I spoke at this week's HIMSS Privacy and Security Forum in Boston on the privacy…
The Queen of Soul famously wailed about being a link in a chain of fools. Today's lead story in the Boston Globe tells us about another sort of link in the chain — the weakest link in the chain of custody of patient records. In brief, a pathology billing service bought out by another service apparently dumped all records more that a year old in a town dump; a Globe photographer taking out his own trash noticed that the paper records (which he was looking at because he thought they ought to be recycled rather than dumped) had identifiable patient data and represented at least four hospitals from across Eastern Massachusetts. Clearly, these records ought to have been shredded or otherwise destroyed before disposal. Assuming they had some airtight contracts in place, the hospitals involved may well be looking to the seller of the billing service in this case to reimburse them for costs of:
Under the HITECH Act's "Son of HIPAA" rules, the hospitals could be on the hook to the federales for up to $1.5 million in fines each as a result of this incident, and the state AG could get in on the action as well, filing suit on behalf of the affected Massachusetts residents and seeking to ensue that proper procedures are in place. There may also be a violation of the state data security law here as well. Massachusetts has a particularly stringent data security law on the books that took effect within the past year, and not all affected businesses have come into compliance. The AG may be on the prowl for a few high-profile cases, like this one, in which to levy substantial fines and convince the laggards that compliance would be more than worth their while.
The natural question to ask, given the facts of this case, is: What Would a Meaningful User Do?
With the ink barely dry on the meaningful use final rule, and the usual suspects lined up for and against the proliferation of EHRs, it seems clear that the use of electronic health records would have eliminated the problem of plain text paper records flapping in the wind at the Georgetown town dump. However, their use would not have eliminated the problem of covered entity and contractor bad judgment, if that is in fact the issue in this case.
Digitizing records does not eliminate covered entities' responsibilities with respect to the operation of their business associates and subcontractors. As we all know, the latest and greatest laws and regs make covered entities fully responsible for the deeds and misdeeds of their business associates and subcontractors. (True even if the breach notification final rule is on ice for a while.) Thus, it becomes imperative for covered entities to have a much better handle on their associates' understanding of applicable law, on their policies and procedures, and on the actual implementation of their policies and procedures.
Auditing business associate and subcontractor compliance with HIPAA and other privacy laws is probably worth the expense. The costs saved include being called out on page one, above the fold.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting
Healthcare NOW Radio Podcast Network · Harlow on Healthcare
In this episode I speak with Ryne Natzke, Chief Revenue Officer of TrustCommerce, a Sphere…
Natalie Davis, CEO of United States of Care, returned to Harlow on Healthcare to discuss…
If the EHR is the system of record, then Lumeon is the system of action.…
Blockchain in healthcare? Well, it can solve some problems. Have a listen to my conversation…
Joel Diamond, Chief Medical Officer at 2bPrecise, speaks with me about bringing genetic testing information…