Helen to Speak on Solving Privacy Dilemmas with Health Information Exchange at national Health Care Info Privacy Forum

To Register, click here.


HIPAA Auditor Responsible for Breach in 2010

In June of 2010, a large healthcare system was informed by its business associate that a breach had occurred, affecting thousands of patients at its hospital.  The breach had occurred the previous month when an employee of the business associate lost an unencrypted flash drive that may have contained patient information.  Although the breach was reported last year, news regarding the breach appears to have begun circulating this past week, most likely due to the new role of the business associate in question. 

The real kicker is that the business associate was none other than KPMG, the prominent auditing, advisory and tax company that was recently awarded $9.2M by the Office for Civil Rights (OCR) to conduct HIPAA privacy and security compliance audits.  Although the flash drive reportedly did not contain patient information such as social security numbers, addresses, personal identification numbers, dates of birth or financial information, the embarrassing fact remains that a KPMG employee used an unencrypted flash drive to carry around patient information. 

Not only was I surprised at KPMG's responsibility for the breach, but also the length of time that went between the discovery of the loss of the flash drive by KPMG (May 10, 2010) and the report that was sent to the covered entity regarding the loss (June 29, 2010).  Although KPMG just barely notified its customer within the HITECH sixty day notice requirement, one has to wonder why it took so long for KPMG to discover that the device was missing and/or report it.

Although I am also curious as to why a KPMG employee would need to carry around patient information on a flash drive to begin with (especially an unencrypted one), this shows that a breach can happen to the best of us.  It also highlights a big problem for hospitals and other health care providers when it comes to security of patient information.  All too often residents, nurses and other health care providers copy patient information onto flash drives, laptops or other unencrypted devices which are easily lost or stolen.  These risks must be identified and aggressively managed by health care organizations and their business associates to minimize the risk of breach to such organizations and the patients they serve. 

HealthLeadersMedia reports that Susan McAndrew, OCR deputy director for health information privacy, wrote in an email that the case was currently under investigation and as such, OCR could not address KPMG's involvement in the breach.  When asked whether KPMG's involvement in the breach had been considered prior to awarding it the HIPAA audit contract, McAndrew stated,

The award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.

The public notice made available by the hospital on its website stated that,

KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.

Improved encryption? The flash drive that went missing reportedly did not have any encryption mechanisms.  One would hope though that KPMG has followed through and improved its security measures, given that it is now an ONC HIPAA auditor with the potential to access patient PHI and other information in the course of its auditing activities.

New Hampshire HIO Hits the Ground Running

After years of collaboration and planning, New Hampshire has announced the launch of its Health Information Organization, the NH-HIO, developed with the help of the New Hampshire Department of Health and Human Services Office of Health Information Technology, the Massachusetts eHealth Collaborative, and the New Hampshire Institute for Health Policy and Practice, as well as over 80 stakeholders.  The NH-HIO was officially established by House Bill 489 which was signed into law recently by New Hampshire Governor John Lynch.

Governor Lynch stated,

Technology should do for the health care industry what it has done for many other industries, and that's create efficiency and lower costs....This new law allows the creation of a health information organization which will mean a faster, easier and more secure transfer of health records, saving time and money, while still protecting patient privacy.

The NH-HIO has been designed to protect privacy and security while creating the infrastructure necessary to help coordinate care, reduce administrative costs and provide easier and timelier access for providers to needed patient information.  New Hampshire Health IT Coordinator, David Towne, stated,

I envision that the NH-HIO will be a unifying, collaborative organization that will identify and implement cost-cutting "win-win" health IT initiatives that benefit healthcare providers, healthcare purchasers, and most of all, patients.

The first Board of Directors meeting of the NH-HIO will be held later this month. For more information, the official press release can be found here.

Uncertainty in Federal Budget Prompts Kansas to Return $31.5M Early Innovator Grant

On Tuesday, August 9th, Kansas Governor Sam Brownback announced that Kansas would be returning $31.5M in federal grant money awarded to it from the Department of Health and Human Services (HHS).

"There is much uncertainty surrounding the ability of the federal government to meet its already budgeted future spending obligations....To deal with that reality, Kansas needs to maintain maximum flexibility.  That requires freeing Kansas from the strings attached to the Early Innovator Grant," said Kansas Governor Sam Brownback.

The HHS Early Innovator competitive funding program awarded two-year grants to a select number of States to develop innovative information technology (IT) infrastructures needed to operate the Health Insurance Exchanges established by the Patient Protection and Affordable Care Act. Systems developed through the program are intended to be used as models for all States in their development and implementation of Exchanges. 

The return of the grant money is the second largest award to be returned for implementing the federal health care reform.  Oklahoma Governor Mary Fallin announced this past April that Oklahoma would not be accepting its $54.6M Early Innovator grant.  Other states have returned or turned down smaller grants.

Kansas plans on working towards developing state-based innovative solutions.  Although the return of the grant money likely will make it harder for Kansas to develop its own exchange, it paves the way for more substantial involvement from the Legislature.

Dr. Robert Moser, Secretary for the Kansas Department of Health and Environment said that the grant did not address the most important issue in health care reform, that of slowing the rate of cost growth in health care.  He stated, "Through the statewide Medicaid reform meetings, Kansas is taking the opportunity to decide for ourselves how best to provide health care access, improve outcomes and reduce costs for our state." 

HHS expressed disappointment in Kansas's decision to return the grant money, noting that "Kansas has given up an opportunity to be a leader in the development of technology for state exchanges, which could have benefited the citizens of Kansas as well as those in other parts of the country."

Governor Brownback's statement can be found here.

Spartanburg Breach Affects 400,000...But They're Not Telling

According to the Office for Civil Rights (OCR) webpage listing breaches of PHI over 500, a theft affecting an originally unreleased number of patients turned out to have impacted approximately 4,000 patients...times 100.  You'd never guess from the short Press Release available on the Spartanburg Regional Healthcare System website, or, it appears, from any other information released by Spartanburg itself (See HealthDataManagement), but approximately 400,000 patients were affected by the theft of a Spartanburg computer from an employee's car on March 28, 2011.  Although certainly not the largest number of affected patients for a given breach incident (See on the ONC website, for example, AvMed in 2009 with 1,220,000 affected patients, the North Bronx Healthcare Network with 1,700,000 last year, as well as Health Net with 1,900,000 for a breach this past January), the number places Spartanburg squarely within some of the largest breaches of patient information in the past few years. 

Notice to thousands of patients of the theft began in late May of 2011.  According to the Press Release, the employee was authorized to have possession of the computer which was stolen.  It stated Spartanburg had no reason to believe any information had been misused as the file containing patient Social Security Numbers, names, addresses and dates of birth had been password protected.  However, it notified affected individuals that Spartanburg had made available, free of cost, identity theft consultation and restoration as well as ongoing credit monitoring. 

Surprisingly, the Press Release is devoid of any information regarding how many patients had been or could have been affected and it does not appear that Spartanburg has acknowledged the high count other than in its required notice to HHS of the breach.  Although initially the full extent of the breach may not have been known to Spartanburg when it first discovered the breach and began to notify patients, the fact that it has still not acknowledged publicly the substantial number of patients affected is perplexing.

While the HITECH Act does not require that patient notification include how many individuals have been affected by a given breach incident nor does it require the release of any sensitive information regarding the incident, downplaying (or at least avoidance of) the magnitude of the breach certainly wouldn't seem to me to be the top choice among PR options. Given that notice to HHS is required for all breaches affecting over 500 individuals and such information is made available on OCR's website, the information was destined to come out eventually.