March 01, 2015

Storing and Protecting Electronic Medical Records in the Age of HIPAA and HITECH

Aaron W. Brooks

The term HIPAA can refer to a great many legal concepts, given that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers a broad range of issues. For the purposes of this article, however, the term refers to the federal laws and regulations governing the use and disclosure of medical records. These laws and regulations are often referred to as the “Administrative Simplification” statute and rules.

The Foundation of HIPAA Administrative Simplification

The Administrative Simplification statute is set forth under Title II, Subtitle F, of HIPAA, codified as Section 1171 through 1179 of the Social Security Act. Its core purpose is to improve the Medicare and Medicaid programs—and the efficiency and effectiveness of the health care system in general—by establishing standards and requirements for the electronic transmission of health information. In other words, as the health care system began moving away from paper-based medical records and toward electronic health record systems, Congress deemed it important to unify the digital format for electronic medical information transactions. The rules created to address this issue are known as the HIPAA Transactions and Code Set Standards.

Unifying the format of medical information makes it more likely that different entities will be able to exchange health information accurately and effectively, and also provides a clear set of software criteria that can be used to design and build interoperable electronic health record systems. However, encouraging electronic medical records and interoperable software brings about heightened concerns with respect to the privacy and security of the sensitive patient information contained therein. For this reason, the HIPAA Transactions and Code Set Standards are accompanied by three specific regulatory structures designed to protect the privacy of both paper and electronic patient information, as well as the security of electronic patient information.

The OCR’s Administrative Simplification Rules

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency that created, administers, and enforces the Administrative Simplification rules. All these rules, together with a wealth of commentary, guidance, and FAQs, can be found on the OCR’s Administrative Simplification website (

There are three core Administrative Simplification rules: the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Generally speaking, the HIPAA Privacy Rule provides the circumstances under which intentional uses and disclosures of patient information are permitted; the HIPAA Security Rule provides the safeguards required to prevent unintentional uses and disclosures of patient information; and the HIPAA Breach Notification Rule describes the notifications that patients are required to receive if an unintentional use or disclosure of patient information occurs.

The Administrative Simplification rules apply to “covered entities” and, to a somewhat lesser degree, “business associates.” The two main types of covered entities are: (1) health plans (including many employer-sponsored group health plans) and (2) health care providers who transmit health information using the HIPAA Transactions and Code Set Standards. Business associates are entities that provide administrative services to a covered entity using the covered entity’s patient information. For example, a law firm that represents a hospital in a medical negligence claim and receives patient data from the hospital in the course of the representation would most likely be considered a business associate. By contrast, a law firm that represents the plaintiff in a medical negligence claim is not a business associate, even if it receives patient information as part of the representation, because it is not providing administrative services to a covered entity.

The Administrative Simplification rules protect a particular category of information, referred to as “protected health information” (PHI). PHI encompasses all health information that is created or received by a covered entity and which relates to: (1) the past, present, or future physical or mental health condition of an individual; (2) the provision of health care to an individual; or (3) the past, present, or future payment for the provision of health care to an individual. PHI excludes health information that does not identify an individual so long as there is no reasonable basis to believe the information could be used to identify the individual.

Great care should be used when applying the exception for health information that does not identify an individual. In March 2010 the OCR held a series of health information de-identification workshops that resulted in its “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule” ( The OCR’s de-identification guidance provides a safe harbor for making health information “de-identified,” and complying with the safe harbor requires one to remove at least 18 types of identifying information (including all geographic subdivisions smaller than a state). Thus, one can’t assume information is outside the scope of PHI simply because common identifiers such as name and address have been taken out.

The HIPAA Privacy Rule

The HIPAA Privacy Rule provisions are, more or less, divided into two categories: (1) rules about when and how PHI can be used or disclosed; and (2) rules for preserving a patient’s rights with respect to his or her PHI. The first category, rules about using and disclosing PHI, can be summarized with the following rule of thumb: A covered entity or business associate may not use or disclose PHI unless (1) it has first received a HIPAA-compliant authorization that has been signed by the patient identified in the information or (2) a specific exception set forth in the HIPAA Privacy Rule applies. Thus, having an authorization signed by the patient generally avoids the need to analyze whether any given use or disclosure is permissible under the HIPAA Privacy Rule.

Nevertheless, many uses and disclosures are permitted without a patient’s authorization. For example, covered entities may disclose patient information for treatment purposes, to obtain payment for services, and to manage their operations (frequently referred to as the “treatment, payment, and health care operations” exception). Exceptions also exist for several other scenarios, such as judicial proceedings, public health reporting, law enforcement, and medical research. All the HIPAA Privacy Rule exceptions contain details about when and how they are to be applied, so it’s important to fully understand the use or disclosure exception being utilized when a patient authorization has not been obtained.

