Christine Sarrico
Jim Hauenstein

Hospitals appear to be in a no-win situation in trying to balance the conflicting mandates of promoting increased information sharing while ensuring the privacy of patients' personal health information.


At a Glance   

  • For Enloe Medical Center in California, a good-faith effort to self-report a breach in the privacy of a patient's medical record resulted in a six-figure fine imposed by a state regulatory agency.
  • Hospitals face a "catch-22" situation in responding to the conflicting mandates of developing electronic health records that allow information sharing across institutions versus ensuring absolute protection and security of patients' individual health information.  
  • Some industry analysts suggest that the sanctions for security breaches such as the one experienced by Enloe will have the unintended effect of discouraging self-reporting of breaches.  

It's a nightmare scenario for any healthcare institution: a self-audit that turns up a breach of privacy regarding a sensitive medical record. No breach of privacy is ever tolerable, but few would argue that any imposed sanctions or penalties need to take into account degrees of seriousness and mitigating factors-both before and after a breach.

Unfortunately, at Enloe Medical Center in Chico, Calif., a recent self-reported breach of the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) resulted in a six-figure fine that brought into the spotlight many of the issues surrounding the dynamic tension between electronic health records (EHRs) and privacy. These issues leave many experts and healthcare professionals confused and frustrated regarding how best to achieve the promised benefits without forsaking patient privacy.

Cost-Efficiency and Better Care Versus Privacy Concerns

It began in February 2009, when President Barack Obama signed the American Recovery and Reinvestment Act (ARRA), popularly known as the federal stimulus package, into law. A key provision of ARRA is the Health Information Technology for Economic and Clinical Health (HITECH) Act, created to fund accelerated deployments of IT in health care, particularly EHRs. That act also significantly expanded the financial risks and penalties for HIPAA violations.

As one of the early adopters and longtime advocates of EHRs, Enloe has strongly supported the ability for providers to securely access and share medical information electronically. The health system also takes privacy very seriously and has invested significant money in educating internal and administrative staffs of its providers and partners about their responsibilities in protecting privacy.

However, recent events have given the organization pause about the usage and regulatory framework surrounding EHRs. In Enloe's case, a patient received treatment at the facility for an injury, the nature of which had the potential to arouse curiosity. The sensitivity of the circumstances surrounding treatment prompted Enloe's administrators to perform a self-audit on the case, leading to a finding that seven people had inappropriately accessed that patient's medical record. One of these people was an Enloe employee, five were employed by physician practices, and the seventh was a vendor representative who was working with Enloe on patient collections and was not authorized to view information on individual patients.

Enloe's leaders promptly took corrective and disciplinary measures, notified the patient of the breach, notified the provider partners of the breach, and reported the incident to the Centers for Medicare & Medicaid Services and the California Department of Public Health (CDPH). The leaders were shocked when, nearly a year after they reported the incident, CDPH decided to hold Enloe accountable for all breaches and issued a fine of $130,000. Its position was that the owner of the record is strictly liable and accountable for all breaches-even those acts committed intentionally by outside individuals who had received, and acknowledged receiving, adequate training on Enloe's patient privacy policies.

The CDPH's fine prompted some physicians to flatly refuse to accept access to Enloe's EHRs, citing the potential liability they would face for events they cannot control. As a result, Enloe has two critical mandates that are in conflict. The first is to capitalize on the improved efficiency that EHRs can promote by enabling information sharing across institutions and health systems to reduce or eliminate redundant tests and treatment and improve patient care and outcomes. But the second is to safeguard patients' privacy, which points to an inherent problem: How can a hospital move to EHRs and share data across institutions if the hospital could be held accountable for privacy violations committed by other institutions?

For some industry experts, the problem starts with the approach taken by the CDPH in fining Enloe for the privacy violation. Scott Withrow, Esq., founding partner at Withrow, McQuade & Olsen LLP in Atlanta, is one such expert who believes that sanctions are not the right approach to EHRs and privacy. "The right way is to design a system without any breaches-that's what we should be striving for," he says. "The fact is, paper isn't convenient, cost-effective, or easy to share-but it is far more secure. There are far fewer opportunities for someone to access a patient's paper file that's in a locked file room. EHRs save money, but the costs to make EHRs as secure as paper-well, those might actually exceed the savings of EHRs themselves."

Withrow suggests hospitals are right to be wary of the downside of EHRs. "The information is too sensitive and breaches are high-publicity events," he says. "And given CDPH's lengthy delay in issuing the fine, one can only wonder what kinds of exposure dozens of major health systems are facing at this very moment in unresolved cases. It may well be that the costs outweigh the process savings. And with HITECH increasing the stakes of privacy breaches, that only tips the scales further. So the only alternative for regulators is to employ a heavy-handed approach."

Withrow points to the inherent distrust people have in EHRs as perhaps the greatest hurdle to overcome, however. "In the financial services industry, the public has seen high-profile breaches where thieves have stolen thousands of credit-card numbers from supposedly impenetrable systems," he says. "I've seen a real uneasiness about EHRs. In some ways, the government is jamming EHRs down the public's throat, but people just don't believe the privacy controls will be sufficient."

A Need for Standards

There is also some question as to whether regulators might be providing a significant disincentive to self-report HIPAA breaches that are uncovered during internal audits. A series of graduated warnings or penalties might be a more appropriate framework with respect to HIPAA breaches. But guidelines regarding such incidents have not yet been developed.

