EHR Data Security: Reviewing the Legal Responsibilities For Wound Care Providers

Kevin Yankowsky, JD & Caroline Fife, MD, FAAFP, CWS
September 2014

  Rules issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protect the privacy and security of individually identifiable health information, and the HITECH Act of 2009 adds further security safeguards. HIPAA covers protected health information (PHI) in any medium, while HITECH is concerned chiefly with electronic protected health information (e-PHI). HIPAA contains two distinct rules, the Privacy Rule and the Security Rule. Both place important restrictions on the use of PHI and place important responsibilities on covered entities (as well as their business associates) for the proper maintenance and protection of PHI. Wound care providers are responsible for safeguarding PHI under these two federal statutes. It is not the responsibility of the electronic health record (EHR) vendor to take the steps needed to comply with HIPAA or HITECH; the vendor supplies the tools, but the covered entity remains accountable.


HIPAA Privacy

  The HIPAA Privacy Rule establishes national standards for the use and disclosure of individually identifiable health information in any form, including the demographic and payment information that accompanies a patient's clinical record. Under HIPAA, patients have legal rights to access their health information and to learn about disclosures of it. Their healthcare providers are responsible for respecting these rights.

HITECH Act

  HITECH was enacted in 2009 to provide incentives for the adoption and "Meaningful Use" of interoperable EHRs. It provides incentive payments to providers who adopt and use "certified EHR systems" and penalizes those who have not adopted an EHR by 2015, enforced by way of reductions in Medicare payments. Along with advancing the goal of Meaningful Use, HITECH provides important privacy protections and security provisions that complement the HIPAA Privacy and Security Rules. Specifically, HITECH obligates covered entities to notify affected individuals of breaches of unsecured PHI and to notify the US Department of Health and Human Services (HHS): without unreasonable delay (and no later than 60 days) for a breach affecting 500 or more individuals, or in an annual log for smaller breaches. A breach affecting 500 or more residents of a state or jurisdiction must also be reported to prominent media outlets. HITECH also provides civil and criminal penalties for data breaches under certain circumstances.

HIPAA Security

  The HIPAA Security Rule is the Privacy Rule's lesser-known sibling. Although it does not generate as much discussion, it has been in effect almost as long (its compliance date was 2005, two years after the Privacy Rule's). The Security Rule establishes national standards to protect e-PHI created, received, used, or maintained by a covered entity or its business associates. Its safeguards fall into three general categories: administrative, physical, and technical. It is important to remember that the Security Rule requires all covered entities (virtually all medical providers) to implement its specifically enumerated safeguards, some of which are "required" and some "addressable" (an addressable safeguard may be met by an equivalent alternative that the entity documents, but it cannot simply be skipped). In other words, clinicians must have specific administrative, technical, and physical safeguards that, if properly applied, close security gaps. Compliance with the Security Rule is the responsibility of the healthcare provider.

  The Security Rule includes two provisions that require organizations to perform security audits. They are:
    • 45 CFR 164.308(a)(1)(ii)(D) - Information system activity review (required), which states organizations must "implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
    • 45 CFR 164.312(b) - Audit controls (required), which states organizations must "implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."

  In addition, the Office of the National Coordinator for Health Information Technology's EHR certification criteria for Meaningful Use (2011 Edition) include audit requirements. Section 170.302(r) - Audit log - requires the ability to record actions related to electronic health information in accordance with the standard specified in §170.210(b), and to enable a user to generate an audit log for a specific time period and to sort entries in the log according to any of the elements specified in §170.210(b) (for example, the date and time of the action, the patient record involved, and the user who performed it).

HIPAA Security Safeguards

  Generally speaking, administrative safeguards refer to policies and procedures that exist in practice to protect security, privacy, and confidentiality of PHI. There are administrative safeguards that are required by both HIPAA Privacy and HIPAA Security. The administrative safeguards required under HIPAA Security include (but are not limited to): identifying relevant information systems, conducting risk assessment, implementing a risk-management program, acquiring information technology (IT) systems and services, creating and deploying policies and procedures, and developing and implementing a sanctions policy.

  Assessing the risk of unauthorized use or disclosure is an important step in the overall plan for maintaining security; the risk analysis is what tells a practice which of the safeguards below matter most for its own systems.

  Generally speaking, physical safeguards for PHI and health IT refer to measures that protect the hardware, and the facilities, that store PHI. Some safeguards for electronic and paper-based systems are similar, but some are specific to health IT. Policies and procedures must be put in place to physically safeguard health IT. These elements include, but are not limited to:

    • Facility access controls – Limitations on physical access to facilities where health IT is housed, while ensuring authorized personnel are allowed access. Business associates must meet the same requirement: a vendor that backs up or stores any health IT data must limit physical access to the facility housing its servers, and providers who outsource data services should confirm (for example, through the business associate agreement and the vendor's audit reports) that this has been done.
    • Workstation use – Specifications for the appropriate use of workstations and the characteristics of the physical environment of workstations that can access PHI.
    • Workstation security – Restrictions on access to workstations with PHI.
    • Device and media controls – Receipt and removal of hardware and electronic media that contain PHI into and out of the facility and movement of these items within a covered entity, including disposal, reuse of media, accountability, and data backup and storage.

  Technical safeguards are built into the health IT system to protect health information and to control access. This includes measures to limit access to electronic information, to encrypt and decrypt electronic information, and to guard against unauthorized access to that information while it is being transmitted to others. Procedures and policies required to address the following elements of technical safeguards include, but are not limited to:
    • Access control - Allowing access only to persons or software programs with appropriate access rights to data or PHI by using, for example, unique user identification protocols, emergency-access procedures, automatic logoff, and encryption and decryption mechanisms.
    • Audit controls - Recording and examining activity in health IT systems that contain or use PHI.
    • Integrity - Protecting PHI from improper alteration or destruction, including implementation of mechanisms to authenticate PHI.
    • Person or entity authentication - Verifying that a person or entity seeking access to PHI is who or what they claim to be (proof of identity).
    • Transmission security - Guarding against unauthorized access to PHI that is being transmitted over an electronic communications network.

  Having technical safeguards in place can protect against various intended and unintended uses and disclosures of PHI. Regular system checks are required to see who accessed stored PHI and when.

Auditing Functions

  Audit logs are records of sequential activities maintained by the EHR. An audit trail consists of the log records identifying a particular transaction or event. This means there is a record of each staff member who opens a record and of the work they do on a chart. An audit is the process of reviewing the audit records and is an integral part of security and risk management. Security audits are conducted using audit trails and audit logs, which offer a back-end view of EHR system use that the clinical interface does not show. Audit trails and logs record key activities, showing who accessed what, what was changed, and which transactions occurred. Periodic reviews of audit logs may be useful for:

    • detecting unauthorized access to patient information;
    • establishing a culture of responsibility and accountability;
    • reducing the risk associated with inappropriate accesses (behavior may be altered when individuals know they are being monitored);
    • providing forensic evidence during investigations of suspected and known security incidents and breaches to patient privacy, especially if sanctions against a workforce member, business associate, or other contracted agent will be applied;
    • tracking disclosures of PHI;
    • responding to patient privacy concerns regarding unauthorized access by family members, friends, or others;
    • evaluating the overall effectiveness of policy and user education regarding appropriate access and use of patient information (comparing actual worker activity to expected activity and discovering where additional training or education may be necessary to reduce errors);
    • detecting new threats and intrusion attempts;
    • identifying potential problems; and
    • addressing compliance with regulatory and accreditation requirements.

  Because audit logs are not a visible part of the EHR, this critical function of the system is often overlooked. However, this type of “metadata” (data about data) can become the most critical legal evidence in many court cases. Providers must know the audit capability of the EHR.
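  The review described above (comparing actual worker activity with expected activity, detecting access by people with no treatment relationship, and spotting unusual patterns) can be partly automated. The following is an added example, not code from the article or from any EHR product: it assumes a CSV access-log export with the columns shown, a constructed care-team roster that records which staff have a treatment relationship with each patient, and three illustrative rules (no treatment relationship, after-hours access, and one user viewing unusually many distinct charts in a day). Every line of the sample log is constructed for the example.

```python
"""Periodic EHR audit-log review: an added example, not the article's or any
vendor's code.  Log format, roster, thresholds and all sample data are
constructed for illustration."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample export: one row per action a user took on a chart.
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2014-09-02T09:12:00,jsmith,nurse,P1001,view
2014-09-02T09:15:00,jsmith,nurse,P1001,update
2014-09-02T10:40:00,dlee,physician,P1002,view
2014-09-02T23:05:00,rgarcia,billing,P1001,view
2014-09-03T08:01:00,tnguyen,frontdesk,P1003,view
2014-09-03T08:02:00,tnguyen,frontdesk,P1004,view
2014-09-03T08:02:30,tnguyen,frontdesk,P1005,view
2014-09-03T08:03:00,tnguyen,frontdesk,P1006,view
2014-09-03T14:20:00,dlee,physician,P1001,view
"""

# Constructed roster: which users have a treatment relationship with which patient.
CARE_TEAM = {
    "P1001": {"jsmith", "dlee"},
    "P1002": {"dlee"},
    "P1003": {"tnguyen", "jsmith"},
    "P1004": {"dlee"},
    "P1005": {"jsmith"},
    "P1006": {"dlee"},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))       # assumption: normal clinic hours
RELATIONSHIP_EXEMPT_ROLES = {"billing"}           # billing staff see charts for payment purposes
BULK_VIEW_THRESHOLD = 3                           # more distinct charts per day than this is unusual


def parse_log(text):
    """Parse the CSV export into dicts, turning the timestamp into a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review(entries, care_team, hours=BUSINESS_HOURS, bulk_threshold=BULK_VIEW_THRESHOLD):
    """Return (rule, user, patient(s), timestamp) findings for a human reviewer.

    A finding is a lead, not a verdict: emergency access or a covering clinician
    can produce the same pattern, which is why the review is done by a person."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for e in entries:
        user, pid, ts = e["user"], e["patient_id"], e["timestamp"]
        # Rule 1: access to a chart by someone with no documented treatment relationship.
        if e["role"] not in RELATIONSHIP_EXEMPT_ROLES and user not in care_team.get(pid, set()):
            findings.append(("no-treatment-relationship", user, pid, ts))
        # Rule 2: access outside business hours.
        if not (hours[0] <= ts.time() <= hours[1]):
            findings.append(("after-hours", user, pid, ts))
        charts_per_user_day[(user, ts.date())].add(pid)
    # Rule 3: one user opening many distinct charts in a single day (snooping pattern).
    for (user, day), charts in sorted(charts_per_user_day.items()):
        if len(charts) > bulk_threshold:
            findings.append(("bulk-access", user, ",".join(sorted(charts)),
                             datetime.combine(day, time.min)))
    return findings


def summarize(findings):
    """Count findings per rule, the figure a compliance officer tracks over time."""
    return Counter(rule for rule, *_ in findings)


if __name__ == "__main__":
    for rule, user, pid, ts in review(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:<26} {user:<10} {pid}")
    print(summarize(review(parse_log(SAMPLE_LOG), CARE_TEAM)))
```

  On the constructed sample the review flags the front-desk user for opening three charts of patients not under their care and for the volume of charts opened that morning, and flags the billing user's late-night access. Whether any of these is a violation is a judgment for the privacy officer; the point of the automated pass is that nobody has to read nine thousand rows to find the nine worth reading.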

HITECH Security Requirements

  An EHR must meet security criteria to be certified for Stage 1 of Meaningful Use. Interestingly, providers may think they have licensed a certified EHR when, in fact, their particular software version does not meet the requirements. In February 2012, a Kansas-based hospital sued a large EHR company, alleging the company failed to install a system that met Meaningful Use requirements. In January 2014, a hospital in Montana filed suit against a company for allegedly failing to install an EHR system that meets the 2014 criteria for Stage 1 of Meaningful Use. Providers are no longer eligible for EHR incentive payments if they are still using 2011 Edition software, so a significant amount of money could be at stake. What is more worrisome, however, is the possibility that an EHR might not meet the necessary security requirements. The cost of a major security breach could easily exceed the lost incentive payments under Meaningful Use.

  Below are the minimum security protection capabilities required for EHR certification. Some EHRs have additional security capabilities.

    1. Access control: Permit only authorized users to access electronic health information.
    2. Emergency access: Permit authorized users to access electronic health information during an emergency.
    3. Automatic logoff: End an electronic session after a predetermined time of inactivity.
    4. Audit log: a) record actions related to electronic health information; b) enable a user to generate an audit log for a specific time period and to sort entries.
    5. Integrity: Verify electronic health information has not been altered in transmission and detect the alteration of audit logs.
    6. Authentication: Verify that a person seeking access to electronic health information is the one claimed and is authorized to access the information.
    7. Encryption for general information.
    8. Encryption when exchanging electronic health information.
    9. Accounting of disclosures (optional): Record disclosures made for treatment, payment, and healthcare operations.
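  Item 5 above requires the EHR to detect alteration of its own audit logs, which matters because the log is the evidence relied on in the investigations and court cases discussed earlier. One standard way to make a log tamper-evident is to chain the records together with a keyed hash: each record carries the MAC of the previous record, and the MAC covers that link plus the record's content, so editing, inserting or deleting any record breaks every link after it. The following is an added example of that technique, not code from the article or from any certified EHR; the record layout, the demo key and the sample entries are constructed for illustration, and the key is assumed to be held by a logging service separate from the EHR database so that a database administrator cannot re-seal the chain.

```python
"""Tamper-evident audit log via an HMAC chain: an added example, not the
article's or any EHR vendor's code.  Record layout, key and entries are
constructed for illustration."""
import hashlib
import hmac
import json
from copy import deepcopy

GENESIS = "0" * 64   # link value for the first record


def _seal(key, prev_mac, entry):
    """MAC over the previous record's MAC and this entry's canonical JSON."""
    msg = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(chain, entry, key):
    """Append an audit entry, linking it to the record before it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"entry": entry, "prev": prev, "mac": _seal(key, prev, entry)})
    return chain[-1]["mac"]


def verify_chain(chain, key, expected_tail=None):
    """Return the index of the first bad record, or None if the chain is intact.

    expected_tail is the last MAC as recorded somewhere the log's custodian
    cannot reach (a nightly printout, a separate system).  Without it, silently
    dropping the newest records would not be detected."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _seal(key, prev, rec["entry"])):
            return i
        prev = rec["mac"]
    if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
        return len(chain)   # records missing from the end
    return None


def demo(key=b"constructed-demo-key-keep-in-a-separate-service"):
    """Build a small chain and show which manipulations are detected."""
    chain = []
    entries = [  # constructed audit entries
        {"ts": "2014-09-02T09:12:00", "user": "jsmith", "patient": "P1001", "action": "view"},
        {"ts": "2014-09-02T09:15:00", "user": "jsmith", "patient": "P1001", "action": "update"},
        {"ts": "2014-09-02T23:05:00", "user": "rgarcia", "patient": "P1001", "action": "view"},
    ]
    for e in entries:
        tail = append_entry(chain, e, key)

    intact = verify_chain(chain, key, tail)

    edited = deepcopy(chain)              # someone rewrites the after-hours access
    edited[2]["entry"]["ts"] = "2014-09-02T10:05:00"
    edit_detected_at = verify_chain(edited, key, tail)

    deleted = deepcopy(chain)             # someone removes a middle record
    del deleted[1]
    delete_detected_at = verify_chain(deleted, key, tail)

    truncated = chain[:-1]                # someone drops the newest record
    truncate_without_anchor = verify_chain(truncated, key)
    truncate_with_anchor = verify_chain(truncated, key, tail)

    return {
        "intact": intact,
        "edit_detected_at": edit_detected_at,
        "delete_detected_at": delete_detected_at,
        "truncate_without_anchor": truncate_without_anchor,
        "truncate_with_anchor": truncate_with_anchor,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<24} {v}")
```

  The last two results are the caveat a practitioner should remember: a hash chain alone cannot tell a shortened log from a complete one, so the current tail MAC has to be anchored outside the system whose log it protects. The same reasoning applies when evaluating a vendor's claim to meet item 5: ask where the integrity key lives and who can regenerate the chain.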

Keeping PHI Secure

  To uphold patient trust and to comply with HIPAA, covered providers must conduct a security-risk analysis that examines several aspects of medical practice including EHR software and hardware, security of physical setting, education of staff, EHR access controls, and contracts with business associates.

  Most certified EHRs have these features built in or provided as part of a service, although they are not always configured or enabled properly. As the guardian of patient health information, it is up to the provider to learn these features, ensure they are functioning, and update them when necessary. Remember, security-risk analysis and mitigation is an ongoing responsibility. A full analysis should be conducted at least once annually. When working with EHR and Health IT vendors, ask if the features below are available in the EHR:

    • backup and recovery of medical information;
    • encryption to protect PHI at rest and in transmission (PHI encrypted in accordance with HHS guidance is not "unsecured," so its loss or theft is not a reportable breach, which is why encryption limits liability under HIPAA and HITECH);
    • auditing function to record and monitor who has accessed patient records and when;
    • unique IDs, passwords, and user names to help prevent unauthorized access to the system;
    • role-based or user-based access controls to prevent inappropriate or unauthorized access to patient information; and
    • antivirus and antispyware.

  In particular, providers must know how the backup and recovery systems for the EHR work, where EHR data resides with the vendor, whether the vendor complies with the security requirements, and how to test the recovery system; a backup that has never been restored is an assumption, not a safeguard.

Kevin W. Yankowsky is a partner at Fulbright & Jaworski LLP, health law/health litigation department, Houston, TX. Caroline E. Fife is clinical editor of TWC and chief medical officer at Intellicure Inc.