The second category of the HIPAA Privacy Rule, rules for preserving a patient’s rights, addresses how covered entities must interact with patients about their PHI. Most importantly, all covered entities must publish a notice of privacy practices that is designed to inform patients about the uses and disclosures to which their PHI might be subjected. Additionally, patients have the right to access and copy their PHI, the right to be provided with an accounting of certain uses and disclosures that have actually been made, and the right to amend their PHI if they believe it is not accurate. Like the use and disclosure rules, each of the HIPAA patient rights contains many details and exceptions, and it’s important to fully understand these details and exceptions when applying them to any specific case.

The HIPAA Security Rule

The HIPAA Security Rule is divided into three categories: (1) rules designed to ensure the technical security of PHI (such as virus protection, firewalls, and encryption); (2) rules designed to ensure the physical security of PHI (such as locks, security cameras, and restricted access areas); and (3) administrative rules designed to ensure that secure practices are followed (such as written security policies, password management practices, and sanctions for policy violations). In this author’s opinion, the single most important concept in the HIPAA Security Rule that attorneys should be familiar with is that of encryption.

Encryption can be understood on three levels, and the citations that follow are taken from the OCR’s “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals” ( The first level is “data at rest,” which refers to electronic information that is being stored for later use (such as on a hard drive or flash drive). This type of information should be encrypted in accordance with National Institute of Standards and Technology (NIST) Special Publication 800-1. The second level is “data in motion,” meaning electronic information that is being transmitted from one storage location to another (such as between a laptop and a cloud storage service). This type of information should be encrypted in accordance with NIST Special Publications 800-52, 800-77, 800-113, or others that are Federal Information Processing Standards (FIPS) 140-2 validated. The third level is “data at end of life,” which refers to paper documents or electronic media being thrown away or recycled. Electronic media in this category should be cleared, purged, or destroyed consistent with NIST Special Publication 800-88. Paper, film, or other physical information should be shredded or destroyed in a manner that makes it realistically impossible to be read. The OCR has specifically excluded redaction alone as a method of data destruction.

The HIPAA Breach Notification Rule

Most importantly, note that PHI that has been encrypted as described above is not subject to the HIPAA Breach Notification Rule, even if it is lost or stolen. Beyond that, any use or disclosure that is not permitted under the HIPAA Privacy Rule is generally considered a “breach” if it compromises the security or privacy of the PHI. A breach is presumed unless the covered entity or business associate can demonstrate a “low probability” that the PHI has been compromised. To make this demonstration, the covered entity or business associate must perform a written risk assessment using specific factors set forth by the OCR, and this risk assessment must be kept for at least six years. Assuming a breach has occurred and the written risk assessment doesn’t show a low probability of compromise, the covered entity and business associate must undertake a detailed notification process, and it must happen without “unreasonable delay” (but in no case later than 60 days after the date the breach is discovered or should have been discovered with reasonable diligence).

HITECH and the Electronic Storage of Medical Records

On February 17, 2009, Congress enacted the Health Information Technology for Economic and Clinical Health Act (HITECH). The fundamental purpose of HITECH is to encourage investment in health information technology, and the act specifically authorized administrative incentive programs to improve quality of care, patient safety, and health care efficiency through new adoption of technology. The core program used to accomplish this goal, called Meaningful Use, is carried out through Medicare and Medicaid incentive payments for certain providers and hospitals that adopt certified electronic health record technology (CEHRT) and use it to achieve specified objectives. The current foundation for electronic storage of medical records is the set of technical standards being established by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC).

In addition to incentivizing providers to adopt CEHRT, the Meaningful Use program is creating an impetus for providers to use their CEHRT to make electronic patient information available to other providers who might treat the same patient. Two technologies are rapidly emerging to meet this need: health information exchange software (HIE) and health information service provider software (HISP). HIE is a software platform used to connect the CEHRT of several different providers in a manner that allows each to search and retrieve medical records from the others. HISP is a software platform used to securely transmit medical records directly from one CEHRT to another. In combination, the rapidly developing technologies of CEHRT, HIE, and HISP are expected, it is hoped, eventually to create a secure global network of health information in which any medical provider would have access to the most relevant and current information possible about each of its patients.

Aaron W. Brooks

Aaron W. Brooks is a member of the firm Holmstrom & Kennedy, P.C., in Rockford, Illinois. His practice focuses on technology-based transactions and licensing, trademarks, copyrights, and privacy law.