Moreover, the lack of any evidence that regulators have clear investigative procedures in place is a point of concern. Rather than actively researching such incidents, interviewing the participants, or determining the timelines, regulators seem more inclined to treat such matters in a cursory manner, from a high-level perspective. And, as Enloe's experience seems to suggest, they do not appear to be acknowledging hospitals' efforts to train staff and implement security measures to prevent breaches.

In Enloe's case, the regulators could have looked closely at the situation and, recognizing the hospital's good-faith effort to address the problem, issued a fair and equitable sanction. The regulators' approach, however, raises a reasonable concern that until guidelines and standards are in place and fully propagated to healthcare organizations, health systems will regard it as counter-productive to self-report breaches. Instead, they may opt to address breaches quietly and internally, with the hope of avoiding an external audit.

Securing an EHR today presents a substantial technical challenge, and a complete solution may still be some years away. Nonetheless, it remains incumbent upon health systems to monitor the security levels of their applications. One important protection that Enloe has instituted is to place restrictions on which application and module within that application a user can access, despite the user's having established his or her ID at logon.

Indeed, a common criticism of vendor software security for clinical information systems is that the user's logon is all too often linked not only to the application, but also down to the individual patient record-level. Vendors' rationale for this practice is that it is a costly and complex matter to restrict a user's access to a specific patient record. Thus, all too often, if a provider's administrator has access to patient records through a health information exchange (HIE), that administrator also will have access records of people who are not the provider's patients.

This situation underscores the inherent dilemma: One arm of government is telling providers that they must aggressively pursue initiatives to create information access. Another regulatory group is issuing fines for privacy breaches, while technology vendors are unable to deliver the tighter levels of access security. Healthcare IT leaders are working to address this challenge. Many have implemented application-level securityand are working with internal compliance professionals to conduct training and regular audits to detect inappropriate accesses. However, it may be wishful thinking to expect the industry to achieve more than that-at least today.

Do We Need HIPAA 2.0 for EHRs and HIEs?

It's not that vendors are insensitive to this issue. Binda Mangat, CEO of Quorum Technologies, a leading systems integrator, expresses the challenge in this way: "Right now, this is a huge issue-and a complete paradox. You have a presidential administration that is gung-ho to promote EHRs, but no one is looking at how to properly deploy them or what the repercussions would be.

"I think a key question is the most fundamental: Who owns the EHR? I've been asking that for 20 years, and there's still no answer. Is it the doctor, the hospital, or the patient? I believe the patient owns it-but that view is far from pervasive."

Mangat also points out that there are structural impediments that prevent healthcare systems from maximizing the value of EHRs by sharing them. "Everyone talks about HIEs, but the hard truth is that few health systems have agreements in place to actually work with one another to make them happen. Here in Sacramento, we had an initiative to bring all of the major health systems together. But that fell apart because every participant, understandably, wanted to shape the result to fit its own best interests."

What's still missing, says Manat, is a regulatory body to force the issue. "Until someone says, 'Here's the platform, here are the standards, and here is the legal protection,' it's very unlikely that a hospital will want to be on the high-risk bleeding edge of this issue," he says. "Really, what we need here is what I'd call 'HIPAA 2.0' because, in the original HIPAA, we weren't even thinking about something as complex as HIEs. The health record should belong to the patient, who grants permission to access or store that record. Canada has done excellent work in this area. It mandates the storage of the record in a central repository and mandates that providers access that collective, centralized record."

Laudable, but Elusive, Goals

In the aftermath of the fine levied against it by the CDPH, Enloe has initiated a complete appeal of the case and intends to mount an appropriately vigorous defense. In the meantime, Enloe's executives remain concerned about the conflicting goals of broader access to medical records and airtight privacy. These are laudable goals, of course-and healthcare providers should remain strongly committed to achieving them. However, in the short term, when access goals meet privacy concerns in the real world, the result often falls short of the healthcare industry's aspirations.


Christine Sarrico, FHFMA, is CFO, St. Agnes Medical Center, Fresno, Calif., a member of HFMA's Northern California Chapter, and a member of HFMA's National Board of Directors (Christine.Sarrico@samc.com

Jim Hauenstein is CIO, Enloe Medical Center, Chico, Calif. (jim.hauenstein@enloe.org).


sidebar 1

about Enloe Medical Center
Enloe Medical Center is a 382-bed hospital headquartered in Chico, Calif., that offers a full continuum of health services ranging from preventive education and outpatient services to acute care, behavioral health, inpatient rehabilitation, home health, and hospice services. The hospital, which is an independent, not-for-profit healthcare organization governed by a community-based board, serves more than 400,000 residents in a six-county region in Northern California.


Sidebar 2

A Checklist for Improving EHRs to Comply with HIPAA Privacy Requirements  

Regulators:  

  • Publish standards and definitions regarding what constitutes a violation.
  • Create levels of severity and devise a hierarchy of warnings and fines that are based on standards.

Healthcare providers:  

  • Tighten internal compliance procedures.
  • Conduct extensive and regular training of all employees.
  • Train the employees of provider-partners.
  • Obtain signed privacy agreements with all employees.
  • Conduct regular audits to ensure compliance.

Software developers:  

  • Create and implement record-level security to restrict access to a patient's file solely to those with a clinical interest and responsibility in the case.

Publication Date: Tuesday, February 01, 2011

Login Required

If you are an existing member, please log in below. Username and password are required.

Username:

Password:

Forgot User Name?
Forgot Password?

If you are not an HFMA member and would like to access portions of our content for 30 days, please fill out the following.

First Name:

Last Name:

Email:

   Become an HFMA member instead