Radiology Navigates Stricter HIPAA Laws
Stricter regulations modifying the Health Insurance Portability and Accountability Act (HIPAA) present new challenges
Encrypting laptop computers and securing email are among the basic precautions radiologists can take to avoid hefty fines associated with stricter regulations modifying the Health Insurance Portability and Accountability Act (HIPAA). The regulations became mandatory in fall 2013.
Known as the Omnibus Rule or Mega Rule, the new legislation took effect in March 2013, with compliance mandated in September 2013. The law represents the third phase of a process begun in 1996 with the enactment of HIPAA and extended in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) Act. The rule was issued by the Office for Civil Rights (OCR)—the entity that enforces HIPAA—of the U.S. Department of Health & Human Services (HHS).
Enacted amid concerns that patient privacy might be endangered by the growing use of electronic health records (EHRs), the Omnibus Rule was motivated in part by a perception of lax enforcement, informatics experts say. “This new rule intensifies issues first raised by HIPAA,” said David E. Avrin, M.D., Ph.D., vice-chair of informatics, the Department of Radiology and Biomedical Imaging, the University of California, San Francisco. “It turns up the heat on a problem that already existed.”
Under the rule, OCR will increase investigations and penalties for groups that demonstrate security lapses in the storage and exchange of patients’ protected health information (PHI). Civil penalties for noncompliance have been increased based on the level of violation. Any breach of PHI, whether intentional or accidental, can potentially set violators back by as much as $1.5 million. The maximum penalty ultimately is at the discretion of HHS. As recent settlements show (see sidebar), those penalties can reach seven figures.
“Privacy compliance is a big deal for radiology groups; you can’t just dismiss it,” said J. Raymond Geis, M.D., a member of the RSNA Radiology Informatics Committee (RIC).
“It’s like a car accident,” Dr. Avrin added. “You don’t think about the costs until it happens to you.”
Among other changes, the Omnibus Rule makes business associates, including storage facilities and cloud computing/data storage vendors, and subcontractors liable for compliance. The rule restricts use of PHI for marketing and fundraising purposes and prohibits the sale of PHI without individual authorization. Patients who have personally paid for any treatments have the right to prevent disclosure of records if they choose.
Encrypted Laptops are “Low-hanging Fruit”
For radiologists, the new rule has less to do with the practice of radiology than it does with group leadership administrative responsibilities, according to Dr. Avrin, former chairman of the RIC. Under HIPAA, PHI that is linked based on 18 identifiers must be treated with special care. (See sidebar.)
“In terms of privacy data violation, the issue is not necessarily about the images, but about the reports and diagnostic information therein,” Dr. Avrin said. “From a private radiology group perspective, you have to be aware of your administrative responsibilities and make sure you have oversight and authority commensurate with those responsibilities to ensure the confidentiality of what you oversee.”
Though the 563-page Omnibus Rule covers a wide range of subjects, recent history suggests that the majority of breaches could be avoided with some routine updates to PHI storage. For instance, approximately half of the HIPAA violations added to the HHS website in November 2013 involve the loss or theft of unencrypted laptops—what Dr. Avrin described as the “low-hanging fruit” of privacy adherence.
A 2012 Healthcare Information and Management Systems Society (HIMSS) survey underscores the prevalence of the problem: the society found that only 64 percent of healthcare organizations use encryption when transmitting healthcare information. “Everyone in the department should have an encrypted laptop,” Dr. Avrin said. “It’s reckless to carry around a laptop without encryption.”
Laptop encryption—specifically, whole disk encryption—requires the user to enter a password before using the computer and also protects data from unauthorized access by converting it into unreadable code. Whole disk encryption offers a much stronger level of protection than typical security features, such as logging into an operating system or protecting individual files with a password. For radiology groups, providing encrypted laptops to all staff members, along with enforcing strict rules for use, may be the most cost-effective approach.
“You can’t be penny wise and pound foolish,” Dr. Avrin said. “Staff laptops—whether PC or Mac—should be locked down and the healthcare system should establish group policies for encryption.”
Data encrypted in accordance with the standards of the National Institute of Standards and Technology (NIST) are generally not considered breached even when devices containing such data are lost or stolen.
Improper or unauthorized access by employees is another common source of privacy breaches. In one recent case, a community college instructor in Connecticut used patients’ X-rays as teaching tools without patients’ permission. Many of the images contained patient names, dates of birth and physician notes. The teacher had used his computer password to access the data at the hospital where he worked part-time as a radiologic technologist.
“When you’re dealing with potential fines of this magnitude, you need to exercise quality in hiring so that you limit the risk at the front end,” Dr. Avrin said. “You have to make it clear that any person who misuses the data or gives the password to someone is subject to termination.”
Unauthorized release of images to others can also be a problem, especially when privacy rules run up against a patient’s desire for convenience. “A lot of patients say they want to release their images to others, but they don’t have all the documentation,” Dr. Geis said. “We have to explain to them that we can’t release images to whomever they send to the office to pick up the CD, because we don’t have a written release form.”
Patients also often want PHI sent to their email accounts, not realizing that common accounts like Gmail are not secure.
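A pre-send check that scans report text for the machine-recognisable identifier categories of the HIPAA Safe Harbor list (45 CFR 164.514(b)) is one concrete safeguard against the report-and-email exposures described above. This is an added example, not code from the article or from RSNA: the report text is constructed, only categories with a regular shape (dates, phone/fax, email, SSN, MRN, ZIP, IP, URL) are covered, and names, which need dictionary or NLP matching, are deliberately left out.

```python
import re

# Regexes for a subset of the 18 Safe Harbor identifier categories.
# Names and free-text geographic data are NOT covered; a real DLP gate
# would add dictionary/NLP matching for those.
PHI_PATTERNS = {
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{5,}\b", re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+\b"),
}

def find_phi(text):
    """Return (category, matched_text, start, end) tuples, ordered by position."""
    hits = []
    for category, pattern in PHI_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((category, m.group(0), m.start(), m.end()))
    hits.sort(key=lambda h: h[2])
    return hits

def redact(text):
    """Replace each non-overlapping hit with a [CATEGORY] marker."""
    out, cursor = [], 0
    for category, _matched, start, end in find_phi(text):
        if start < cursor:          # overlaps a span already redacted; skip
            continue
        out.append(text[cursor:start])
        out.append(f"[{category.upper()}]")
        cursor = end
    out.append(text[cursor:])
    return "".join(out)

def safe_to_send(text):
    """True only when no identifier category matched; use as an email gate."""
    return not find_phi(text)

# Constructed sample report (fictional patient and physician).
REPORT = """CHEST X-RAY, PA AND LATERAL
Patient: Jane Doe  MRN: 00482913  DOB: 03/14/1962
Referring: Dr. Smith, fax (555) 123-4567, jsmith@example.org
Findings: No acute cardiopulmonary process. Heart size normal.
Impression: Normal chest radiograph. Exam date 2013-11-05."""

if __name__ == "__main__":
    for hit in find_phi(REPORT):
        print(hit)
    print(redact(REPORT))
```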
Security Solutions on the Rise
Fortunately, resources for avoiding potential security violations are becoming more plentiful. For example, vendors are developing and refining new products that will make adherence to the laws easier, Dr. Geis said.
“More and more we see reasonably priced IT solutions implemented like secure email, where physicians and patients can communicate in an encrypted, HIPAA-compliant manner,” Dr. Geis said. “We also see better HIPAA compliance plans being actively implemented and enforced by radiology groups as well as hospitals.”
While not widespread now, new authentication solutions like fingerprint and eye scanning are likely to become more prevalent in the future, along with tools to make auditing easier, Dr. Geis said. “There is a strong need for easy access along with security and verification, which is providing an opportunity for vendors to develop solutions,” he said.
There are other measures radiologists can take to avoid HIPAA violations. Along with reviewing security policies—especially those concerning mobile devices—radiology groups should update agreements with business associates and review and revise Notice of Privacy Practices and Breach Notification Policies. Consultation with HIPAA experts is also advisable.
“A radiology group should have its own compliance officer, and that person has to have strong support from the senior management,” Dr. Geis said.
Ultimately, the stricter regulations require more due diligence on the part of radiology, experts say.
“All radiologists need to ramp up efforts to explore new IT tools available and remain efficient while still abiding by the law,” Dr. Geis said.
Healthcare Navigates HIPAA Violations
Healthcare providers—including radiologists—have experienced a number of notable breaches and settlements, according to the U.S. Department of Health & Human Services (HHS).
- More than 4 million people were potentially affected when four laptops were stolen from an Advocate Health and Hospitals Corporation Illinois administrative office. A class action suit has been filed by affected patients. (7/2013)
- Two unencrypted laptops were stolen from an office of AHMC Healthcare, a six-hospital system in California, potentially affecting the records of 729,000 people. (10/2013)
- Missouri-based Litton & Giddings Radiological Associates, P.C., said its janitorial service inadvertently sent paper billing records containing protected health information (PHI) to a recycling company without first shredding the documents. (10/2012)
- Online gamers looking for more bandwidth hacked into servers belonging to Seacoast Radiology in New Hampshire. Those servers contained patient data and billing information, affecting 231,000 people. (11/2010)
- Affinity Health Plan, Inc., settled potential HIPAA violations for $1.2 million after multiple photocopiers were returned to leasing agents with data still on the hard drives. Up to 344,579 individuals may have been affected. (8/2013)
- WellPoint, a managed care company, agreed to pay HHS $1.7 million after security weaknesses in an online application database left the PHI of 612,402 individuals accessible to unauthorized users over the Internet. (7/2013)
- Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay HHS $1.5 million for a 2009 breach involving the theft of 57 unencrypted computer hard drives from a leased facility in Tennessee. The drives contained the PHI of more than 1 million people. (3/2012)
- For more information, go to hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.