Monday, December 14, 2015

Small privacy violations can have huge impact on individuals but don’t get the appropriate attention and followup under current HIPAA enforcement

Contrasting the large healthcare data breaches that get high public visibility but may have less well-known impacts on the individuals whose data is stolen with the little-known breaches that can have a huge impact on a single individual, National Public Radio reported “Small Violations of Medical Privacy Can Hurt Patients and Corrode Trust.”

The report noted –

Under the federal law called the Health Insurance Portability and Accountability Act, or HIPAA, it's illegal for health care providers to share patients' treatment information without their permission. The Office for Civil Rights, the arm of the Department of Health and Human Services responsible for enforcing the law, receives more than 30,000 reports about privacy violations each year.

The bulk of the government's enforcement — and the public's attention — has focused on a small number of splashy cases in which hackers or thieves have accessed the health data of large groups of people. But the damage done in these mass breaches has been mostly hypothetical, with much information exposed, but little exploited.

The report also notes that –

Even when small privacy violations have real consequences, the federal Office for Civil Rights rarely punishes health care providers for them. Instead, the office typically settles for pledges to fix any problems and issues reminders of what the privacy law requires. It doesn't even tell the public which health providers have reported small breaches — or how many.

The Office for Civil Rights took some criticism in this NPR report:

The vast majority of the federal Office for Civil Rights' enforcement work has been directed at large-scale medical data breaches, whether or not they result in any demonstrable real-world harm.

Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected. OCR's website makes public a list of these cases, highlighting them on what industry insiders dub the Wall of Shame.

Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.

Organizations only have to report them to OCR once a year. Even then, the agency doesn't post them online. HHS has rejected requests under the Freedom of Information Act for information about them.

Since 2009, OCR has received information about 1,400 large breaches. During the same time, more than 181,000 breaches affecting fewer than 500 individuals have been reported.

In September, the HHS inspector general issued two reports that criticized the Office for Civil Rights, including its handling of small breaches. One report said OCR should strengthen its follow-up of breaches of Patient Health Information reported by HIPAA covered entities. Another report said OCR should strengthen its oversight of covered entities’ compliance with the HIPAA Privacy Standards. The inspector general said OCR did not investigate the small breaches reported to it or log them in its tracking system.

Thursday, December 10, 2015

HealthData Management Reviews the Ten Largest Healthcare Cyber Attacks in 2015

HealthData Management recently reviewed the 10 largest cyber attacks of 2015 in the healthcare setting. The report notes that some of the attacks started in 2014; the list is based on when the attacks were reported. The total number of victims from these hacks was placed at 109,671,626, which represents about one-third of the population of the U.S. Each hacked organization has offered paid credit and/or identity theft protection services.

The single largest attack was against Anthem Health Insurance, affecting 78.8 million individuals. The hack affected all Anthem product lines, compromising names, birthdates, member IDs, SSNs, addresses, phone numbers, email addresses and employment information.

An attack against Premera Blue Cross, started in 2014, affected 11 million individuals. As with Anthem, a wide range of member information was compromised, including personal bank account numbers. Ten million individuals were affected by an attack started in 2013 against Excellus BlueCross BlueShield, which included members from other BCBS plans in a 31-county area in upstate New York. The company said “Individuals who do business with us and provided us with their financial account information or Social Security number also are affected.”

UCLA Health detected suspicious network activity in late 2014 and investigated with assistance from the FBI, concluding that the attackers had not gained access to parts of the network that contain personal and medical information. In mid-2015, as part of an ongoing investigation, UCLA determined that the attackers had accessed those parts of its network, affecting 4.5 million individuals.

Medical Informatics Engineering, which sells electronic health records with its NoMoreClipboard subsidiary, found an attack that involved 3.9 million individuals. The hack compromised patient names, user names, hashed passwords, security questions and answers, email addresses, dates of birth, health information and Social Security numbers.

An attack against a single database at CareFirst BlueCross BlueShield affected 1.1 million individuals. The attack was discovered during security work being done in response to attacks against other insurers. Limited personal information was said to have been involved, with no member Social Security numbers, medical claims information or financial information put at risk.

In mid-2015 Beacon Health System discovered a phishing attack, started in late 2013, that accessed multiple employee e-mail boxes. The breach was found by an internal forensic team after an employee noticed email irregularities, and affected the two-hospital system and affiliated physicians. St. Mary’s Health in Indiana discovered a breach affecting 4,400 individuals after investigating an attack against employee email accounts.

Advantage Dental, with 30 clinics across Oregon, discovered an attack on an internal database that affected over 150,000 individuals. The access was terminated three days after it was discovered, and notifications were sent to affected individuals within 30 days. The intruder accessed the database through a computer infected with malware.

Monday, December 7, 2015

Check out The Joint Commission's Physical Environment Portal

The Joint Commission announced a Physical Environment Portal, in partnership with the American Society for Healthcare Engineering (ASHE), which focuses on 25 Life Safety and Environment of Care elements from eight standards identified as the most cited for violations over the last four years.

This simple infographic identifies the standards being featured: Utility Systems, Means of Egress, Built Environment, Fire Protection, General Requirements, LS Protection, Automated Suppression System, and Haz Mat/Waste Management. Each standard is being highlighted in two-month modules: the first month features information for facilities managers; the second month focuses on strategies for leadership and clinical impact. The current modules may be found on the Portal’s Announcement Page.

For example, for violations associated with LS.02.01.20 – The Hospital Maintains the Integrity of the Means of Egress – the Portal offers examples of improved compliance, both for facilities managers and for leadership. Two Elements of Performance are identified as problem areas: corridor clutter was found to have a non-compliance rate of 22.41%, and the EP requiring doors to be unlocked in the direction of egress was found to have a non-compliance rate of 16.84%. A flow chart provides examples of improved compliance, looking at issue identification, the risks associated with non-compliance, the potential impact of the risk, and mitigation strategies. Notice that for each of these EPs there is a crosswalk to the CMS Conditions of Participation.

Navigate to the ASHE website’s Focus on Compliance for additional resources on each standard. For example, for violations of LS.02.01.20 – The Hospital Maintains the Integrity of the Means of Egress, three specific areas are identified: Obstructions of the Means of Egress, Inappropriate Locking Mechanisms, and Improper Use or Designation of Suites. Also, remember to visit and explore the resources in the Joint Commission Survey Toolkit.

Finding a standardized combination of patient attributes and standardizing the collection/input of these attributes in provider electronic systems

Over a year ago, NAHAM offered recommendations that were recorded in the Office of the National Coordinator for HIT’s 2014 Patient Identification and Matching Final Report, pointing to standardization of data attributes and of their capture in electronic systems –

NAHAM supports continuing efforts to create an environment of positive patient identity and believes that the standardization of patient identification protocols and technologies are important means to this goal.  NAHAM is investigating appropriate third factors to enhance positive patient identification.  NAHAM supports the development of standards for data attributes in electronic systems, whether clinical or administrative, and enhanced common capabilities for all health data systems to input standardized data….

This reference to “appropriate third factors” is a call on providers to go beyond The Joint Commission’s National Patient Safety Goal requirement that at least two patient identifiers be used. While it can be acknowledged that this requirement speaks primarily to the clinical setting, it is a benchmark for Patient Access as well. NAHAM’s recommendations call for an additional set of patient identifiers, ideally standardized both in combination and in means of collection, so that all healthcare systems are tracking the same data in the same manner, using the same recording protocols. NAHAM’s recommendations to the ONC also included a call for standardized EHR technology solutions that would support the standardized patient identification attributes –

Ongoing education and training are also important to ensure personnel at all levels understand the important roles patient data input and patient identification protocols serve in enhancing patient safety.  NAHAM supports Stage 3 Meaningful Use requirements to improve patient matching and supports a comprehensive approach that includes the standardization of patient identification attributes, the development of standards for EHR technology solutions, and the development of best practices and protocols for data input. This would include regular feedback from supervisors and audits for quality control.

The same ONC report, based on the input of a number of stakeholders, including NAHAM, recommended the following data attributes: First Name, Last Name, Previous Last Name, Middle Name or Middle Initial, Suffix, Date of Birth, Current Address, Historical Addresses, Current Phone Number, Historical Phone Numbers, Gender. Whether these are the ideal data attributes is arguably subject to debate; however, we do have a general idea of what attributes are most commonly captured.

The results of an informal NAHAM survey presented at the Patient Identity Integrity Symposium held prior to the 41st Annual Educational Conference and Exposition showed that over 80% of respondents indicated that their systems collected the following patient information: Name (First and Last), Home Phone Number, Work Phone Number, Date of Birth, Gender, Next of Kin, Next of Kin Relationship, Guarantor Phone Number, Primary Physician, Insurance Information, Medical Record Number, Billing Address. 

Next of Kin, Next of Kin Relationship, Medical Record Number, and Billing Address fall out when looking at what 90% of respondents collect.  When looking at the common identifiers for all respondents, patient Work Phone Number and Primary Physician fall out.  The survey showed that 100% of respondents collect patient Name, Home Phone Number, Date of Birth, Gender, Guarantor Phone Number, and Insurance Information. 

We also have some metrics on the key patient identifiers or traits: Validity (is the trait known to be correct?), Distinctness (is the trait able to uniquely identify an individual?), and Stability (how much does the trait remain constant over the lifetime of the individual?). The recent Sequoia Project's Framework for Cross-Organizational Patient Identity Management (Draft for Public Review and Comment: November 10, 2015) rated these characteristics along with Completeness (at what rate is the trait captured and available?) and Comparability (noting that numbers such as SSNs are easier to compare than free text such as addresses). Last Name, First Name, Gender and Date of Birth scored well enough to be considered desirable traits, and Postal Code and Primary Phone Number were identified as promising, although Postal Code in particular scored low for Stability. Ethnicity and Race scored high and very high for Comparability and Stability but comparably lower for Completeness, Validity and Distinctness.

When looking at combinations of these traits, the following had the highest levels of Completeness: FN+LN+DoB, FN+LN+DoB+Gender, and FN+LN+DoB+Gender+Zip Code (first 5 digits). This last combination scored highest for Uniqueness, second only to FN+LN+DoB+Gender+SSN (last 4 digits) – although that combination scored among the lowest for Completeness. The Social Security Number scored low for Completeness and Validity, while scoring high for Distinctness, Comparability and Stability.
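The Completeness/Uniqueness trade-off described above, worked through in code: an added Python example (not from the Sequoia Project framework or NAHAM's survey) that scores the page's four trait combinations over a small constructed set of registration records. Field names, the normalization rules and the records are assumptions for illustration.

```python
from collections import Counter

# Constructed sample records (not real patients); None or "" marks a missing trait.
RECORDS = [
    {"fn": "Mary", "ln": "Smith", "dob": "1980-01-02", "gender": "F", "zip": "10001", "ssn4": "1234"},
    {"fn": "Mary", "ln": "Smith", "dob": "1980-01-02", "gender": "F", "zip": "10002", "ssn4": "5678"},
    {"fn": "Mary", "ln": "Smith", "dob": "1980-01-02", "gender": "F", "zip": "10001", "ssn4": None},
    {"fn": "John", "ln": "Smith", "dob": "1975-06-30", "gender": "M", "zip": "10001", "ssn4": "4321"},
    {"fn": "John", "ln": "Smith", "dob": "1975-06-30", "gender": "M", "zip": None, "ssn4": "8765"},
    {"fn": "Ana", "ln": "Lopez", "dob": "1990-11-11", "gender": "F", "zip": "60601", "ssn4": None},
    {"fn": "Li", "ln": "Chen", "dob": "2001-03-03", "gender": "M", "zip": "94110", "ssn4": "0007"},
    {"fn": "Sam", "ln": "Taylor", "dob": "1988-08-08", "gender": "", "zip": "30301", "ssn4": "9999"},
]

# The trait combinations discussed on the page (hypothetical field names).
COMBOS = {
    "FN+LN+DoB": ("fn", "ln", "dob"),
    "FN+LN+DoB+Gender": ("fn", "ln", "dob", "gender"),
    "FN+LN+DoB+Gender+Zip5": ("fn", "ln", "dob", "gender", "zip"),
    "FN+LN+DoB+Gender+SSN4": ("fn", "ln", "dob", "gender", "ssn4"),
}


def normalize(trait, value):
    """Canonicalize one trait so equal values compare equal (Comparability)."""
    if value is None:
        return None
    value = str(value).strip().upper()
    if not value:
        return None
    if trait == "zip":  # keep only the first five digits of a postal code
        digits = "".join(ch for ch in value if ch.isdigit())
        return digits[:5] if len(digits) >= 5 else None
    return value


def composite_key(record, traits):
    """Tuple key for a record, or None if any trait in the combination is missing."""
    parts = tuple(normalize(t, record.get(t)) for t in traits)
    return None if any(p is None for p in parts) else parts


def evaluate(records, traits):
    """Completeness: share of records with every trait present.
    Uniqueness: share of complete records whose key matches no other record."""
    keys = [composite_key(r, traits) for r in records]
    complete = [k for k in keys if k is not None]
    if not complete:
        return 0.0, 0.0
    counts = Counter(complete)
    unique = sum(1 for k in complete if counts[k] == 1)
    return round(len(complete) / len(records), 4), round(unique / len(complete), 4)


def report(records=RECORDS):
    return {name: evaluate(records, traits) for name, traits in COMBOS.items()}


if __name__ == "__main__":
    for name, (comp, uniq) in report().items():
        print(f"{name:24s} completeness={comp:.2f} uniqueness={uniq:.2f}")
```

Adding SSN4 drives Uniqueness to 1.0 on these records but drops Completeness to 0.625, the same pattern the framework reports.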

So, what combination of attributes could become the basis of a national standard? Do phone numbers, historical addresses, or next of kin and relationship aid in maximizing Patient Identity Integrity? What about the last four digits of the Social Security Number? What combination of attributes does your organization collect?

We'll leave for another discussion the important milestone of standardizing the collection of these attributes – meaning the protocols and conventions used in collecting and recording First Name and Last Name, whether to record Middle Name or Middle Initial, and how to agree on conventions such as hyphens (do we eliminate these altogether?), titles, and generational titles (Junior, Senior, etc.).

Let us know what you collect, your thoughts on standardization of how we collect this data, and what combination of attributes could serve as a national standard.

Tuesday, December 1, 2015

The Joint Commission Quick Safety Issue: Temporary names put newborns at risk

The Joint Commission released Quick Safety, Issue 17, October 2015, “Temporary names put newborns at risk”.  NAHAM’s Joint Commission Survey Toolkit includes material on naming conventions for newborns as well.  NAHAM members may find the toolkit, along with NAHAM toolkits for CMS Audits and Patient Identity Integrity, on the NAHAM website. 

The TJC Quick Safety Issue, presented below in its entirety, including reference documents and TJC’s legal disclaimer, points out that temporary names for newborns result in a large number of patients with similar identifiers, identifies a number of misidentification errors, and makes specific recommendations regarding the use of more distinct naming conventions.

Temporary names put newborns at risk

A common practice in hospitals is to give newborns temporary names at birth, since the parents may not have decided on the baby’s name. While the practice is intended to identify newborns, it results in a large number of patients with similar identifiers and who could potentially have the same date of birth, gender and surname – circumstances that put newborns at risk for patient identification errors.1,2

Newborns also are a unique patient population as they are unable to participate in the identification process. This unique need requires a reliable system that is hardwired among all providers to prevent error. An example of a typical temporary name is Babyboy Smith, using the baby’s gender and the parent’s last name. This naming convention is not distinct enough to prevent patient identification errors that could result in harm.

Newborn misidentification errors include:

  • Feeding a mother’s expressed breast milk to the wrong infant2
  • Reading imaging tests or pathology specimens for the wrong patient1
  • Incorrect documentation of medications, vascular lines, and patient weight2
  • Administering blood products to the wrong patient1
  • Collecting lab specimens from the wrong patient
  • Wrong person surgery

The Joint Commission’s Sentinel Event database includes 10 reports since 2010 of sentinel events that occurred due to the misidentification of newborns. All 10 reports are wrong person surgeries and all 10 resulted in circumcision being performed on the wrong patient.

A recent study1 published in Pediatrics highlights how one hospital experienced a 36.3 percent reduction in Retract-and-Reorder (RAR) events after implementing a distinct naming convention for newborns requiring admission to the neonatal intensive care unit (NICU). (RAR is an automated tool for detecting the outcome of wrong-patient electronic orders.) The distinct naming convention used the mother’s first name, followed by the letter “s” and the baby’s gender, then the parent’s last name (ex: Judysgirl Smith). In the case of multiple births, the hospital adds a number in front of the mother’s first name (ex: 1Judysgirl and 2Judysgirl).1

The high potential for error due to the misidentification of newborns was illustrated in a study published in 2006.2  Over a one-year period, a NICU discovered that not a single day was free of risk for patient identification. The mean number of patients who were at risk on any given day was 17, representing just over 50 percent of the average daily census. During the entire calendar year, the risk ranged from 20.6 percent to a high of 72.9 percent. The most common causes of misidentification risk were:

  • Similar-appearing medical record numbers (MRNs)
  • Identical surnames
  • Similar-sounding names

Safety Actions to Consider:

Hospitals can take the following simple and effective actions to protect vulnerable newborns from adverse events related to patient misidentification:

  • Stop using Babyboy or Babygirl as part of the temporary name.
  • Change to a more distinct naming convention.
  • Train staff on the distinct naming convention.
  • Follow the recommendation in National Patient Safety Goal 01.01.01 and implement use of two patient identifiers at all times.
  • As soon as parents decide on their baby’s name, enter that name into the medical record instead of the temporary name.

1. Adelman J, et al: Use of Temporary Names for Newborns and Associated Risks. Pediatrics 136(2); August 2015

2. Gray JE, et al: Patient Misidentification in the Neonatal Intensive Care Unit: Quantification of Risk. Pediatrics 117(1); January 2006

Note: This is not an all-inclusive list.

Legal disclaimer: This material is meant as an information piece only; it is not a standard or a Sentinel Event Alert. The intent of Quick Safety is to raise awareness and to be helpful to Joint Commission-accredited organizations. The information in this publication is derived from actual events that occur in health care.

©The Joint Commission, Division of Health Care Improvement
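The distinct naming convention and the "share of the census at risk" measure from the Quick Safety issue above, worked through as an added Python example (not part of the TJC publication or NAHAM's toolkit). The one-day NICU census is constructed, and "at risk" is simplified here to an infant whose temporary name is shared with another infant on the same census.

```python
from collections import Counter

# Constructed NICU census for one day (no real patients). Each entry is
# (mother's first name, family last name, infant gender, birth order or None).
CENSUS = [
    ("Judy", "Smith", "girl", 1),       # twins: Judy Smith's first and second girl
    ("Judy", "Smith", "girl", 2),
    ("Karen", "Smith", "girl", None),
    ("Karen", "Smith", "girl", None),   # a different mother who is also Karen Smith
    ("Maria", "Smith", "boy", None),
    ("Linda", "Smith", "boy", None),
    ("Aisha", "Khan", "boy", None),
]


def babyboy_name(mother_first, last, gender, birth_order=None):
    """Conventional temporary name: gender word plus the parent's last name."""
    return f"Baby{gender} {last}"


def distinct_name(mother_first, last, gender, birth_order=None):
    """Distinct convention from the Quick Safety issue: mother's first name,
    the letter 's', the infant's gender, then the last name (Judysgirl Smith);
    for multiple births a number is placed in front (1Judysgirl, 2Judysgirl)."""
    prefix = str(birth_order) if birth_order is not None else ""
    return f"{prefix}{mother_first}s{gender} {last}"


def at_risk(census, convention):
    """Count infants whose temporary name is shared with another infant on the
    census, and return that count with its share of the census (simplified
    version of the 'patients at risk per day' measure in the 2006 study)."""
    names = [convention(*infant) for infant in census]
    counts = Counter(names)
    shared = [n for n in names if counts[n] > 1]
    return len(shared), round(len(shared) / len(names), 3)


if __name__ == "__main__":
    for label, conv in (("Babyboy/Babygirl", babyboy_name), ("Distinct", distinct_name)):
        n, share = at_risk(CENSUS, conv)
        print(f"{label:17s} at risk: {n}/{len(CENSUS)} ({share:.1%})")
```

The two Karen Smith girls still collide under the distinct convention, which is why the issue pairs the naming change with the two-identifier requirement rather than relying on the name alone.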