ONC blog series tries to bust HIPAA information-sharing myths

The Office of the National Coordinator for Health Information Technology (ONC) is trying to shake the Health Insurance Portability and Accountability Act’s (HIPAA’s) (P.L. 104-91) image as a roadblock to information-sharing. In a four-part blog series, Chief Privacy Officer Lucia Savage, J.D., and Privacy Analyst Aja Brooks, J.D., described how HIPAA promotes interoperability through permitted uses and disclosures that do not require covered entities (CEs) to first obtain written authorization from the patient. The posts provided real-life examples of permitted uses and disclosures involved in exchanges for both treatment and health care operations.


If an individual authorizes a release of protected health information (PHI) in writing, including when she requests that the PHI be sent directly to a third party, a CE or business associate (BA) must generally comply. However, CEs and BAs are often uncomfortable releasing PHI when such authorization has not been given. The blogs emphasize that HIPAA permits the release of PHI for the treatment and health care operations of either the disclosing CE or the recipient CE (45 C.F.R. 164.506(c)). Treatment is defined in 45 C.F.R. 164.501 and includes, in addition to traditional treatment, referrals, coordination of health care services with a third party, and consultation between providers. A disclosing provider is responsible for disclosing the information in a permitted and secure manner, such as via certified electronic health record technology (CEHRT), but will not be liable for any actions that the recipient takes with that information.

Health care operations

Covered entities may also disclose information to other CEs or their respective BAs without authorization in certain circumstances related to health care operations, including those involving case management and quality assessment and improvement. In all instances, both CEs involved in the exchange must have an existing or previous relationship with the patient, the requested PHI must pertain to that relationship, and the disclosing CE must release only the minimum necessary information. For example, a physician may disclose the minimum necessary PHI related to diabetic and pre-diabetic patients to a health management company that is a BA of a health plan (CE) so that the health management company can, at the health plan’s request, provide semi-monthly nutritional advice to members. The ONC also indicated that providers who are part of an accountable care organization (ACO) and operate as an organized health care arrangement (OHCA) may provide PHI to the ACO’s quality committee for quality assessment purposes if, for example, the ACO is looking to improve its rate of hospital-acquired infections. Similarly, a provider may provide PHI about a current patient to the patient’s former provider if the former provider needs that information for quality assessment.

HIPAA: a tool for sharing?

The blog authors explained that HIPAA is not only a tool to protect PHI, but can also be used to enable access to that same information when necessary for patient care. They hoped that the posts “shed some light on how HIPAA supports the goal of nationwide, interoperable exchange of health information for patient care and health.” Perhaps wary providers will take note.

Another hit for health IT—now hackers hold hospitals hostage?

The nature of health care data security breaches is changing. Whereas the majority of lapses in health care information security were once caused by the loss and theft of devices, the greatest security threat to health care consumers and health care providers now comes from large-scale hacks. The shift has left the industry exposed. The Institute for Critical Infrastructure Technology warns that among all of the nation’s critical infrastructures, the most vulnerable is the health care sector. The warnings aren’t empty: in January 2015, a breach of Anthem, Inc. allowed hackers access to the information of 80 million Americans. Three months later, another 11 million individuals had information stolen when health insurer Premera Blue Cross was hacked. Now, hackers have taken things one step stranger by shutting down a California hospital’s internal computer system for a ransom of almost $3.7 million.

New trend

According to the 2016 Health Care Breach Report from security company Bitglass, 98 percent of leaked health care records were exposed as a result of large-scale hacks, like the Anthem and Premera hacks. Although the enormity of those breaches might at first suggest that a few large breaches skewed the results, the report also noted that even when the six largest breaches are excluded, hacking-related incidents still accounted for the majority of leaked health care data. The breach report explained that 111 million people were affected by data loss. The data lost included names, addresses, dates of birth, Social Security numbers, and medical claims information. Why are hackers targeting health care data? The obvious answer: money. According to a Ponemon Institute report, the average cost per lost or stolen record across all industries is $154, but when a record is stolen from a health care organization, the number rises to $363.


The trend is alarming, and the security threat does not appear to be stopping at conventional security hacks. The California hospital under ransom, Hollywood Presbyterian, was shut down by a type of malicious software known as ransomware. Like other malware, ransomware exploits a weakness in a computer system to get in; it then encrypts the victim’s data, which can only be decrypted with the attacker’s key. The hackers of Hollywood Presbyterian have placed a price on that key: 9,000 bitcoin, worth about $3.7 million. According to the hospital, the hack has impacted the provider’s ability to deliver care by interrupting email and access to certain systems, but it has not compromised patient medical records. Ransomware has been used before; in fact, since its emergence in 2013, 56 types of ransomware have been used.

What is next?

Some commentators are calling hackers “cyber barbarians” and warning that hacks could result in the actual loss of life. Although the scope of the threat is debatable, there is no dispute that a very real change is happening in the world of health care information security. While security experts say that the threats are addressable and, in some cases, preventable, health care organizations are facing new challenges. Whether they are called hostage takers, barbarians, or criminals, hackers are posing a real threat to private and sensitive health data. The question now is two-fold: (1) what can be done to address and stop the current breaches, and (2) what will the hackers attack with next?