
184 posts categorized "HIPAA"

December 07, 2012

Data Breach Analysis 2009-2012 - HITECH Experience Reviewed by HITRUST

In the first three years that the HITECH data breach notification rules have been in effect (September 2009 - September 2012), almost 500 breaches affecting more than 500 individuals have been reported.  As of this spring, over 57,000 data breaches affecting fewer than 500 individuals have been reported.

Courtesy of HITRUST (Health IT Trust Alliance)

The key takeaways:

  • Most data breaches are accounted for by theft or loss (2/3 of breaches, over 4/5 of breached records); the balance are accounted for by unauthorized access or disclosure, incorrect mailing, hacking and improper disposal 
  • Hacks are on the rise, and given the likely underreporting of all breaches and the ease with which theft and loss of devices and records are detected, chances are that security improvement efforts are not being targeted appropriately
  • The weak links for most data breaches are laptops, paper records and mobile media (3/4 of breaches, 2/3 of records); the balance are from desktop computers, network servers and system applications
  • The trend in number of data breaches over time is encouraging, but there have been upticks in late 2011 and early 2012 
  • Hospitals, health plans and business associates are getting better at securing their data over time; physician practices are getting a little worse, particularly smaller practices, which, since they are often linked to community hospital EHRs, expose the hospitals as well
  • Government sector breaches account for a large percentage of the whole (check out the OIG report on CMS data breaches under HITECH for a glimpse of one sliver of this problem)

The full report is worth reading.  Also: see more from HealthBlawg on HIPAA, HITECH and data breaches.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
 

December 03, 2012

Gimme My Damn Data - The ICD Edition

The latest news story to examine the issue of patient access to implantable cardiac defibrillator data (a variation on the theme of “gimme my damn data”) is an in-depth, Page One Wall Street Journal story featuring Society for Participatory Medicine members Amanda Hubbard and Hugo Campos. They have garnered attention in the past – one example is another piece on Hugo on the NPR Shots blog about six months back. The question posed by these individuals is simple — May I have access to the data collected and/or generated by the medical device implanted in my body? — but the responses to the question have been anything but. It is important to note that not every patient in Amanda’s or Hugo’s shoes would want the data in as detailed a format as they are seeking to obtain, and we should not impose the values of a data-hungry Quantified Self devotee on every similarly-situated patient. Different strokes for different folks.

The point is that if a patient wants access to this data he or she should be able to get it. What can a patient do with this data? For one thing: correlate activities with effects (one example given by Hugo is his correlation of having a drink of scotch with the onset of an arrhythmia — correlated through manual recordkeeping — which led him to give up scotch) and thereby have the ability to manage one’s condition more proactively.

We can get copies of our medical records from health care professionals and facilities within 30 days under HIPAA — and within just a few days if our providers are meaningful users of certified electronic health records (it ought to be quicker than that … some day). In some states now, and in all states sometime soon (we hope), we can get copies of our lab results as soon as they are available to our clinicians.

Data from implantable medical devices is not covered by HIPAA until it is sent to the patient’s physician (on a periodic basis and usually in edited form — other data is typically retained by the device manufacturer) and entered into the patient’s medical record. It is, rather, governed by FDA rules, and the recent attention to this issue has prompted an FDA spokesperson to say that it would review a plan to give data directly to patients, but that data should be directed to physicians who can interpret it for patients. This is where the action will be in the future: the FDA could develop a framework to allow sharing of this data directly with patients. (The data is collected wirelessly in patients’ homes from the implantable devices.)

Not surprisingly, earlier this year, a Medtronic exec referred to the data in question here as “the currency of the future.” There is clearly a market for the secondary use of patient data — on a de-identified, or anonymized basis — for a variety of purposes, and this is the “big data” we are all hearing about so much lately. (The HIPAA enforcers at HHS recently released guidance on the de-identification of patient data for secondary use — i.e., use for research purposes.) There is value to be extracted from big data, and the question is: Who owns the value? Who owns the data? Suffering as I do from the professional disability of being a lawyer, I am reminded of Moore v. Regents of the University of California, the 1990 California Supreme Court case that found that Mr. Moore, a cancer patient who sought to share in the profits for the commercial cell line developed from cancer cells in a tumor removed from his body, had no property rights in his discarded body parts. Moore could perhaps be read to support the device manufacturers’ perspective that there is no value in the data coming from the implantable device until it is processed by the manufacturer.

Another perspective would be that each patient has a property right in the data generated by his or her body or implants. There have been a couple of discussions on e-patients.net and elsewhere about the notion of a “green button” or a “rainbow button” that would serve as a mechanism for patients to decide how to share their own data (in those cases, the discussion was focused on EHR data, but the principles ought to be the same here). If I want to share my EHR or device data with all, so that it may be aggregated with other patient data and used in research and the development of evidence-based medicine protocols, then I should be able to do so.  If I want to donate that data gratis, or if I want to see a small license payment collected by an intermediary (a la the Copyright Clearance Center), if I want to permit it to be used with full identifiers, or as a de-identified record, I should be able to do that.

The quest of patients with implanted devices to gain rights to data should not have to be so quixotic. The information in question is subject to a different regulatory scheme than EHR data, but that is an accident of history, technology and politics.  There is no fundamental distinction between a series of MRI images, or a blood test result, and a set of data downloaded from an implantable medical device.

It is possible that we have turned a corner on this issue. It is far from resolved, but the FDA is addressing it — or at least acknowledging it — publicly.

How close are we to resolving this issue? What obstacles do you see ahead? What other sorts of data have remained inaccessible to patients? Where is the next battlefield?

This post first appeared on e-patients.net, the blog of the Society for Participatory Medicine. I chair the Society's public policy committee.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

November 27, 2012

OCR releases HIPAA privacy rule guidance on de-identifying PHI

Just two and a half years after hosting a workshop on the HIPAA Privacy Rule's de-identification standard, OCR has issued its "Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule." Like they say, it's not rocket surgery -- and there are few surprises here. One area worth reviewing is the expert determination section -- for those of you using, or considering the use of, expert opinions to guide your de-identification programs. Reproduced below is a table describing some of the principles used by experts in determining whether information has been de-identified:

 

Table 1. Principles used by experts in the determination of the identifiability of health information.

Principle: Replicability
Description: Prioritize health information features into levels of risk according to the chance it will consistently occur in relation to the individual.
Examples:
  Low: Results of a patient’s blood glucose level test will vary.
  High: Demographics of a patient (e.g., birth date) are relatively stable.

Principle: Data Source Availability
Description: Determine which external data sources contain the patients’ identifiers and the replicable features in the health information, as well as who is permitted access to the data source.
Examples:
  Low: The results of laboratory reports are not often disclosed with identity beyond healthcare environments.
  High: Patient name and demographics are often in public data sources, such as vital records -- birth, death, and marriage registries.

Principle: Distinguishability
Description: Determine the extent to which the subject’s data can be distinguished in the health information.
Examples:
  Low: It has been estimated that the combination of Year of Birth, Gender, and 3-Digit ZIP Code is unique for approximately 0.04% of residents in the United States. This means that very few residents could be identified through this combination of data alone.
  High: It has been estimated that the combination of a patient’s Date of Birth, Gender, and 5-Digit ZIP Code is unique for over 50% of residents in the United States. This means that over half of U.S. residents could be uniquely described just with these three data elements.

Principle: Assess Risk
Description: The greater the replicability, availability, and distinguishability of the health information, the greater the risk for identification.
Examples:
  Low: Laboratory values may be very distinguishing, but they are rarely independently replicable and are rarely disclosed in multiple data sources to which many people have access.
  High: Demographics are highly distinguishing, highly replicable, and are available in public data sources.

One element of the expert determination worth noting is the notion that a determination should perhaps be time-limited, since that which is de-identified today may not be de-identified tomorrow (thanks in part to the rapid growth in the volume of data that is made available to the public on the internet).  Here is the relevant FAQ:

How long is an expert determination valid for a given data set?

The Privacy Rule does not explicitly require that an expiration date be attached to the determination that a data set, or the method that generated such a data set, is de-identified information.  However, experts have recognized that technology, social conditions, and the availability of information changes over time.  Consequently, certain de-identification practitioners use the approach of time-limited certifications.  In this sense, the expert will assess the expected change of computational capability, as well as access to various data sources, and then determine an appropriate timeframe within which the health information will be considered reasonably protected from identification of an individual.

Information that had previously been de-identified may still be adequately de-identified when the certification limit has been reached.  When the certification timeframe reaches its conclusion, it does not imply that the data which has already been disseminated is no longer sufficiently protected in accordance with the de-identification standard.  Covered entities will need to have an expert examine whether future releases of the data to the same recipient (e.g., monthly reporting) should be subject to additional or different de-identification processes consistent with current conditions to reach the very low risk requirement.

It is also worth noting that the guidelines suggest that a data use agreement is not required to be put in place in connection with the sharing of data de-identified in accordance with an expert determination. However, use of such agreements is common, whether or not data has been de-identified, and may contain other provisions of value to the parties.

(I was also tickled to learn the identity of the seventeen ZIP code tabulation areas -- identified by the first three digits of their ZIP codes -- that include fewer than 20,000 residents each per the 2000 Census, and therefore must be listed as 000 in order for a record containing one of them to be considered de-identified.)
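As an added worked example (not code from OCR, HHS or this post), the following script puts two pieces of the guidance discussed above side by side: the Distinguishability principle from Table 1, measured as the share of records whose quasi-identifier combination is unique, and the 3-digit ZIP rule from the parenthetical, under which areas with fewer than 20,000 residents are reported as 000. The ZIP-area populations and patient records are constructed sample data; the real 2000 Census list of seventeen areas is not reproduced.

```python
"""Distinguishability check plus Safe Harbor ZIP generalization.

Added illustration, not code from OCR, HHS or this post. The ZIP populations
and patient records below are constructed sample data; the real 2000 Census
list of sparsely populated 3-digit areas is not reproduced here.
"""
from collections import Counter

ZIP3_POPULATION_THRESHOLD = 20_000  # residents; threshold from the guidance
SUPPRESSED_ZIP3 = "000"             # placeholder the guidance prescribes

# Constructed sample: residents per 3-digit ZIP code tabulation area.
SAMPLE_ZIP3_POPULATION = {
    "021": 650_000,   # large metro area, keeps its 3-digit prefix
    "036": 12_000,    # under 20,000 residents: must be reported as 000
    "890": 8_500,     # under 20,000 residents: must be reported as 000
    "945": 420_000,
}

# Constructed sample records (birth as YYYY-MM-DD). Records 1 and 8 are an
# intentional duplicate so that not every full-detail combination is unique.
SAMPLE_RECORDS = [
    {"birth": "1975-03-14", "gender": "F", "zip": "02139"},
    {"birth": "1975-07-02", "gender": "F", "zip": "02138"},
    {"birth": "1975-11-30", "gender": "M", "zip": "02139"},
    {"birth": "1960-01-05", "gender": "M", "zip": "03601"},
    {"birth": "1960-09-19", "gender": "M", "zip": "03602"},
    {"birth": "1988-05-21", "gender": "F", "zip": "89001"},
    {"birth": "1988-08-08", "gender": "F", "zip": "89002"},
    {"birth": "1975-03-14", "gender": "F", "zip": "02139"},
]

QUASI_IDENTIFIERS = ("birth", "gender", "zip")


def restricted_zip3(zip3_population):
    """3-digit prefixes whose area holds fewer residents than the threshold."""
    return {z for z, pop in zip3_population.items()
            if pop < ZIP3_POPULATION_THRESHOLD}


def safe_harbor_zip(zip5, restricted):
    """Keep only the first three ZIP digits; suppress to 000 if restricted."""
    zip3 = zip5[:3]
    return SUPPRESSED_ZIP3 if zip3 in restricted else zip3


def generalize(record, restricted):
    """Reduce a record's quasi-identifiers to year of birth, gender and
    the (possibly suppressed) 3-digit ZIP, as Safe Harbor requires."""
    return {
        "birth": record["birth"][:4],
        "gender": record["gender"],
        "zip": safe_harbor_zip(record["zip"], restricted),
    }


def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Distinguishability: share of records whose combination of `keys`
    occurs exactly once, i.e. singles out one person in this data set."""
    combos = Counter(tuple(r[k] for k in keys) for r in records)
    singletons = sum(1 for r in records
                     if combos[tuple(r[k] for k in keys)] == 1)
    return singletons / len(records)


def distinguishability_report(records=SAMPLE_RECORDS,
                              zip3_population=SAMPLE_ZIP3_POPULATION):
    """Compare uniqueness before and after generalization (mirrors the
    table's contrast between full date of birth + 5-digit ZIP and year of
    birth + 3-digit ZIP)."""
    restricted = restricted_zip3(zip3_population)
    generalized = [generalize(r, restricted) for r in records]
    return {
        "restricted_zip3": sorted(restricted),
        "unique_before": unique_fraction(records),
        "unique_after": unique_fraction(generalized),
    }


if __name__ == "__main__":
    for key, value in distinguishability_report().items():
        print(f"{key}: {value}")
```

On the constructed sample, 75% of records are unique on full date of birth, gender and 5-digit ZIP, and 12.5% remain unique after generalization; the same measure run over a real release is the kind of input an expert determination weighs.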

When it comes to HIPAA compliance, these guidelines provide a greater measure of certainty regarding the privacy rule for folks in the secondary use of health data market. It remains to be seen whether the market has anticipated the content of these guidelines or whether there will be an uptick in the secondary use market, and further growth of "big data" in health care and/or an increase in the proliferation of health management tools (including mHealth apps using this population health data), as a result of the guidelines' release.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

October 05, 2012

Upcoming Speaking Engagements - Fall 2012

This conference season has already been a busy one: I organized HealthCamp Boston 2012, which was an exciting one-day unconference that took place right before Medicine 2.0, where I spoke.  I hope that local HealthCamp attendees can keep in touch, and maybe this time around we won't wait three years for the next HealthCamp Boston.  Unfortunately, I couldn't make it to Medicine X or Health 2.0 on the left coast this year, but I hope to see some of you in Boston at the Connected Health Symposium later in October.

Here are some of my upcoming speaking engagements:

The Effect of ACOs on the Health Care and HIT Ecosystems
Let's Talk HIT Speaker Series
Scratch Marketing + Media
Cambridge, MA
October 18, 2012
An informal presentation and discussion - join us if you are local.

Health Care Social Media: The Lawyers Don't Always Say "No"
MGMA 2012 - Medical Group Management Association Annual Conference
San Antonio, TX
October 21-24, 2012

Keynote Speaker on Health Care Social Media and on Accountable Care Organizations
Louisiana Hospital Association
23rd Annual Health Law Symposium
Baton Rouge, LA
November 7-8, 2012

Moderator of Legal Panel Discussion
Healthcare IT News and HIMSS
The Privacy and Security Forum
Boston, MA
December 13-14, 2012

I hope to see some of you at these events - please let me know if you'll be attending.

If you'd like to learn more about my speaking, keynoting and retreat facilitation, please start with this page about my speaking.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting 

September 20, 2012

Square Peg in a Round Hole: Data Privacy & Security Laws & Standards Meet Medicine 2.0


Here's the slidecast of my presentation at Medicine 2.0:

The moderator of the ethical and legal issues panel on confidentiality and privacy, Kevin Clauson, has posted a summary of the session as well -- check it out.
For more on Medicine 2.0, see my posts on Medicine 2.0 - Day 1 and Medicine 2.0 - Day 2.

June 27, 2012

OCR Releases HIPAA Privacy and Security Audit Protocol

Having completed an initial 20 HIPAA privacy and security compliance audits since last fall, and with 95 additional audits in the pipeline, OCR has just released its HIPAA privacy and security audit protocol, together with information about the audit pilot program.  As always, information like this is extremely valuable to the regulated community.  Covered entities and business associates should avail themselves of the information contained in the audit protocol and related materials so that they may prepare themselves for the eventuality of an audit or investigation -- whether as part of the current audit plan or otherwise -- and focus their compliance efforts.

(Links updated 06/01/2013)


From the OCR website: 

The OCR HIPAA Audit program analyzes processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit mandate. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

  • The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.

  • The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.
  • The protocol covers requirements for the Breach Notification Rule.

OCR reported on the first 20 audits it conducted as well:

OCR Audit Presentation - First 20 Audits

David Harlow
The Harlow Group LLC
Health Care Law and Consulting 

 

April 13, 2012

Call for Submissions: HealthBlawg Hosts HealthCare SocialMedia Review #2 Next Week

Ladies and gentlemen, boys and girls, the floodgates are open: Please submit your posts for the upcoming sophomore outing of HealthCare Social Media Review -- the blog carnival for health care social media, featuring the most recent fortnight's crème de la crème of blog posts on the topic. (Follow the link for submission instructions via web form or via email to david AT harlowgroup DOT net.)

We'll focus on privacy and security issues, but other topical submissions are welcome as well.  Just get everything in by 6 pm ET on Monday April 16 (earlier, if you'd like to be kind to your humble HealthBlawger).

Through the alchemy of the interwebs, the posts you submit will be transformed into golden flax, woven together into a seamless thing of beauty -- and you will count yourselves lucky to read it right here next Wednesday morning, April 18.

Tell your friends and neighbors, and we'll reconvene at HealthBlawg just a few short days from now . . . for the one, the only, HCSM Review #2.  

Be there! Aloha!

David Harlow
The Harlow Group LLC
Health Care Law and Consulting
  

April 01, 2012

Context-Relative Informational Norms – Buzzword or Paradigm Shift?

A piece in The Atlantic highlighting Helen Nissenbaum’s approach to privacy has been whipping around the twittersphere over the past couple of days.  The breathless tone of the piece is a little off-putting, but the content, at first glance, is intriguing:

Nissenbaum argues that the real problem "is the inappropriateness of the flow of information due to the mediation of technology." In her scheme, there are senders and receivers of messages, who communicate different types of information with very specific expectations of how it will be used. Privacy violations occur not when too much data accumulates or people can't direct it, but when one of the receivers or transmission principles change. The key academic term is "context-relative informational norms." Bust a norm and people get upset. 

However, after reading this piece (and, admittedly, not having read Nissenbaum’s academic papers), the contention that this is the first and last word on the question of context-sensitive privacy and sharing -- “What you tell your bank, you might not tell your doctor.  What you tell your friend, you might not tell your father-in-law.” -- rings hollow for me (as it has for the Wall Street Journal Ideas Market blog, as well). 

A whole 'nother issue is the issue of whether norms have any lasting value: How long before today's privacy norms -- even assuming there are some shared norms in this arena -- are replaced by tomorrow's norms?  (On a related note, even the status of evidence-based medicine as a gold standard for guiding clinical practice has been questioned; contrarians hold that personalized medicine for an individual may require approaches that run counter to EBM as proven out over a population.)

Facebook and Google+ tout their context-sensitive sharing tools, which allow for limited sharing of posts to segmented audiences, and most of us understand that we barter personal data for the “free” services they provide; furthermore, this barter exchange usually benefits us as individuals as well -- we get better-targeted messages online as a result.  I would certainly prefer to see Facebook and Google+ be a little more transparent about their use of personal data, and other sites and services also need to be transparent.  At least some folks out in the wild are pretty sophisticated about their wants and needs when it comes to health care social media privacy and security, and I’m just not sure that we need a new paradigm fueled by jargon from the ivory tower -- though perhaps further inquiry would lead me to conclude otherwise.  

In the health care and health care social media context, we all need to be aware of our own needs and desires concerning sharing of personal information, and we all need to be aware of the ways in which personal information is shared and used, and re-shared and re-used, by the platforms and repositories that we use.  Armed with this knowledge, we can work to establish our own context-sensitive norms, and work to ensure that they are honored.

Many users of social media tools for health care purposes have already internalized context-relative informational norms that must be layered on top of existing privacy and security concerns unique to the health care arena.  To those who have not: the HealthBlawger hopes that this post will prompt you to avail yourselves of the plethora of resources available: other health care social media privacy and security content here on HealthBlawg, the Mayo Clinic Center for Social Media (disclosure: I sit on its external advisory board), among many others -- please share any favorites in the comments. These resources should help folks fine-tune individual and institutional approaches to the use of these powerful tools.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

March 08, 2012

HealthCare SocialMedia Review - A New Blog Carnival - To Launch In April

While the HealthBlawger is generally loath to republish press releases, the source for the presser reproduced below is, well, the HealthBlawger himself.  With such impeccable provenance, we need make no further apologies ....

HealthCare SocialMedia Review - A New Blog Carnival - To Launch In April

On April 4, 2012, the inaugural edition of a new blog carnival, HealthCare SocialMedia Review, will be posted on HealthWorks Collective by HWC curator Joan Justice, one of the co-founders of HCSMR. “We were inspired by other blog carnivals, including Grand Rounds and Health Wonk Review, and decided it was time to bring the blog carnival treatment to the world of health care social media,” said Justice.

David Harlow (aka HealthBlawg), health care lawyer, HWC advisory panel member and the other co-founder of HCSMR, continued:

The #hcsm tweetchat moderated by Dana Lewis and the community built by Lee Aase through the Mayo Clinic Center for Social Media are two examples of the many ways in which those of us who are involved in health care social media are able to interact, share best practices and new developments, and learn from each other.  By adding a blog carnival to the mix, we hope to increase the sharing of long-form thoughts on the opportunities and challenges associated with health care social media.

Justice noted, “All are welcome to submit blog posts for consideration to each edition’s host.  HCSM will be posted every other week -- alternating weeks with Health Wonk Review.  And for the uninitiated: a blog carnival is an anthology, an on-line journal club for bloggers, hosted by a different blogger each time.”

Details on hosting, submission guidelines, Justice and Harlow bios and more are available on the HCSMR home page.

Connect with HCSMR on Facebook, Google+ and Twitter to keep up to date.

For further information contact:

Joan Justice joan AT socialmediatoday.com or @healthcollectiv
David Harlow david AT harlowgroup.net or @healthblawg  

# # #

Health care social media is of consequence in its own right, but also as a tool to implement or leverage other initiatives, across the spectrum of health care innovation today, including participatory medicine, accountable care organizations, mHealth and others.  We look forward to your participation in the HealthCare SocialMedia Review blog carnival as contributors, hosts and engaged readers/commenters.  See you April 4, at the inaugural edition, on HealthWorks Collective.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

March 06, 2012

Data Breach: How Much Will One Cost You?

The going rate for a compromised medical record seems to be $1000 (well, at least that's the asking price) as seen in papers filed in the eleven class action lawsuits against Sutter Health following the theft of a desktop computer last fall.  The computer contained unencrypted protected health information on about 4.24 million members.  The eleven class action suits are likely to be consolidated for ease of handling by the courts.

For an outfit whose most recently reported year-end financials show just under $900 million in income on just over $9 billion in revenue, a $4.24 billion claim certainly qualifies as a big deal.  The data breach claims against Sutter Health were filed last year following its self-reporting of the computer theft, and are in the news again due to the potential consolidation.

The company had reportedly begun to encrypt its data last year, starting with more vulnerable mobile devices, and moving on to desktop computers, but had not gotten to the desktop in question by the time of the breach.  It remains to be seen how these facts end up affecting the final damages awarded in this case.

The takeaway for other covered entities and business associates out there: If the OCR HIPAA audits aren't enough of a motivation to get cracking with beefed-up data privacy and security protections, the potential exposure of Sutter Health in this class action suit should be reason enough to get started on this work as soon as possible, and to make it a high priority. Suits like these may be grounded both in state law and in indirect theories flowing from HIPAA/HITECH breaches (since there is no private right of action under HIPAA). The exposure is there, and a number's been put out there to quantify it. However expensive and inconvenient data encryption and other privacy and security measures may be, they are surely worth avoiding $1,000-a-head lawsuits and months of negative publicity.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting