Wednesday, November 10, 2010

Mercy Health Plan's Medical Data Security Breach Should Inform OCR's Harm Standard

A recent medical data security breach occurring in Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in Philadelphia lends support to removing the harm threshold written into the Interim Final Rule of HIPAA and the HITECH Act before promulgating the Final Rule. In August of 2009, the Office of Civil Rights (OCR) published the Interim Final Rule with request for comments on breach notification of protected health information (PHI), which set forth additional definitions and standards relating to the Privacy Section. OCR is expected to issue the Final Rule by the end of this year or early next year.

When OCR published the Interim Final Rule last year, the media seized on the provision instructing the covered entity responsible for a breach of PHI to perform a risk assessment as a deciding factor in whether or not to disclose the breach to the affected individuals and the Department of Health and Human Services (HHS). Eight members of Congress expressed their concern by writing a letter to Kathleen Sebelius, noting that the American Recovery and Reinvestment Act (ARRA), which sets forth the statutory mandates relating to privacy of PHI, neither includes nor implies a harm standard, and urged HHS to repeal or revise the harm threshold standard.

Section 13402 of the ARRA states that health care entities must notify the individual when there is an “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of that information.” In order to decide whether a breach compromises the individual’s security or privacy, the Interim Final Rule set forth risk assessment criteria and translated a “compromise” of security or privacy to mean a “significant risk of financial, reputational, or other harm” to the individual. Problematically, the covered entity is tasked with assessing the risk of harm to determine whether it meets the threshold for disclosing the breach to the individual and HHS. The Interim Final Rule states that the covered entity should consider to whom the information was disclosed, the type and amount of information, and whether the information contained materials relating to potentially stigmatizing health conditions.

The letter written on behalf of eight Congressional representatives clarified that Congress specifically excluded a threshold for harm when promulgating Section 13402. Furthermore, requiring mandatory disclosure serves as a powerful incentive to health care entities to enact strict privacy and security protections to decrease the likelihood of a breach even occurring.

The Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan (MHP) incident is only the latest in a long line of PHI breaches. In late October, the Philadelphia Inquirer reported that a computer flash drive belonging to MHP was lost at a community health fair. The flash drive contained the medical record information of over 280,000 Pennsylvania Medicaid recipients.

Donna Burtanger, Vice President of Communications at MHP, stated that company representatives were trying to use the health plan members’ PHI to personalize service at community health fairs. Burtanger offered the example of a health plan member visiting a church-sponsored health fair, where the insurance company representative can access the member’s medical record to schedule an appropriate screening test such as a mammogram.

As one article pointed out, MHP assumes that the patients under the plan would want company employees to have and access the patient’s full medical record, or to bring that sensitive health information into a less secure location such as a community health fair. This situation highlighted the vast discrepancy between how an insurance company and its members would view the risk-benefit calculation of permitting non-essential access to their sensitive medical information.

If a health insurance company such as MHP does not know when its members would not want their information shared, accessed, or transported, it would likely also face a disconnect when attempting to determine the potential harm arising from a breach of its members’ PHI and whether that level of harm would require disclosure of the breach.

OCR should consider whether placing this level of discretion in the hands of health care entities, given this known difference in perspective, will build the public’s trust in the use of electronic health information.

--Katherine Drabiak-Syed