Prescription for Data Protection
This month, security provisions implementing the Health Insurance Portability and Accountability Act (HIPAA) take effect. They are only the latest in a series of implementing provisions, all of which raise complicated legal issues that companies must understand if they are to avoid liability for noncompliance. These issues include how to know when security measures are sufficient under the risk analysis and risk management sections of the regulation and how to respond when law enforcement demands patient information that the privacy regulation protects.
Sufficient security. Under the final security regulation, a company covered by HIPAA must ensure the confidentiality, integrity, and availability of all electronic protected health information that it creates, receives, maintains, or transmits. The regulations do not distinguish among types of information, between routine appointment schedules and drug-screening results, for example. For all types of electronic information, companies are charged with protecting against any unauthorized disclosures or other reasonable threats or hazards to the security or integrity of such information.
HIPAA does not require companies to absolutely protect against every risk. Further, the security regulation allows companies to choose cost-effective security measures by balancing their costs against the losses expected if such measures were not in place.
Risk assessment. The first step toward compliance is a risk assessment. The regulations require that companies perform a proper risk analysis to identify the potential risks to the confidentiality, integrity, and availability of the electronic protected health information they control.
After risks and threats are identified, the question becomes how to take steps legally sufficient to protect against these “reasonably anticipated” threats, hazards, and improper uses or disclosures.
Reasonable steps. Each organization must determine for its unique set of circumstances what specific steps would be reasonable and appropriate. These measures must be documented and kept current.
The rule offers possible solutions, called “addressable specifications.” They include specific technologies, such as encryption, or specific procedures, such as access control. The statute notes that if implementing an addressable security measure is not reasonable, the company must document why the measure recommended in the HIPAA regulation would not be reasonable or appropriate in its circumstances, and then either implement an equivalent alternative measure or explain why nothing is needed.
In other words, an addressable specification can result in one of three actions by the company: implementing the specification, implementing a substitute security measure, or not implementing any security measure because none is necessary. However, each action must be backed by documentation explaining why that course was selected.
For example, the transmission security standard requires companies to make sure that sensitive information that a patient might not want revealed is given extra protection. The standard does not specify any particular remedy; it does not mandate that a company use encryption in a specific circumstance, for instance, though it lists encryption as one possibility.
A company transmitting electronic health information consisting of AIDS test results over the Internet should find, after a thorough risk analysis, that encryption is reasonable and appropriate under the transmission security standard. Another company transmitting appointment reminders for noncelebrity podiatry patients may find that encryption is not necessary.
A company does not have to adopt every possible security measure to protect against every imaginable harm. Rather, it should devote its resources to protecting primarily against risks that carry a high probability of occurring and that would cause a high degree of damage if they did occur.
Putting all of this information together, a company should know that it has selected reasonable and appropriate security measures based on a good risk analysis of reasonably anticipated threats. However, the security regulation is not an absolute protection rule, a best available technology rule, or a best practices rule.
More instructive guidance will come only by observing trends in future litigation. Meanwhile, a few early lessons can be learned from the ways in which some organizations have implemented HIPAA security standards.
One example is the Alabama Department of Health and Mental Retardation. Because of the sensitive information it held, the organization knew it needed to implement security policies for a high-risk environment. The department implemented encryption to protect the transmission of data and took steps to prevent disclosure of patient medical histories.
The department also had to protect patient names. Under Alabama law, which HIPAA does not preempt, a healthcare provider cannot divulge the identity of a mental-health patient.
Some overall changes were made to existing policy. For example, the department tightened the access to patient data by allowing it only on a need-to-know basis. Additionally, the organization drafted a policy to prevent patient information from being inadvertently posted on the Internet or sent out in company e-mail.
The department drafted a data backup plan, a policy to protect client records, and a plan on how to respond to security breaches. To meet the requirement that all policies be kept up to date, the department developed internal audit controls.
In addition, when the department conducted its risk assessment, it found that the use of cell phones created a vulnerability. The phones were not secure and sometimes patient information was transmitted through them.
In searching for a solution, the organization considered banning cell phones. However, in some circumstances, such as in the case of field trips for the patients, the cell phones are the only way for the staff members to communicate in case of an emergency.
