Technology (NIST). NIST has published the Guide to Storage Encryption Technologies for End User Devices. A second methodology is to destroy the paper or electronic media in a manner such that Protected Health Information (PHI) cannot be read or reconstructed. Destruction should be performed using techniques consistent with NIST standards. NIST has published Guidelines for Media Sanitization. Both documents are available for free download from NIST at http://www.nist.gov/index.html.
If a breach occurs of data that has not been secured as above, the covered entity must notify all affected individuals not later than 60 days after the breach is discovered. If more than 500 individuals' PHI has been compromised, the media and the Secretary of the Department of Health and Human Services (HHS) must also be notified of the breach. If the breach is caused by a business partner, the covered entity must still make the notifications. Clearly, complying with the encryption and destruction standards would save providers massive complications.
PHI must be secured both at rest and in use. Remember that the definition of PHI includes data on paper that is stored or created electronically. Data in use includes access by users and transmission to other entities. Data breaches could consist of breaking into the computer network; unauthorized viewing of PHI; losing or having stolen a laptop, thumb drive, or PDA; interception of data on an unsecured wireless network; misplacing backup media; an e-mail or fax going astray; and any number of other scenarios. To mitigate risk, PHI must be secure at all times. The HITECH Breach Rules were effective September 23, 2009. The text of the HHS rule is available at http://edocket.access.gpo.gov/2009/E9-9512.pdf. HHS has said it will not enforce sanctions for noncompliance until 180 days after the publication of the rule (August 24, 2009). Breaches discovered after the September 23 date must result in notification of affected individuals.
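The two ideas above, PHI that is "unusable, unreadable, or indecipherable" to whoever finds a lost device, and the notification duties that follow when it is not, can be made concrete in code. The following Go program is an added example written for this article, not code from the article or from any LTC vendor. It encrypts a constructed sample record with AES-256-GCM (an AEAD mode specified in NIST SP 800-38D) as a stand-in for the NIST-consistent storage encryption the safe harbor calls for, shows that the stored blob cannot be decrypted with any other key and that tampering is detected, and encodes the notification rule from the text (individuals within 60 days; HHS and the media when more than 500 individuals are affected). The names `Seal`, `Unseal`, `BreachDuties` and the sample record are assumptions of this example. The key must live somewhere other than the device holding the ciphertext; a laptop lost with both the encrypted disk and its key on it gains nothing from this scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SamplePHI is a constructed record for the demonstration; it is not real resident data.
const SamplePHI = "Resident: J. Doe; DOB: 1941-03-02; MRN: 000123; Dx: CHF"

// NewKey draws a 256-bit AES key from the operating system's CSPRNG.
// In practice the key is held in a key store separate from the stored data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A fresh random 96-bit nonce is used per call so the same key may protect many records.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and authentication tag to the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Unseal reverses Seal. It fails for a wrong key or for any modified byte,
// which is what makes the stored blob "indecipherable" to an unauthorized holder.
func Unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short to contain a nonce")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// NotificationDuties summarizes who must be told after a breach, per the rule above.
type NotificationDuties struct {
	NotifyIndividuals bool // affected individuals must be notified
	DeadlineDays      int  // days after discovery; 0 when no duty applies
	NotifyHHSAndMedia bool // HHS Secretary and the media must also be notified
}

// BreachDuties applies the rule: secured PHI (encrypted or destroyed to the
// NIST-consistent standards) triggers no notification; otherwise individuals are
// notified within 60 days, and HHS plus the media when more than 500 are affected.
func BreachDuties(secured bool, affected int) NotificationDuties {
	if secured {
		return NotificationDuties{}
	}
	return NotificationDuties{
		NotifyIndividuals: true,
		DeadlineDays:      60,
		NotifyHHSAndMedia: affected > 500,
	}
}

func main() {
	key, _ := NewKey()
	blob, _ := Seal(key, []byte(SamplePHI))
	fmt.Printf("stored blob (%d bytes) is opaque without the key: %x...\n", len(blob), blob[:8])

	otherKey, _ := NewKey()
	if _, err := Unseal(otherKey, blob); err != nil {
		fmt.Println("finder of the lost device, without the key, gets:", err)
	}
	fmt.Printf("duties if that blob were unencrypted and 650 residents affected: %+v\n", BreachDuties(false, 650))
	fmt.Printf("duties when the blob is encrypted to standard: %+v\n", BreachDuties(true, 650))
}
```

The program runs stand-alone with `go run`; the authenticated (GCM) mode matters because plain encryption without integrity would still let a modified record be decrypted and acted on silently.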
Applied to LTC computer systems
The HITECH Act does not require encryption of PHI. However, it does require notification if breached data was not strongly encrypted or destroyed in compliance with the specified standards. Meeting these safe harbor provisions through the covered entity's computer systems and security practices provides cover from severe civil monetary penalties. Willful neglect (newly introduced in the HITECH Act) carries up to a $1.5 million penalty. The following considerations should be addressed by organizations that wish to take advantage of the safe harbor provision.
Today's nursing home and home care information technology (IT) approaches encompass several alternative architectures, often more than one in a single facility. Some are based on very old (in data processing terms) technology that may not be capable of meeting the specified encryption standards. Other, newer technology may introduce different risks, since data is constantly in motion and is at rest outside the facility or agency. Administrators and IT staff must assess the risks of their systems, plan for mitigation, and ensure business associates do their part. Taking advantage of the safe harbor provision may require changes in operations and possibly replacement of components or whole systems.