Physician practices scramble to comply with new privacy reg
Eric Berkman
May 7, 2010
Physicians in many small practices are still struggling to comply with Massachusetts’ sweeping new data privacy regulation that went into effect on March 1 – and many doctors aren’t even aware of the changes.
The regulation, 201 CMR 17.0, requires any organization – including health care providers – with access to personal data of Massachusetts residents to maintain a rigorous program to proactively prevent identity theft.
Specifically, organizations must have a comprehensive written information security program (WISP), train all employees on the program, implement a wide array of information-security procedures and certify compliance of all outside service providers. (For more information on the major provisions of the reg, see “The details of the new privacy rules,” on page 10.)
Full compliance was required by March 1, but legal experts say that very few providers – particularly those in small practices – are aware of the regulation at all, much less compliant with it.
Meanwhile, those actively seeking to comply are confronting tough technical, organizational and financial challenges in a time when medical practices are already grappling with federal regulatory schemes, including constantly changing Health Insurance Portability and Accountability Act (HIPAA) rules, meaningful use of electronic health records and “red flag” rules mandating that providers detect and respond to security breaches.
Though nobody expects the state Attorney General’s Office – which has yet to announce enforcement policies under the rules – to audit organizations for compliance in advance of a breach, noncompliance is not an option. The rule calls for penalties in the amount of $100 per Massachusetts resident affected by a breach, up to a maximum penalty of $50,000 per violation.
If your practice’s data is breached, experts expect the attorney general to investigate whether you are in compliance. If your practice doesn’t measure up, you risk heavy fines, lawsuits and state monitoring, not to mention horrific public relations fallout.
“If your database of patient information is hacked and there’s an identity theft, people will think twice about going back to your practice,” says William E. Hannum III, an attorney at Schwartz Hannum in Andover who has been advising businesses on complying with the new regs. “That’s headline-grabbing stuff.”
Difficult to comply
Framingham lawyer Stephen E. Meltzer, who maintains a blog on data privacy and security and lectures frequently on the topic, estimates that 75 to 80 percent of large organizations – including hospitals and large health care organizations – are in compliance. But smaller organizations, which lack the same resources, are not even close.
“About half the people I’ve spoken to saw delays in implementation and decided they’d just wait. The other half don’t even know this exists,” says Meltzer. “I’d say readiness for small business is probably around 10 to 15 percent … And I’d say small physician practices are lumped in with the rest of small business in terms of readiness.”
Those working to comply are finding the process difficult. One complexity is that many of the federal regs deal with data privacy, but may not necessarily mesh well with the Massachusetts reg.
Making matters worse, the new privacy rule provides no specific guidance for health care organizations.
“Trying to make sure it all adds up is very challenging and frustrating,” says Anuj K. Goel, the Massachusetts Hospital Association’s vice president of legal and regulatory affairs.
“People want to do the right thing, but with everything happening already, and the state now adding more and more requirements, this takes time and resources to figure it all out.”
Eduard Goodman, chief privacy officer at Identity Theft 911, an Arizona-based company that’s helping providers comply with the new Massachusetts rule, says the biggest challenge he’s seeing is the intimidation factor.
“In my experience, with physicians there’s an automatic apprehension about a new regulation and anything that affects their day-to-day,” says Goodman, who is also an attorney. “Most doctors just want to be doctors, so the first hurdle is just recognizing that this is a requirement and digging in instead of putting it off.”
Meltzer agrees, saying doctors need to do something to get started. He suggests having a couple of physicians in the group who understand the business start by identifying what data the practice has electronically and on paper.
“Once you get started, just like anything else, it’ll start to make more and more sense,” he says.
Tips for compliance
Here are some tips to help physician practices comply with the new rules:
• Make sure all electronic information is protected.
Goodman says many physicians don’t realize all the places where digital data is stored.
Protecting personal information that is stored electronically means more than securing your computers, network and servers.
Many photocopiers, for example, have built-in hard drives.
“If you didn’t set it up right and you’re leasing it, you’d better [make certain] that whoever you’re leasing it from is taking care and scrubbing that data if you’re not doing it yourself,” Goodman says.
Similarly, most physicians don’t realize that their printers have built-in hard drives or flash memory that might be storing sensitive information like Social Security numbers, credit card data and medical information.
“Very rarely do [providers] go the extra yard and consider what they’re doing to secure copiers, smartphones, flash drives and printers,” says Goodman. “These devices aren’t named in the regulation, but they’re covered within [its] scope and are just not getting the attention they deserve from the security perspective.”
• Secure employee records.
While medical practices generally have patient information locked down to comply with HIPAA, employee information often sits out in an unsecure manner and is often on paper, says Hannum.
He urges providers to secure that information and to minimize the amount that’s retained in the first place.
“If you don’t need it, don’t keep it,” he says. “And when you shred it, you can’t just run it through a $20 shredder from OfficeMax. The [regulation] uses terms like ‘pulverize’ – destroyed in a way where it can’t be reconstituted.”
• Seek help from experts.
Finally, says Hannum, engage both a lawyer and an IT consultant to help you get into compliance. Each has critical expertise that the other doesn’t have.
Once you have your WISP in place, it’s crucial to treat it as a living, breathing document, rather than just filing it and calling it a day.
“There needs to be ongoing maintenance,” Hannum says. “This means continuous training of employees, monitoring policies, procedures and IT measures and certifying compliance when engaging with new vendors.”
He also recommends making one employee the practice’s “data security chief.” It might be a good role for someone who already handles human resources, Hannum says. MMLR
Questions or comments should be directed to the editor at: reni.gertner@mamedicallaw.com
The details of the new privacy rules
Here is a look at the major provisions of the new privacy regulation. These rules apply to all businesses that own or license personal information, including health care providers.
The comprehensive written information security program (WISP)
The rule requires any business that owns or licenses personal information to “develop, implement and maintain a comprehensive information security program” to secure that information.
Any program must:
• Designate an employee to maintain the WISP.
• Identify and assess reasonably foreseeable risks (internal and external).
• Develop security policies for keeping, accessing and transporting records.
• Impose disciplinary measures for violations of the program.
• Prevent access by terminated employees.
• Oversee service providers and contractually ensure compliance.
• Restrict physical access to records.
• Monitor security practices to ensure effectiveness and make changes if warranted.
• Review the program at least annually.
• Document responsive actions to breaches.
The program must be “consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns or licenses such information may be regulated.” It also must “contain administrative, technical and physical safeguards that are appropriate to” the specific business, its resources, the amount of information it stores and the need for security of both consumer and employee information.
Breach notification requirements
Under the new law, if the possessor or owner of personal information knows – or has reason to know – that a breach has occurred, it triggers the rule’s notification requirement. This includes any breach of security or unauthorized use or acquisition of personal information. A possessor (who is not an owner) must notify the owner of the breach. The owner must notify the Attorney General, the Office of Consumer Affairs and Business Regulation and the affected Massachusetts resident.
Security procedures for electronic information
Businesses, including health care providers, covered by the new regulations that store personal information electronically must include technical security procedures in their written policies. Procedures must be in place to protect computer systems, networks and portable devices, including wireless systems.
A computer security policy must include:
• Secure user authentication protocols, including unique user identification, strong passwords, access restricted to active user accounts and access blocked after multiple unsuccessful login attempts.
• Secure access control measures, restricting access to records that contain personal information to employees who need it to perform their job duties.
• Encryption of information transmitted over public or wireless networks.
• Monitoring of computer systems for unauthorized use or access to personal information.
• Encryption of all personal information stored on laptops or portable devices.
• Firewall systems and security patches for any computer system that contains personal information and is connected to the Internet.
• Security software, including antivirus and malware protection software with up-to-date patches and virus definitions.
• Education and training of employees on the proper use of the systems to secure personal information.
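As an added illustration (not part of the article or the regulation text), the following Python sketch shows how the authentication and monitoring items in the list above translate into a login gate: unique user IDs, access only for active accounts, lockout after repeated failed attempts, and an audit record of every attempt. The sample accounts, the lockout threshold of five and the password-hashing scheme are assumptions chosen for the example.

```python
# Added example, not from the article: a minimal login gate implementing the
# 201 CMR 17.0 authentication controls (unique user ID, active accounts only,
# lockout after multiple failed attempts) plus an audit log for monitoring.
# Sample users, the threshold and the hash parameters are assumptions.
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the rule only says "multiple"


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user random salt (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, active: bool = True) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "active": active, "failures": 0, "locked": False}


# Constructed sample accounts: one active clinician, one terminated employee.
USERS = {
    "dr.smith": make_user("correct horse battery staple"),
    "former.clerk": make_user("oldpassword", active=False),
}
AUDIT_LOG: list = []  # monitoring record: one (user_id, outcome) per attempt


def authenticate(user_id: str, password: str) -> str:
    """Return 'ok', 'denied' or 'locked' and record the attempt."""
    user = USERS.get(user_id)
    if user is None or not user["active"]:
        outcome = "denied"  # unknown account or terminated employee
    elif user["locked"]:
        outcome = "locked"  # blocked after multiple unsuccessful logins
    elif hmac.compare_digest(user["hash"], hash_password(password, user["salt"])):
        user["failures"] = 0  # successful login resets the failure counter
        outcome = "ok"
    else:
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True  # requires an administrator to unlock
        outcome = "denied"
    AUDIT_LOG.append((user_id, outcome))
    return outcome
```

The audit log is what the "monitoring for unauthorized use or access" item relies on; in practice it would be written to a protected log store rather than kept in memory.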
Data destruction procedures
After documents no longer need to be retained, the law requires that paper records be subject to redaction, burning, pulverizing and/or shredding such that personal information cannot be read or reconstructed.
Electronic information must also be destroyed in such a fashion that personal information cannot be read or reconstructed. MMLR
– Reni Gertner