Steve Gravely, partner and head of the healthcare group practice at law firm Troutman Sanders in Richmond, VA, notes that his firm has seen increasing enforcement activity by the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services. OCR is responsible for enforcing HIPAA. Gravely serves as legal counsel for health care providers and Health Information Exchanges (HIEs) that are directly involved in the sharing of protected health information.
“At the same time, we are seeing states enact tougher privacy laws and ‘data breach’ laws that affirmatively require businesses, including health care providers, to disclose data breaches,” he explains. “Once reported, these breaches often lead to fines.”
The rapid growth of electronic medical records, along with an increase in medical identity theft and a lack of appropriate security controls to restrict access to authorized individuals, is resulting in a serious risk to patient information, according to Uday Ali Pabrai, CISSP, CSCS, chief executive, ecfirst, Newport Beach, CA, the author of “Are Medical Records at Risk? Medical Identity Theft Rises and New State Penalties,” November 2008.
“The risk to medical records is rising and the consequences of not taking reasonable and appropriate steps to protect this information are not insignificant, especially with current enforcement actions and associated penalties,” says Pabrai. “Healthcare organizations need to better address the multitude of privacy and security related compliance regulations continually. Organizations need to enable a powerful technology infrastructure that can not only be trusted, but leveraged to deliver much better care. Today’s infrastructure is just too vulnerable and introduces a serious risk to the healthcare organization.”
The crackdown involves all types of health care providers that are covered by HIPAA and their business associates. From the government side, it involves OCR and state Offices of Privacy and state Attorneys General in some cases, according to Gravely. The HIPAA crackdown, however, should reinforce the importance of protecting the confidentiality of medical information. For patients, it may encourage more reporting and complaints of suspected breaches.
Medical identity theft is a subset of identity theft, says Pabrai, who points out that The World Privacy Forum identifies two areas of vulnerability with medical identity theft: the use of a person’s name or other identifiers without the knowledge or consent of the victim to obtain medical services or goods; and the use of a person’s identity to obtain money by falsifying claims for medical services. This may also involve the falsification of health records to support claims submitted.
“Medical identity theft involves the use of existing accounts or new ones that may be established by the perpetrator. Medical identity theft can have a devastating impact if the perpetrators’ medical information or claim gets included as part of the victim’s medical record. The victim may be exposed to significant risk in the areas of medications or procedures if the changes in their medical record have information that has been wrongfully added or omitted,” says Pabrai. “Further, life insurance or health insurance may be denied based on the medical conditions the victim never had.”
Privacy and security are already huge issues with EMRs, acknowledges Gravely. “It is receiving a significant amount of attention already. I have not seen any discernible impact of recent enforcement actions other than to reinforce the recognition that privacy and security are essential.”
Pabrai cites several factors that are raising the critical need for health care organizations to examine the rising risk to medical records: medical identity theft is a significant risk to organizations and now accounts for three percent of identity theft crimes; the Centers for Medicare and Medicaid was recently involved in a landmark case that resulted in a fine and a three-year corrective action plan for monitoring and reporting by the organization; and rising information privacy and security compliance requirements, including HIPAA, PCI DSS, and state regulations.
“The healthcare information technology infrastructure today is not as resilient as it needs to be to safeguard medical records,” states Pabrai. “Hospitals and health systems are in some stage of implementing capabilities to support 100 percent electronic personal health records. Health care organizations are still struggling with how to take the necessary steps to comply with federal and state regulations, even though failure to integrate and manage critical security countermeasures introduces compliance risks, enterprise vulnerabilities and poor employee productivity and satisfaction.”
Pabrai reminds everyone that the HIPAA Academy strongly recommends that all organizations directly or indirectly impacted by the HIPAA legislation go beyond the requirements of the Security Rule and implement appropriate solutions to protect not just electronic Protected Health Information (EPHI), but all vital enterprise assets and sensitive information.
“The scalability, flexibility and technology-neutral characteristics of the HIPAA Security Rule provide both an opportunity and an obligation for health care organizations to secure EPHI. Other regulations such as FACTA as well as state requirements only reinforce the need for health care organizations to establish a resilient information infrastructure,” he states.