Kroll Fraud Solutions Blog – A Dialogue on Data Security

As mentioned in the previous post, HB 300 covers lots of ground. One item that’s received a lot of public attention is the fact that the law includes a ban on selling personal health information (PHI) for profit. Violators of the ban could face fines of up to $5,000 per violation, and a $1.5 million cap for civil penalties. Also affecting consumers directly is a provision that requires covered entities utilizing electronic systems with sufficient capability to fulfill requests for health records within 15 business days.

The Office of the National Coordinator for Health Information Technology (ONC) is seeking public comment regarding personal health records, now through December 10. Comments can be submitted through the website, on the following topics:

• Privacy and security and emerging technologies
• Consumer expectations about collection and use of health information
• Privacy and security requirements for non-covered entities
• Any other comments on personal health records (PHRs) and non-covered entities

The ONC is also hosting a day-long public roundtable discussion, Personal Health Records – Understanding the Evolving Landscape. According to the website, the purpose is to “inform ONC’s congressionally mandated report on privacy and security requirements for non-covered entities (non-CEs), with a focus on personal health records (PHRs) and related service providers.”

This month, Connecticut Attorney General Richard Blumenthal announced that his office reached a settlement with health insurance company Health Net over their breach of sensitive patient data. The agreement resolves allegations that Health Net violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as well as state privacy protections. The Health Net breach dates back to May 2009, when the company lost a disk drive with PII and PHI for some 2 million patients. The company took more than what Blumenthal considered a reasonable amount of time to report the missing disk and notify affected individuals. Blumenthal alleged that the company delayed and otherwise failed to properly inform the state governing authorities.

In the late 1960’s, Dr. Lawrence L. Weed developed the Problem Oriented Medical Record (POMR).  His vision was to have electronic medical records with standardized progress charts for all patients.

Fast forward 30 years, and you would be hard pressed to find a medical group or health care system that used Electronic Health Records (EHRs) to exchange patient data with one another. Most medical records were still in the form of physical documents, stored in a file folder and shared between a few key members in the medical facility.

In June, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule to establish a temporary certification program for Electronic Health Record (EHR) Technology. This marks an important step towards allowing healthcare facilities to meet and achieve meaningful use, a requirement to qualify for incentive payments under Medicare and Medicaid. Yet, even with this new development, lingering security questions still plague the process, making the transition to an interoperable EHR system seem even further away and harder to achieve.