Author: Andrea Flaute, Associate Member, University of Cincinnati Law Review
The conflict between technology and privacy does not stop at the hospital door. The emergence of a technology-driven society has created a desire and push to incorporate all parts of life into electronic format, including personal health records (PHR). Although the enactment of the Health Insurance and Portability Accountability Act pre-dates the technology boom, the privacy protections it contains complement the electronic records provisions included in the Health Information Technology for Economic and Clinical Health Act. Thus, we have legislation that, on paper, comprehensively addresses the privacy of PHR while also encouraging the integration of those records into the desired electronic format. While the regulation of this complex crossroad allows the healthcare industry to make significant strides in meeting the needs and desires of its patients, it also opens the door to significant compliance strains and increased protection responsibility. Adequately preserving the privacy of electronic PHR, particularly against cyber attacks and breaches, has become an issue facing all hospitals and health care providers that have implemented electronic records of any sort. Congress needs to enact a comprehensive remedy that addresses these security concerns to avoid unnecessary risks.
Congress enacted the Health Insurance and Portability Accountability Act (HIPAA) in 1996 to keep up with technological advances that make electronic transmission, access, and storage easier. Among its many justifications for enacting the legislation, Congress realized it needed to protect the privacy of medical information with a comprehensive set of standards that bridged the patchwork protections amongst state legislation. Most compliance efforts surrounding the Act focus on Title II, known as the Administrative Simplification provisions. In order to improve the efficiency and effectiveness of our health care system, the provisions require the Secretary of Health and Human Services (HHS) to promulgate national standards for electronic health care transactions. General references to being “HIPAA Compliant” typically refer to operating within the confines of Title II.
Realizing that advances in electronic technology could erode the privacy of health information, HHS established the Privacy Rule. The Privacy Rule set national standards for the protection of individually identifiable health information by three types of entities: health plans, health care clearinghouses, and health care providers who conduct standard health care transactions electronically. It requires appropriate safeguards to protect the privacy of personal health information (PHI) no matter the medium in which it is stored. The Privacy Rule also limits and conditions the uses and disclosures of information without patient authorization, giving patients extensive rights over their health information.
While the HIPAA Privacy Rule protects all PHI, HHS promulgated the Security Rule to specifically protect electronic PHI. This rule established national standards to protect individuals’ electronic PHI when it is created, received, used, or maintained by a provider. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. HHS’s Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules through investigation and compliance education.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology. HITECH contains incentives related to health care information technology in general (e.g., creation of a national health care infrastructure) and contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers. Specifically, HITECH authorizes incentive payments through Medicare and Medicaid to healthcare providers when they use EHRs securely to achieve specified improvements in care delivery.
An important aspect of HITECH is the required criteria that hospitals and clinicians must meet to be considered “meaningful users.” Meaningful users qualify for certain incentives aimed at promoting the use of EHR systems. The criteria range from the essentials of creating any medical record, including the entry of basic data, to more complex objectives aimed at building up the healthcare infrastructure. These objectives were implemented in stages to account for the challenges that the adoption of a new system posed to providers, but all are now required prerequisites for the financial incentives offered under HITECH.
The drafters anticipated a massive expansion in the exchange of electronic PHI; as a precautionary measure HITECH also widened the scope of privacy and security protections available under HIPAA and strengthened the civil and criminal enforcement of the HIPAA rules by increasing potential legal liability for non-compliance.
The Electronic Health Record Era
With HIPAA and HITECH working together to promote and incentivize “going electronic,” more than 80% of hospitals eligible for the meaningful use incentives program have incorporated an EHR into their organizations. “For such a long time we had such disparate systems, meaning you had one system that did pharmacy, one [that] did orders, [and] one that did documentation,” says Jeff Sturman, partner at Cumberland Consulting Group. The implementation of EHRs has streamlined and centralized the way providers care for their patients and the practice of medicine in general.
