
Encryption tops new rules of electronic health records compliance

When it comes to electronic health records and personal health information, secure storage can have many meanings, but only one that counts: Encrypt data as many ways as you can.

Electronic health records are in the news, but they’re not as new as you might think. My first involvement with electronic health records was in 1976, with the American College of Surgeons’ end-stage renal disease information system. This kept records of every U.S. citizen who had been diagnosed with end-stage renal disease. It provided information regarding patient demographics, primary diagnosis, lab orders, lab results, treatment plans, drugs prescribed, physicians seen and patient visit history. That made it one of the federal government’s first electronic health data systems. The system provided a rich mine of clinical information that improved patient services and clinical treatment.

I was impressed that the federal government, through the Social Security Administration, was taking an active part in improving health care for its citizens. Interestingly, at the time neither the government nor the health care organization storing this data had any requirements for securing the data. There was no data encryption, no encrypted backup tapes and no means to audit who saw the information.

Now, after many years of attempts by government agencies, private industry and medical institutions to improve health care through electronic data services, the message we are hearing is that protected health information (PHI) needs to be secured, managed and audited. The public feels health care is broken. Health care costs are out of control. Patient information has been lost. Access to medical records has been compromised. Health care services vary with geographic location and patient finances.

These are the reasons why the electronic health record (EHR) is now center stage in the eyes of the administration. That attention will require IT managers in health care institutions to renew their focus on data security. Encrypted transmission and storage of data, stricter and multilayered authentication, and auditability -- all these will become part of the health care IT landscape as we move toward ubiquitous EHR.

But that’s just the tip of the iceberg. The administration and Congress see the need for EHR systems but cannot provide a roadmap to get there. They are depending on major health care and computer hardware vendors to provide the integrated EHR solutions but don’t have a clue as to how it can be done. They enact laws to fine and punish providers who experience breaches in their PHI data but provide no solutions or, more importantly, funding to help health care institutions secure PHI. Health care reform will cost health care institutions a significant amount of money in their information systems departments that has yet to be addressed by the executive branch or Congress.

Health care IT data requirements

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA). This law was enacted to protect patient identities, medical records (paper and electronic), health insurance information and protected health information. All clinical institutions, hospitals, health insurance companies and health care vendors must meet HIPAA compliance requirements.

Even though HIPAA has strict compliance requirements, not many noncompliant institutions have been held accountable in the years since the law was enacted. Most clinical institutions are still playing catch-up in assuring that their IT systems for managing EHR and PHI data are HIPAA-compliant.

If HIPAA has been a gradual change, the federal government’s latest moves have been a shock to the system. On Feb. 17, 2009, President Barack Obama signed into law a $787 billion economic stimulus package, the American Recovery and Reinvestment Act (ARRA). The key health care component of ARRA is the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as Title XIII of Division A and Title IV of Division B of the act. That is the law that will put accountability into HIPAA, or what I refer to as the “teeth” of HIPAA compliance. The law will also allow the present administration to set its foundation for health care reform.

The federal agency charged with enforcing the HITECH Act is the Department of Health and Human Services (HHS). Enforcement of the HITECH Act statutes started Aug. 18. In other words, HITECH is now in force. With the HITECH Act signed into law, Obama stated his case on June 15 at the annual conference of the American Medical Association in Chicago (italics mine):

“Now … how do we permanently bring down costs and make quality, affordable health care available to every single American? That's what I've come to talk about today. … Fix what's broken and build on what works. If we do that, we can build a health care system … a system that gives Americans the best care at the lowest cost.

“First, we need to upgrade our medical records by switching from a paper to an electronic system of record-keeping. And we've already begun to do this with an investment we made as part of our Recovery Act.

“You shouldn't have to tell every new doctor you see about your medical history or what prescriptions you're taking. You shouldn't have to repeat costly tests. All that information should be stored securely in a private medical record so that your information can be tracked from one doctor to another -- even if you change jobs, even if you move, even if you have to see a number of different specialists. That's just common sense.”

The key words are “stored securely in a private medical record.” Those words will keep every health care CIO from sleeping well at night. Although the words seem so simple, actually accomplishing this is incredibly difficult for a clinical institution.

The new basics for health care IT

Starting with stored securely, it doesn’t take long for a CIO to realize that EHR and PHI security is the proverbial onion that must be peeled. The onion layers include the following issues:

  • Data encryption
  • Secure storage
  • Strong authentication
  • Role-based privileges
  • Reporting
  • Audit logging

The costs of these requirements are not specifically addressed in the health care reform bill, making compliance with the HITECH Act costly for clinical organizations that have not made any progress on these layers. Secure storage of EHR and PHI will require health care institutions to provide data encryption at the server and PC levels, secure storage and encrypted backup storage:

Data encryption at the server and PC level: Health care CIOs should already have implemented hardware encryption wherever possible. Now that the HITECH Act is law, encryption is no longer optional in practice: the act’s breach notification duties attach to unsecured PHI, so an encrypted disk or tape lost without its key is not a reportable breach, while an unencrypted one is.

Secure storage: Many disk vendors offer hardware encryption for PC disks at a reasonable cost, and software full-disk encryption vendors offer good choices as well. Either can spare a clinical organization liability for the EHR data stored on a PC that is lost or stolen, with two caveats a CIO should understand before relying on it: full-disk encryption protects data only while the machine is powered off or the disk is locked, not while a user is logged in; and recovery keys must be escrowed centrally, or a forgotten passphrase turns a protected PC into a lost record set.

Encrypted backup storage: In May 2008, a backup tape of patient data was stolen from an employee of a North Carolina clinical practice organization who was on his way to deliver the tape to a secure, off-site data storage facility. The backup tape, which contained patient information including names, addresses, Social Security numbers, employers, insurance companies, policy numbers and family members, was not encrypted. The liability impact to the clinical practice was overwhelming -- notification to the police, the North Carolina Department of Justice and the Consumer Protection Division, as well as to 40,000 North Carolina residents, was a significant financial burden to the organization. Future litigation is still undetermined.

Most backup tape vendors offer hardware data encryption in the tape drive itself (LTO-4 and later drives encrypt with AES-256 in hardware) that provides a best-practice level of security for stored data and can accomplish encrypted backups without sacrificing backup speed and performance. What the drive cannot do for you is key management: the keys must be held, backed up and retired by the organization, separately from the tapes, because a key that travels with the media protects nothing and a key that is lost turns an encrypted backup into an unreadable one. The “common sense” solution of encrypted backup tapes is far less costly than any litigation.
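The encrypted backup storage layer described above, as an added example that is not part of the original article and not the code or practice of any vendor or institution the article names: the following Go program stands in for a tape drive’s hardware encryption so that the behaviour of an encrypted tape can be seen end to end. It assumes a hypothetical key manager that issues 256-bit keys and keeps them off the tape; the patient record, the tape label and the key-identifier scheme are constructed for illustration only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// newTapeKey generates a fresh 256-bit data-encryption key. In production a
// key manager or HSM issues and retains it (assumed here); the tape never
// carries the key itself.
func newTapeKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// keyID is the only key-related value written to the tape: a truncated hash
// that lets a restore ask the key manager for the right key without exposing it.
func keyID(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:8])
}

// sealBackup encrypts a backup image with AES-256-GCM. Layout on tape:
// nonce || ciphertext || 16-byte authentication tag. The tape label is
// authenticated as additional data, so a tape relabeled to stand in for
// another one will not open.
func sealBackup(key, image []byte, label string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("sealBackup: key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce, so the nonce leads.
	return gcm.Seal(nonce, nonce, image, []byte(label)), nil
}

// openBackup reverses sealBackup. A wrong key, a wrong label, a truncated
// tape or a single flipped bit is refused outright; no partial plaintext is
// ever returned, which is what makes a lost tape secured rather than scrambled.
func openBackup(key, sealed []byte, label string) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("openBackup: key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("openBackup: sealed image too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	image, err := gcm.Open(nil, nonce, body, []byte(label))
	if err != nil {
		return nil, errors.New("openBackup: authentication failed (wrong key, wrong label or altered tape)")
	}
	return image, nil
}

// containsPHI reports whether an identifier is readable in the bytes as
// written to tape; this is the stolen-tape case from the article.
func containsPHI(tape []byte, needle string) bool {
	return bytes.Contains(tape, []byte(needle))
}

func main() {
	// Constructed sample record; not real patient data.
	image := []byte("name=Jane Doe;ssn=000-00-0000;dx=ESRD;policy=HC-12345\n")
	key, err := newTapeKey()
	if err != nil {
		panic(err)
	}
	label := "TAPE-2008-05-WEEKLY" // hypothetical tape label
	tape, err := sealBackup(key, image, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape %s key-id %s bytes %d\n", label, keyID(key), len(tape))
	fmt.Println("SSN readable on tape:", containsPHI(tape, "000-00-0000"))

	back, err := openBackup(key, tape, label)
	fmt.Println("restore with correct key ok:", err == nil && bytes.Equal(back, image))

	other, _ := newTapeKey()
	_, err = openBackup(other, tape, label)
	fmt.Println("wrong key refused:", err != nil)

	tampered := append([]byte(nil), tape...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openBackup(key, tampered, label)
	fmt.Println("tampered tape refused:", err != nil)
}
```

Run it with `go run` and the output shows the Social Security number is not recoverable from the tape bytes, that only the issued key restores the image, and that a wrong key, a relabeled tape or a flipped bit is refused. AES-GCM is used rather than a bare block mode because it authenticates as well as encrypts: a stolen tape cannot be altered and fed back into a restore. The key identifier on the tape is deliberately a hash, so it points the restore at the right key in the key manager without disclosing it.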

Breach notification requirements

So if you are a CIO who hasn’t implemented EHR or PHI data encryption, the only things you will need are time and money -- but realize you will find neither of these in the HITECH Act. There is no funding targeted to securing EHR and PHI data within the HITECH Act. The act does not require a clinical institution to encrypt data; it requires the institution to “secure” the data and to give notice when unsecured PHI is breached, and encryption is the accepted way to take PHI out of the “unsecured” category. So it is very important to pay attention to the fine print of the HITECH Act. The following is a small excerpt from the HITECH Act that specifically points out some of an institution’s notification requirements when a breach of PHI occurs (italics added):

(f) Content Of Notification -- Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:

(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

(2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).

(3) The steps individuals should take to protect themselves from potential harm resulting from the breach.

(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

(5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll free telephone number, an e-mail address, Web site, or postal address.

These are just a few of the requirements under the HITECH Act that a clinical institution will have to comply with when it discovers a breach of EHR or PHI data. So the short list for health care CIOs is: Encrypt everything and hire a lawyer.

Secure storage is part of what Obama referred to as “common sense.” If you are a CIO worth your salt, you have already securely stored your EHR data using solid “best practice” solutions. Make sure when purchasing any EHR solution that the vendor supports your storage requirements.

Al Gallant is the director of technical services at Dartmouth Hitchcock Medical Center in Lebanon, N.H. Let us know what you think about the story; email [email protected].
