Protecting your patients’ data
By Meghan S. Laska
August 25, 2011
The federal mandate requiring that all medical records be converted to an electronic format by 2015 has heightened concerns about protecting the confidentiality of patient data. Even an unintentional security breach can land doctors in serious legal trouble, whether they are storing data or sharing it with third parties.
Complicating the issue is the emergence of health information exchanges, which tend to vary from community to community in terms of their structure and security measures. Some simply relay data within a network, while others transmit and store patient information. Either way, it’s unlikely that an exchange will be 100 percent protected against hackers, so it’s important for physician practices to weigh the risks and benefits of participation.
“There are pro-privacy people on one side who believe that the risk of any disclosure of patient information is so horrific it must be prevented at any cost and others who say the need to exchange information is so great that there must be some tolerance of the risk of exposing patient privacy,” says Craig Schneider, director of healthcare policy at the Massachusetts Health Data Consortium in Waltham.
The key, he notes, is finding a balance between those sides.
So how do physicians find the right balance and manage risk when it comes to protecting patients’ electronic health information? Experts say that there are some “rules of the road” that can help doctors navigate this changing landscape and avoid pitfalls.
Learn the law
Familiarizing yourself with the applicable federal and state laws is a good place to start when considering patient privacy issues. While doctors presumably know about additional consent requirements that cover specific types of health care information in Massachusetts, such as AIDS testing and substance abuse treatment, they might not be as up to speed on laws addressing security breaches.
“The federal government has increasingly imposed penalties for improper disclosure of information and we’re seeing it on the state level as well,” says David Szabo, a partner at Edwards Angell Palmer & Dodge in Boston. “There is increased concern [from] the government about protecting data such as Social Security and credit card numbers as well as following proper security practices.”
In the event that information is lost or improperly accessed, Szabo notes that data breach notification laws might apply. If a patient record is breached because it is on a portable device that was lost, that might need to be reported both to the individuals whose data was on that device as well as to government agencies, he says.
Szabo recommends that medical practices review their insurance policies, as some policies are now being written to cover privacy risks.
“If a practice is making an investment in information technology, it’s a good time to consider whether they have the right kinds of insurance coverage for the types of liability they might be exposed to,” he says.
Dr. Larry Garber, medical director for informatics at the Fallon Clinic in Worcester, says there are several relatively simple steps – many of which are included in HIPAA – that can increase the security of patient data, including ensuring that personal computers are in a physically secure place, automatically logging off users after a period of inactivity, requiring passwords to access data and utilizing encryption programs when sending information.
However, he points out that underlying those measures is the need to educate employees about privacy policies.
Szabo agrees, noting that risks are created when employees are tempted to use information systems for unintended purposes.
“An example is a case involving a supervisor in a medical group who improperly accessed other employees’ electronic medical records. It sounds like a law school exam question: How many issues can you find in that situation? These systems weren’t designed so supervisors could see if employees were really out sick or actually had a doctor’s appointment when they were supposed to be at work,” he says.
Dr. Terry O’Malley, medical director for non-acute care services at Partners HealthCare System in Boston, says that practices need to have clear policies in place that are then enforced.
“If someone misuses access to data, then [he or she] should be fired. You need to have a book about the policies, but then demonstrate that you enforce them,” he says.
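The supervisor case and the point about enforcing access policies both come down to one control: reviewing the EHR audit trail for record access that has no care relationship behind it. The script below is an added illustration, not code from the article or from any EHR vendor. It assumes a constructed audit export (one pipe-delimited line per record access), a constructed encounter list giving which staff member had a legitimate care relationship with which patient on which day, and a constructed list of patients who are also employees of the practice; the log format, field names and identifiers are all invented for the example.

```python
"""Review an EHR access audit trail for record views with no care relationship.

Added example (not from the article). Assumptions, all constructed here:
  - audit lines look like  timestamp|user|role|patient_id|action
  - ENCOUNTERS lists (user, patient_id, YYYY-MM-DD) care relationships
  - EMPLOYEE_PATIENTS lists patients who are also staff of the practice
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample audit export: timestamp|user|role|patient_id|action
AUDIT_LOG = """\
2011-08-01T09:12:00|nurse.a|clinical|P1001|view
2011-08-01T09:40:00|sup.b|admin|P2002|view
2011-08-01T10:05:00|dr.c|clinical|P1001|view
2011-08-02T08:30:00|sup.b|admin|P2003|view
2011-08-02T11:00:00|dr.c|clinical|P3003|view
"""

# Constructed: patients who are also employees (the scenario in the article)
EMPLOYEE_PATIENTS = {"P2002", "P2003"}

# Constructed: (user, patient_id, encounter date) care relationships
ENCOUNTERS = {
    ("nurse.a", "P1001", "2011-08-01"),
    ("dr.c", "P1001", "2011-08-01"),
}


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_line(line: str) -> Access:
    """Parse one constructed audit line into an Access record."""
    when, user, role, patient, action = line.strip().split("|")
    return Access(datetime.fromisoformat(when), user, role, patient, action)


def has_care_relationship(user, patient, on: date, encounters, window_days):
    """True if the user had an encounter with the patient within window_days."""
    for enc_user, enc_patient, enc_day in encounters:
        if enc_user == user and enc_patient == patient:
            if abs((on - date.fromisoformat(enc_day)).days) <= window_days:
                return True
    return False


def review(log_text, encounters, employee_patients, window_days=1):
    """Return one finding per access that lacks a care relationship.

    Access to a fellow employee's record without a care relationship is
    rated 'high' (the supervisor case); any other unexplained access is
    'medium'. Accesses backed by an encounter are not reported.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        a = parse_line(line)
        if has_care_relationship(a.user, a.patient, a.when.date(),
                                 encounters, window_days):
            continue
        findings.append({
            "when": a.when.isoformat(),
            "user": a.user,
            "role": a.role,
            "patient": a.patient,
            "severity": "high" if a.patient in employee_patients else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in review(AUDIT_LOG, ENCOUNTERS, EMPLOYEE_PATIENTS):
        print(finding)
```

The encounter window is the tunable part: a tight window (one day) catches browsing while keeping legitimate follow-up reads quiet, and anything the script flags is a lead for the privacy officer to review against the written policy, not an automatic verdict.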
Exchanging information
An increasing number of physicians have the option of using health information exchanges, which move and sometimes aggregate electronic information within a network, such as a community, region or health care system.
According to Schneider, every state currently has at least one health information exchange grant recipient. “We are at the fledgling stage of this, but they will be growing rapidly over the next few years.”
These exchanges can create privacy issues. Schneider recommends that, when deciding whether to participate, physicians consult their state medical society or the local hospital where they have admitting privileges to determine “if they endorse the protocols of the health information exchange.”
According to Garber, another thing for physicians to consider is the use of risk-sharing contracts.
With risk-sharing contracts, the practice is paid a fixed amount of money by a health plan to care for a certain population of patients. If at the end of the year the patients’ bills are less than the amount the practice received, then the practice makes money. Otherwise the practice loses money, Garber explains. He says that this payment structure is becoming more common.
When physicians share the financial risk for patients, says Garber, they are then allowed to see all of the claims and bills for those patients.
“If one of those patients goes to see a specialist in Boston or gets a test outside of our system, I’ll see those claims each week as we load them into our electronic records. I’ve even had patients go to Florida in the winter where they’ve needed care in an emergency room. When they return, they don’t even have to tell me about it because I’ve already received that information in a standardized format,” he says.
Risk-sharing contracts delegate some of the payer’s administrative functions to the provider organization, notes Garber. At the same time, this moves the patient consent process, which typically would be handled by the provider organization involved in a health information exchange, back to the payer when a patient signs up for insurance.
However, Garber notes that this does not reduce either organization’s responsibilities to maintain the privacy and security of patient data.
“There are numerous ways to securely connect these organizations, including a formal health information exchange, a direct VPN (virtual private network) connection, or secure encrypted e-mail. Direct (www.directproject.org) uses the latter and multiple EMR vendors have, or are planning to provide, support for it within their EMR.”
Garber maintains that for practices that are large enough to negotiate good risk-sharing contracts with health plans, it is a worthwhile structure.
“We can take phenomenal care of those patients because we have more complete information about them,” he says. MMLR
Questions or comments can be directed to the editor at: reni.gertner@mamedicallaw.com