The benefits of the transition to EHRs are undoubtedly prominent, especially as paper-based processes are quickly becoming inefficient in today’s fast-paced medical setting. But these benefits come with a hefty price tag. A complete overhaul of any records system is necessarily complex, time-consuming, and expensive—even more so when that overhaul involves installing and transitioning to all new technology, learning intricate software, and training personnel. It is not uncommon for large healthcare systems to spend several years and hundreds of millions of dollars to implement an EHR system.
Even when ignoring cost, the crucial drawback to the implementation of an EHR system continues to be security breaches. Because EHRs are so comprehensive, they have become a target for identity thieves and hackers: EHRs contain medical and financial information in one centralized location. The Security Rule requires specific actions to be taken to protect against such privacy breaches. In the ever-evolving age of technology, however, most IT professionals agree these safeguards are not enough to combat advanced cyber attacks. A 2010 report by the Healthcare Information and Management Systems Society found that, since 2008, more than 110 healthcare organizations have reported the loss of sensitive patient data—affecting over 5.3 million individuals. Not only do these breaches cost healthcare providers millions of dollars to rectify, they often leave victims in financial ruin. There is also a concern of “legitimate patient’s medical record having altered or incorrect information as a result of misuse or negligence, which may prevent them from obtaining proper medical treatment and insurance benefits.”
The risk of security breaches is no doubt a significant concern. However, the threat of breaches should never be understood to outweigh the widespread benefits provided by these centralized systems. EHR systems provide unparalleled access for patients and providers in addition to providing tools that are revolutionizing the way society approaches the practice of medicine. Making the transition to EHR systems seems inevitable when looking at the current landscape of the healthcare industry. Patients, in general, want electronic access and control over their records; and the federal government believes so much in the benefits of these systems it has set aside billions of dollars to implement them.
Keeping these systems equipped with current software and protections is as important as, if not more important than, implementing them in the first place. One of the primary purposes of both HIPAA and HITECH is to protect PHI. Failing to continually update EHR systems, thus exposing patients’ PHI to security breaches, directly undermines that primary purpose and defeats the extensive effort and money spent adopting the system. The protection of patient PHI should always be a top priority for the healthcare industry, and it follows that providers should take all measures within their control to ensure that protection. But the burden cannot be placed squarely on the shoulders of those most drastically affected.
A two-fold remedy is the most logical response to this delicate problem. On one hand, there should be incentives for hospitals to keep their systems up to date, or non-compliance consequences aimed at protecting the integrity of the system. On the other hand, there should be stricter punishments to increase the deterrent effect for criminals targeting healthcare providers and their systems. HITECH has given healthcare providers a financial incentive to switch to EHR systems but has not provided a means to ensure those systems stay up-to-date with the latest protections. Software systems like EPIC, MEDITECH, and Keane-First Data provide updates, but at a cost. As technology constantly changes and the costs associated with frequently updating equipment and software quickly add up, especially for large health systems, it is understandable why some providers cannot or will not remain compliant with HIPAA and HITECH regulations voluntarily. But failure to remain compliant leaves patients, many of whom have no choice in seeking medical treatment, vulnerable to a variety of threats that have long-lasting implications. EHR systems are a great resource, but data privacy risks need to be addressed, not by choice, but by law.
Congress must craft a remedy to constrain the threats and illegal actions that are currently being taken against patients and their highly sensitive information.
 The Health Insurance and Portability Accountability Act (hereinafter “HIPAA”) 45 C.F.R §160-164
 Allan Collins and Richard Halverson, Rethinking Education in the Age of Technology: The Digital Revolution and Schooling in America (2009)
 Health Information Technology for Economic and Clinical Health Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5, § 123 Stat. 226 (2009) (hereinafter “HITECH”), available at http://www.gpo.gov/fdsys/pkg/PLAW-111publ5/pdf/PLAW-111publ5.pdf
 Steven L. Clause, Darren M. Triller, Colleen P.H. Bornhorst, Robert A. Hamilton, and Leon E. Cosler, Conforming to HIPAA Regulations and Compilation of Research Data, 61 Am. J. Health-Syst. Pharm. 1025 (2004)
 Denise L. Anthony, Ajit Appari, and M. Eric Johnson, Institutionalizing HIPAA Compliance: Organizations and Competing Logics in U.S. Health Care, 55 J. Health Soc. Behav. 108 (2014)
 Thomas C. Rindfleisch, Privacy, information technology, and health care, Communications of the ACM, August 1997 at 92.
