Document Disposal Company Responsible for old Patient Records found in Park

Over 277,000 patients were notified by Texas Health Harris Methodist Hospital in Fort Worth ("Texas Health Fort Worth") earlier this month of a breach of their health information.  Only patients seen between 1980 and 1990 whose records were maintained on microfiche are affected or potentially affected by the breach. 

Texas Health Fort Worth's business associate, document destruction company Shred-It, was contracted to dispose of the old microfiche records. As reported by the Star-Telegram, because the microfiche could not be destroyed on-site, Shred-It was to transfer them to another facility for destruction.  

Somehow "lost" or misdirected during transit, the records ended up in a park, where a concerned citizen found them and contacted the Dallas police.  Records were reportedly found in at least two other public locations, and contained names, addresses, Social Security numbers, birth dates and health information. As Texas Health Fort Worth stated in a press release,

We have no knowledge that any of the information included on the microfiche has been accessed or used inappropriately.  Furthermore, microfiche is no longer commonly used and specialized equipment is needed to read the information it contains.

While certainly it is unlikely that the average Joe has access to microfiche equipment, it is inexcusable that the records wound up in a park, of all places, to begin with. Although Shred-it "assured" Texas Health Fort Worth that it took appropriate action as a result of the incident, Texas Health Fort Worth has switched vendors.  I would expect other hospitals in the area to follow suit. It remains to be seen whether OCR will investigate Shred-it for this incident. 

WellPoint hit with $1.7 million for Security Weaknesses in Online Application

The increasingly heavy-handed OCR announced news yesterday of yet another resolution agreement for HIPAA violations; this time hitting WellPoint Inc., a managed care company, with $1.7 million for an Internet breach that occurred between 2009 and 2010 affecting over 600,000.  HHS stated in the press release,

This case sends an important message to HIPAA-covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data using the Internet.

Data (including names, birth dates, Social Security numbers and health information) was unsecured in a web-based application database after an upgrade.  The resolution agreement alleges that the data was disclosed improperly over a five-month period.  HHS indicated that,

  • WellPoint failed to implement policies for authorizing access to ePHI;
  • WellPoint failed to perform an "adequate" technical evaluation after a software upgrade affected authentication controls; and
  • WellPoint failed to implement technology to verify (authenticate) access to ePHI by authorized individuals.

Covered Entities affiliated with WellPoint include certain Anthem, Blue Cross and Blue Shield, and UNICARE health plans, among others.  There was no Corrective Action Plan accompanying the resolution agreement, which seems to indicate OCR was happy with the mitigative action taken by WellPoint after the fact. However, the Indiana attorney general's office had filed suit against WellPoint back in 2010 for failing to provide notification as required under state breach laws, and the Connecticut attorney general's office opened an investigation as well. 

For entities planning software and other upgrades and modifications (all you "Meaningful Users", to start), you can retrieve a copy of the news release and resolution agreement to give to and hammer home with your Security Officer and IT Departments here

ONC Sells Successes of Health IT Adoption to Congress in Annual Report

The ONC released its second annual report on the adoption of health IT this past June.  The report provides a snapshot of the nation's efforts and continuing barriers to health IT adoption.  Although EHRs have been lambasted lately by Congress, the report primarily covers the ongoing big "wins" for health IT adoption: increased participation in the Medicare and Medicaid EHR Incentive Programs ("Meaningful Use") in 2012, increased adoption of EHR technology among physicians and hospitals, increased eRx, and various federal and state HIE and HIT efforts.

For example, CMS is more than happy to report that over half of the nation's eligible professionals have received payments through Meaningful Use as of April 2013, with about 80% of eligible hospitals receiving incentive payments as well. Among the 50 States, only 8 do not have mechanisms broadly available statewide for directed exchange, whether fully implemented or in pilot phases, of which New Jersey is one. And 36 states have query-based exchange available either statewide or through at least certain regions.

The report also highlights the variety of programs, pilots and regulatory efforts undertaken by CMS and ONC, among others, and the success these have had since the passage of the HITECH Act. However, ONC acknowledges the barriers that remain for health IT, particularly interoperability, and remains committed to developing flexible, modular standards and policies for the interaction and exchange of information among various types of systems. 

To help support interoperability, the State HIE Program recently released a set of online training modules for providers, supporting the roll-out of Meaningful Use Stage 2 set to kick off this October for eligible hospitals, and January 2014 for eligible providers. The Standards and Interoperability ("S&I") Framework continues to work with stakeholders in the vendor and provider communities to identify barriers and their solutions to achieving national interoperability.  And the public/private partnership through the national eHealth Exchange (formerly the Nationwide Health Information Network or NwHIN) continues as ONC's "incubator of innovation" in HIE.

Additional efforts highlighted by ONC include:

  • improving consumer and provider confidence and trust in health IT and HIE;
  • engaging consumers in their ehealth and identifying solutions for consumers to better control and direct the flow of their information through HIE;
  • gathering data through various public forums and surveys on privacy and security concerns for safeguarding health information in health IT;
  • development of interactive tools for providers to assess mobile device security as well as general security tools for safeguarding electronic PHI and EHRs, and minimizing breaches;
  • identifying strategies for improving coordination and integration of behavioral health providers into broader health IT efforts, including launching an interstate Direct behavioral health pilot; and
  • identifying strategies for improving coordination and integration of long-term and post-acute care providers into broader health IT efforts.

For the entire snapshot of the nation's health IT status, read the full report with its easy-to-read charts and graphs.  You may be surprised at how much ONC has been involved with, and how much has happened, in the evolution of health IT and HIE.