Tue, 12/13/2016 - 12:08
Hospitals Should Scrutinize Portable Electronics

Hospitals and hospitalists should expect more aggressive enforcement of protected health information regulations following a $1 million settlement paid by Massachusetts General Physicians Organization Inc. over documents on 192 patients left on the subway by a MassGen employee, a top hospitalist says.

The payment – part of an agreement between MassGen and the U.S. Health and Human Services Department over “potential violations” of HIPAA rules – came at the same time as HHS issued its first civil money penalty for violations of the privacy act. The $4.3 million civil money penalty involved Cignet Health Care, a Maryland-based clinic, which HHS found had violated 41 patients’ rights by failing to provide them with access to their own medical records.

Dr. Chad Whelan, director of the division of hospital medicine at Loyola University Chicago, Maywood, said the two high-dollar enforcement moves by HHS indicate more aggressive enforcement of HIPAA is coming.

“Given the large fines and the high-profile institution [MassGen] affected, it sure seems like they are sending a message,” he said in an interview. “I would fully expect more stringent enforcement in the coming years, and we will likely see more payouts.”

To safeguard themselves, physicians and hospitals need to take a hard look at their policies regarding electronic storage and transmission of protected health information across multiple electronic devices, especially smartphones and tablet-style electronic devices, Dr. Whelan said.

“The beautiful thing about computers, smartphones, and electronic medical records is that [they make it] amazingly easy to store, access, and share information,” he said. “The terrifying thing about computers, smartphones, and electronic medical records is that [they make it] amazingly easy to store, access, and share information.

“Medical centers and hospitalists must be aware of this tension between improving care through information access and sharing and the risk to confidentiality through easier information access and sharing. These settlements are the first shot across the bow to all of us that HHS is certainly taking a long, hard look at this balance,” he said.

Office of Civil Rights director Georgina Verdugo said as much in a statement involving the MassGen settlement. “We hope the health care industry will take a close look at this agreement and recognize that the OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information,” Ms. Verdugo said.

The MassGen incident involved hard copies of protected health information from the hospital’s Infectious Disease Associates outpatient practice, and included patients with HIV and AIDS, according to HHS. The documents involved included a patient schedule with names for all of the patients, plus billing encounter forms with identifying information such as name, date of birth, health insurer, and policy number for 66 of the same patients.

A MassGen employee left the information on a subway while commuting to work, and it was never recovered. One of the patients involved filed a complaint with HHS, which investigated and found that MassGen had “failed to implement reasonable, appropriate safeguards to protect the privacy of [protected health information] when removed from Mass General’s premises and impermissibly disclosed PHI potentially violating provisions of the HIPAA Privacy Rule.”

MassGen said in a statement that it will implement a corrective action plan over the next 3 years designed to enhance protection of protected health information when it is physically removed from the hospital’s property for work purposes. The organization also said it will issue new or revised policies and procedures dealing with laptop encryption and USB drive encryption.

“After these policies and procedures are issued, we will be providing mandatory training on them,” the hospital said. “All members of our workforce must participate in the training and certify that they have completed it.”

It’s very unusual for an employee to intentionally violate HIPAA, but it’s the inadvertent violations that can cause trouble. “It is far more likely that a well-meaning employee simply forgets the basics of patient protection on a device and then accidentally misplaces the device, leaving it open for anyone with basic computer skills to access,” he said.

Traditional concern has been focused on data stored on portable computer hardware, such as hard drives, CDs, and laptops, he said. But “with the increased availability of electronic medical records, it will only become easier to have information about patients in portable formats. With paper, it was difficult to carry records of hundreds of patients around. Now, it is remarkably easy.”

The rise of extremely portable devices such as smartphones and iPads poses new risks, Dr. Whelan said. “How many people have patient information stored or accessible through these omnipresent devices? Certainly, patient information that has been sent through e-mail is easily accessed through a smartphone. Hospitals need to develop policies around encryption and support end users in encrypting the multiple devices they may use to levels that are acceptable to HHS.”




In order to better safeguard protected data, hospitals need to have enterprise-wide programs in data information management, but also need to help employees make certain any data-storage or transmission devices they use are HIPAA-compliant, Dr. Whelan said.

“Hospitalists should be involved in both policy development and process implementation to assure that the benefits of electronic data storage are not lost in order to reduce the risk of HIPAA violation,” he added.





