Mental Health Tools: From Office To Pocket

A Saturday night phone call gave no indication it heralded months of bureaucracy, finger pointing, expense -- and the dismal realization that even the smallest healthcare provider is liable and harmed when a business associate suffers a HIPAA breach.

"This is a lot of burden on a very small practice. They didn't cause the breach, but they definitely suffer the consequences because of it," said Art Gross, president and CEO of HIPAA Secure Now, in an interview.

On one end of the phone was Dr. Bill Jones (pseudonym), who employs six people at his oral surgery practice. On the other was a patient's parent, a self-described computer geek who had spent the evening doing his customary bimonthly online search of family members' names -- only to discover that his son's health information from Jones's web-based admissions form was readily available to anyone with more than basic computer skills. Although a Google search didn't disclose the boy's information, Jones's more-computer-savvy son successfully located the patient's data with a more-sophisticated search, Jones told InformationWeek.

[How connected? Read Healthcare Big Data Debate: Public Good Vs. Privacy.]

As a small practice with no full-time IT professionals on staff, Jones relied on a solution provider to maintain his workstations and network, design his website, and support an electronic registration form patients could complete prior to visiting the office for dental surgery. The office also installed an electronic health record (EHR) software package earlier that year. The form included information such as name, date of birth, address, and insurance provider, and thousands of people used the feature since the practice began offering this capability in fall 2006, Jones said.

When he learned of the breach, Jones had no way to reach the service provider and take down the site until 8 a.m. on Monday. Initially, the two organizations worked together to figure out and resolve the problem, said Jones.

"On Monday, the company found 50 patients affected over about six months. The database had become live and searchable. They found the error. They shut it down. We still haven't relaunched it. Thousands of patients use it a year. We typically see a patient for a particular problem; treat that problem, and then the patient's released back to their regular dentist. There are thousands of patients so it's a very, very small percentage [affected] but it's still a very major problem. The very frustrating thing is I didn't have direct control of it."

Figure 1: (Source: AJ Cann/Flickr)

Even though the breach occurred at a technology service provider that signed a business associate contract and was HIPAA certified, Jones quickly learned that his practice was not indemnified. Once notified of the breach, the Office of Civil Rights (OCR) wrote to the dental surgery and asked it to provide proof of the security steps it had taken both before and after its business associate's breach within 20 days, said Gross. The list of required items included:

Jones, who is self-insured for malpractice, immediately contacted the insurer who led the investigation into the breach and ordered a HIPAA security analysis -- which the practice had begun working through even before it received OCR's letter.

Prior to the breach, all employees had undergone HIPAA and HITECH training, said Jones. The dental surgery office, which does not accept Medicare but is accredited with the Joint Commission, has a large three-ring

Next Page

binder of compliance rules and conducts training annually. Attorneys laughed at the provider's binder, Jones said ruefully. Its annual training initiatives and other safeguards did not typically include the formal documentation processes OCR demanded.

"I think we're as well prepared as most practices are but we weren't prepared for what happened here," said Jones.

OCR requires documentation; small practices don't necessarily take attendance for online training sessions, for example, or formally list processes they practice, Gross said. Also, small practices might not have the internal capabilities to verify that business associates comply with the terms of their contracts or fail to address details such as notification timing, he added.

The government gives organizations 60 days after discovery of a breach to notify patients: After a billing company found a breach in its system, it alerted one practice on day 52, giving the healthcare provider only eight days to react, prepare, and share a message with patients, said Gross, discussing other small practices affected by business associate breaches.

"I think you'll get those details if the covered entity or the business associate went to a lawyer, but a lot of these business associate agreements are standard boilerplate business associate agreements, and some of the details are not defined," he said. "A lot of organizations are just signing these documents without knowing what it is, especially on the associate side. I think you're seeing a lot of signatures of business associate agreements without attention to detail."

While still wondering how OCR will penalize his practice after it completes the review, Jones already has learned from this experience, he said. The dental surgery, which stopped working with its first solution provider after finger-pointing began, offered two years of LifeLock monitoring to all 50 affected patients; about half took the service, said Jones. The father of the patient who discovered the breach requested more.

"He wanted 10 years, which we eventually decided to do. And then he signed a letter of understanding and agreed not to pursue any further action against the practice," said Jones. "I can understand some dismay there. I can understand how he felt."

In addition, the practice upgraded all its computers to Windows 8, including the few previously still on Windows XP. It also is working closely with its insurer, attorneys, a local solution provider, and HIPAA Secure Now on the audit and improvements to training, technology, documentation, and practices, and added encryption and vulnerability testing, said Jones. 

The owners of electronic health records aren't necessarily the patients. How much control should they have? Get the new Who Owns Patient Data? issue of InformationWeek Healthcare today.