 HIPAA §160.102; HIPAA §164.534
Summary of the HIPAA Privacy Rule; What is Covered by the Privacy Rule, U.S. DEP’T OF HEALTH & HUMAN SERVS., http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html (last visited November 10, 2015)
 The Security Rule, U.S. DEP’T OF HEALTH & HUMAN SERVS., available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/ (last visited November 10, 2015)
Id. Examples of some broad physical safeguards include the requirement that entities have policies and procedures to protect electronic information systems, and related buildings and equipment, from natural and environmental hazards as well as unauthorized intrusion. See HIPAA §164.302-§164.316
 Office for Civil Rights; When a patient feels his or her HIPAA rights have been violated, they have the right to submit a complaint to the provider or to OCR. Once a complaint is received, it is reviewed for a possible criminal violation or a possible Privacy or Security Rule violation. If there is a criminal violation, the complaint is referred to the Department of Justice for further investigation. If there is a Privacy or Security Rule violation, the OCR will investigate further and 1) find no violation, 2) obtain voluntary compliance, corrective action, or other agreement, or 3) issue formal findings of violation; Enforcement Process, U.S. DEP’T OF HEALTH & HUMAN SERVS., available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/process/index.html (last visited November 10, 2015)
HITECH Act Enforcement Interim Final Rule, U.S. DEP’T OF HEALTH & HUMAN SERVS., available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html (last visited November 10, 2015)
 The “Meaningful Use” Regulation for Electronic Health Records, The New England Journal of Medicine, available at http://www.nejm.org/doi/full/10.1056/NEJMp1006114#t=article
 Id. Examples of basic data entries include patients’ vital signs and demographics, active medications and allergies, up-to-date problem lists of current and active diagnoses, and smoking status.
 Id.; Examples of complex objectives include performance of drug-formulary checks, incorporating clinical laboratory results, providing reminders to patients for needed care, and identifying and providing patient-specific health education resources
 David Blumenthal, M.D., M.P.P., Launching HITECH, 5 N. Engl. J. Med. 382 (2010); Like HIPAA, HITECH does not allow individuals to bring a cause of action against a provider for violations. However, in addition to the complaint process, it does allow a state attorney general to bring an action on behalf of his or her residents. Pub. L. No. 111-5, § 123 Stat. 226, section 13410(e).
This number is up from only 16% of eligible hospitals in 2009. Akanksha Jayanthi, 10 Biggest Technological Advancements for Healthcare in the Last Decade, Becker’s Health IT & CIO Review, available at http://www.beckershospitalreview.com/healthcare-information-technology/10-biggest-technological-advancements-for-healthcare-in-the-last-decade.html (last visited November 10, 2015)
 Data Protection for the Healthcare Industry, SafeNet, available at http://www.safenet-inc.com/uploadedFiles/About_SafeNet/Resource_Library/Resource_Items/White_Papers_-_SFDC_Protected_EDP/SafeNet%20Data%20Protection%20Healthcare%20White%20Paper.pdf?utm_source=AoDP-blog&utm_medium=blog&utm_content=Data-Protection-for-Healthcare&utm_campaign=HITECH-act-post
Akanksha Jayanthi, 8 Epic EHR Implementations with the Biggest Price Tags in 2015, Becker’s Health IT & CIO Review, available at http://www.beckershospitalreview.com/healthcare-information-technology/8-epic-ehr-implementations-with-the-biggest-price-tags-in-2015.html (last visited November 10, 2015)
 Data Protection for the Healthcare Industry
Data Breach Results in $4.8 Million HIPAA Settlements, U.S. DEP’T OF HEALTH & HUMAN SERVS., available at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/jointbreach-agreement.html (last visited November 10, 2015)
 Data Protection for the Healthcare Industry