The department’s policy now says that cell phones are not to be used except in certain circumstances, such as field trips, and that staff members cannot mention restricted information such as a patient’s name unless there is an emergency. For example, if a patient falls ill on a field trip, it is critical for the staff member in charge to contact the department and obtain medical records on the patient to provide the best care.
Another issue was that of laptop computers. Many clinicians use laptops, and the department required these users to follow company security policy when using their personal machines.
The policies require that users log off or use a password-protected screen saver if they leave the computer unattended. They also prohibit leaving laptops in unsecured areas and require that staff use encryption on laptops.
Another risk the department analyzed was group therapy. In group therapy, patients, under the supervision of a clinician, discuss their mental health or substance abuse problems with other patients with similar problems. This type of therapy carries a substantial risk of breach of confidentiality because other patients may discuss what was said during the session.
The department cannot absolutely control what its patients may divulge, but it developed a new policy to reduce the risk. The department implemented several new measures to protect client privacy. For example, each patient in group therapy must now sign a consent form. It emphasizes that the department cannot guarantee patient confidentiality.
The clinician now begins and ends each session with the reminder that what is said in the group stays in the group. In addition, the department posted signs in therapy areas emphasizing the private nature of the sessions and that patients must not disclose anything said in the sessions.
Disclosures. The privacy regulation specifies the situations in which covered entities may use or disclose personal health information without any form of consent from the individual. Several of these situations involve disclosure to law enforcement authorities.
The statute allows companies to disclose protected health information for a law enforcement purpose to a law enforcement official under certain specified conditions. For example, companies must report certain types of wounds or physical injuries, such as gunshot wounds. In addition, requested information must be given in compliance with a court order, a warrant, a judicially issued or grand-jury subpoena, or an administrative subpoena or summons.
Also, information must be given for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. However, in these cases, only certain information, such as blood type and distinguishing physical characteristics, is authorized.
Other instances in which covered entities must provide protected information include when they are asked about victims of a crime, for information on next of kin, for details about a crime on the company’s premises, or for other data necessary to report crime in emergencies.
Each of these categories has detailed criteria that must be met. Plus, even if all required criteria are met, organizations may not release the information if another law, either state or federal, prohibits the disclosure or requires something more, such as a court order or the patient’s consent.
HIPAA preempts federal or state law that is contrary to the statute unless the federal or state law provides more privacy protection than HIPAA. Examples of such laws include AIDS and HIV confidentiality laws, statutes covering information on sexually transmitted and communicable diseases, mental health confidentiality laws, and alcohol and drug abuse confidentiality laws.
These laws give more privacy protection than does HIPAA because they often require a signed authorization or a signed informed consent, or require a court order rather than a subpoena. They also impose stiff criminal or civil penalties for noncompliance.
This law-enforcement-related disclosure issue may end up being a difficult call for companies, because they may receive requests for information from law enforcement officials who are unaware that their requests violate either HIPAA or other laws. Companies that refuse such requests may face obstruction of justice charges even though they are attempting to follow the law.
For example, in Wisconsin, a nurse was prosecuted for refusing to provide information to law enforcement because of HIPAA. The nurse was charged with obstructing an officer and contempt of court for refusing to allow a sheriff’s deputy to serve a patient with a restraining order.
The nurse based his actions on HIPAA and claimed that he could not release the information because law enforcement officials had neither a written authorization, nor a valid court order, nor the patient’s permission to release it. The case has yet to come to trial.
To address this issue, healthcare providers should consult legal counsel for advice on each case. Law enforcement officials will most likely allow a reasonable amount of time to talk to an attorney for legal advice.
If the company can say that it was following its counsel’s legal advice, it may be more difficult for a U.S. attorney to prove that the action was intended as obstruction of justice or as a “knowing” violation of HIPAA. Companies should also prepare a checklist outlining what can and cannot be done when law enforcement requests a disclosure, and have key employees keep it on hand.
The biggest problem for companies that must comply with HIPAA is that they can only guess at the meaning of terms such as “reasonable and appropriate” until court cases set the boundaries. But with a good, well-documented risk analysis, they can be reasonably confident that their security measures are compliant.
Jonathan P. Tomes is a partner at Tomes & Dvorak in Kansas City, Kansas, and a principal of EMR Legal, Inc., a HIPAA consulting firm.