HIT and Privacy Year in Review

2011 saw developments in a variety of areas related to privacy and health information technology (HIT).

Adoption of health information technology soared in 2011. According to HHS, more than 100,000 primary care practitioners registered for electronic health record (EHR) incentive programs through the 62 regional extension centers developed by the Office of the National Coordinator for Health Information Technology. The percentage of organizations where doctors use smartphones in their practice grew to 81 percent, up from 72 percent the previous year. Physicians have embraced tablet computers, particularly the iPad. The percentage of doctors using a tablet computer for their work went from zero to 27 percent in about a year. Doctors in practice 31 or more years were as likely to use a tablet as those with less than ten years’ practice. Apps for viewing medical images were one factor that led most users to adopt the iPad over Android-based tablets.

The increased use of mobile devices added to the risks of data breach. Increased use of mobile devices prompted an increase in data breaches. In December 2011, the Ponemon Institute published an update to its 2010 survey. Respondents from 72 healthcare organizations reported a 32 percent increase in security breaches in 2011. Nearly all (96 percent) had experienced at least one data breach. Although clinicians at 81 percent of organizations used mobile devices to access EHR, 49 percent stated that their organizations were not doing anything about the risks created by mobile devices. Most mobile devices are unencrypted and, therefore, not secure. Some hospitals will not permit any mobile access via a device that does not meet their security requirements; more have acceded to practitioners’ demand for access without imposing conditions. Mobile devices are easily lost or stolen, and whoever finds (or steals) a device may find unencrypted protected health information quite valuable.

Payments under the EHR incentive programs skyrocketed. Payments under the Medicare incentive program in May, the first month, totaled $75 million. In November 2011, CMS paid out $76 million to practitioners and nearly $315 million to hospitals in Medicare EHR incentives. As of the end of November, CMS had paid more than $920 million in Medicare EHR incentives. From January through November 2011, state agencies paid nearly $909 million ($234 million to practitioners and nearly $675 million to hospitals) under the Medicaid EHR incentive program. HHS recently announced creation of a database to identify all providers and practitioners who receive EHR incentive payments and track their progress in implementing their systems.

A doctor was sanctioned for posting on social media. A Rhode Island emergency room physician lost her job and was fined and reprimanded by the state licensing board after posting about a trauma patient. Although she did not use the patient’s name, the post included enough details for others in the community to identify him. Similarly, a nurse in Michigan was fired for posting information about a patient on Facebook even though the post did not include the patient’s name.

Enforcement of HIPAA strengthened. The Office of Civil Rights (OCR), which enforces the privacy and security components of the Health Insurance Portability and Accountability Act (HIPAA) (P.L. 104-191), began auditing providers for compliance with those requirements. Enforcement of HIPAA requirements was not limited to EHRs. A Massachusetts hospital agreed to pay $1 million to settle violations after an employee left patient records on the subway. OCR imposed its first penalties for HIPAA violations in February 2011. The organization was fined $1.3 million for refusal to provide patients with their medical records and an additional $3 million for failure or refusal to provide information requested by OCR.

120 data breaches that occurred in 2011 were added to the OCR “wall of shame.” These breaches involved actual or potential disclosure of private health information related to 500 or more individuals. Theft of a desktop computer at a Sacramento, California healthcare organization potentially compromised the health information of more than 3 million patients.

Delay of requirement to demonstrate meaningful use. The deadline for providers who request Medicare or Medicaid EHR incentive payments for investments in certified health information technology in 2011 was extended to 2014 from 2013.

Bar on texting of physician orders. The Joint Commission published a standard stating that transmission of physician orders to hospitals, laboratories or other settings by text message is unacceptable because: (1) the identity of the sender cannot be verified; and (2) there is no way to retain the message as validation of the entry in the medical record.

A developer of certified EHR modules disclosed inaccuracies in its software. The deficiencies relate to functions needed to report meaningful use.