In part one of this Q&A, Micky Tripathi, president and CEO of the Massachusetts eHealth Collaborative, discusses the effects the HIPAA omnibus rule has had on health information exchange and how his organization's encryption policies have changed in response to a 2010 data breach.
In the spring of 2010, one of your employees had his company laptop stolen, which contained unencrypted records for nearly 14,000 patients, costing your organization nearly $300,000 and 600 hours of work. What has changed in terms of your approach to device encryption and how did you go about selecting a vendor?
Micky Tripathi: There is always a combination of technical and policy controls to put in place. With respect to policy controls, what we did was bolster our training and clarify the various ways in which, from a process and policy perspective, PHI [personal health information] needed to be handled. This included "formal registration" by our employees in terms of which projects they will need to access PHI and in what time period. So they report that to our security and compliance officer and he has a running list of who should be having access to PHI. So this gives us an overall sense of the personnel and devices that we have [that] might have PHI on them or not.
In terms of the technical controls we put in place, there is a law in Massachusetts that requires encryption of PHI, and it's not specific to healthcare. It applies to any organization that has any type of account information, which would be anything that is not available publically but could be deemed as account information, such as a social security number or a health insurance identifier. So that's a requirement we have to meet anyway. We were already in the process of investigating options for encryption, but unfortunately this breach happened when we were in the middle of that investigation and hadn't yet chosen a solution and implemented it.
We ended up choosing full disk encryption for all of our mobile devices. All of them have whole disk encryption. We evaluated four to five different solutions, looked at them from a cost and effectiveness tradeoff. We also made sure we had a couple of other solutions available to all employees, such as secure email -- we went with ZixMail -- to make sure they had the ability to send things in encrypted form, either to clients or among our own staff. We also provided them [with] the capability via a software solution for encrypting files on their own. For example, if they needed to put something on a flash drive and be able to give it to an authorized customer or staff member, they could do that in a secure fashion.
What are the main implications of the HIPAA omnibus on health information exchange (HIE) development as you see it, and how is this impacting initiatives with the Massachusetts Health Information Highway (Mass HIway) and efforts in New Hampshire?
Tripathi: There are a number of changes that came about with the HIPAA omnibus, but I'm not sure many of them have fundamentally changed much of what most health information exchange organizations have been doing -- I don't think it has changed anything for Massachusetts or New Hampshire. In terms of overall policy direction though, there are certainly different rules and requirements that we now have that we didn't have before. But both of those efforts have really been working toward the spirit as well as the letter. For example, the requirement that organizations become BAs [business associates]. My company [the Massachusetts eHealth Collaborative] is a data warehouse, HIPAA says we have to be a BA, but we already were a BA for the purpose of a data warehouse, so these were things we were already doing and most public information organizations that I know were already doing.
But certainly the scope of it applies to some categories such as cloud computing and other vendors like that who were a little bit of limbo. Clearly they maintain PHI, so they're now covered by BAAs [business associate agreements]. There are going to be new requirements for notice of privacy practices, so every organization now who is participating in HIE would need to include the HIE in their notice of privacy practices, so that would be an update of their NPP [Notice of Privacy Practice] that they give to their patients.
Now there is no so-called affirmative distribution requirement on providers, as I understand it.
There are a number of changes that came about with the HIPAA omnibus, but I'm not sure many of them have fundamentally changed much of what most health information exchange organizations have been doing.
president and CEO, Massachusetts eHealth Collaborative
I'm not an attorney, but based on a business perspective, my understanding is they don't have an affirmative distribution requirement, and what that means is, if you are a provider participating in an HIE, you are now required to include the HIE as one of the organizations who would be receiving PHI from the practice. You are not required to send out a new NPP to every patient -- all you're required to do is update that NPP, post it on your website or wherever you make it available, and then as patients come in, you give them the new NPP to sign. But you don't need to go back through all of your patients in your active patient roll and send out the new NPP.
That is different from health plans, however, where my understanding is that they do have affirmative distribution requirements, so if they are part of an HIE, they would technically have to update their NPP to include the HIE and they would be required to send out the new NPP to all of their members. So [there's] a little bit of difference depending on who you are -- this is one area for providers that is not a big change, but for health plans, it's a higher administrative requirement you have to meet.
In terms of accounting for disclosures, breach notification, the removal of risk of harm -- those just strike me as being different technical things -- technical from a policy and implementation perspective -- that organizations need to account for, but don't seem to account for significant change.
The only other area [that] is not clear is that there is a change specific to HIEs [on] restrictions on self-pay transactions. I think this is more of a provider issue, but the HIPAA omnibus says [when dealing with] information that regards an episode of care where the patient completely pays out of pocket, a patient has the right to prevent the health plan from receiving that information from that encounter. Right now, EHRs are not built to filter out that information, nor are most HIEs. Again, the restriction is on the health plan, so if the plan isn't participating in the HIE, it won't change anything. But if the plan is involved in the HIE, and the plan has routinely had access to that information, that does present the need now to say, "How am I going to prevent that health plan from seeing information on encounters that were fully paid for out of pocket?" And again, EHRs don't really capture that information right now, so there is going to need to be a little bit of work to be done from a policy and technology perspective as to how to enforce such a requirement.
How will the new omnibus rule change data breach reporting (i.e., will there be a lot more)? Will business associates be thrown under the bus more often?
Tripathi: My perspective is that they ought to be thrown under the bus when they deserve it. Prior to this rule,[and] I spoke to this on my blog after the breach, there was this weird gray area where it wasn't clear that [the] OCR [Office for Civil Rights] had jurisdiction over us, for example, because we were a contractor to a BA, and that struck me as being quite bizarre and actually wrong, even though it "benefitted us," and I put that in quotes to have it not be clear whether [the] OCR had jurisdiction over us from a societal perspective. It seemed to me that they absolutely should have had jurisdiction over us, and they should have been able to follow the path of a data breach as far down through the chain of contractors as it needed to go. So it makes all the sense in the world to me for them to have jurisdiction over BAs and contractors to BAs all the way down to the point of a material breach.
Does that mean they'll get thrown under the bus more? The rule still says the covered entity (CE) is ultimately responsible. When your BA screws up, you as a CE are still responsible for that. So it doesn't take the CE off the hook, it just means BAs are more accountable themselves for whatever transgressions for which they have been responsible.
In terms of whether more breaches will get reported, since the HIPAA final rule repealed the risk of harm test, and again in my blog I talk a lot about the gymnastics that we have to go through in our forensic analysis to even decide, "Is this a breach or not?" and "How many individuals records were actually breached?" There was a lot of ambiguity around what that "risk of harm" actually meant. They now have a four-factor test, instead of a general risk of harm statement, which you go through to determine whether a breach has occurred. I think that should make things a little bit better, but I don't know if that means more or fewer breaches will be reported. It would be an interesting sort of test for us to sort of ask ourselves if this four-part test was enforced back when we had our breach, would it still [have] been a breach?
There are a couple of attorneys who I know and respect who think this will lead to more breaches being reportable than in the past, and again I'm an attorney, but perhaps just because it's just more objective now.
Continue to the second part of this Q&A.
This was first published in May 2013