Business

Stimulus bill puts burden on physicians to tell patients of data breach

A column about keeping your practice in good health

By — Posted March 16, 2009.

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

Sending a letter to patients to notify them of a data breach in your office is more than just a nice thing to do -- it's becoming something you must do.

The recently passed stimulus legislation -- the American Recovery and Reinvestment Act of 2009 -- includes language that requires any physician office that has discovered a breach involving unsecured data to notify by letter every affected patient. The requirement is the same whether records are on a computer or in paper form. You have until 60 days after discovering the data breach to let patients know it happened.

If more than 500 patients are affected, you also have to immediately notify local media and the Dept. of Health and Human Services. HHS will post notice of the breach on its Web site. If fewer than 500 patients are involved, you must file an annual report with HHS.

The American Medical Association said it feels it is important to protect patients' privacy, but it wants to make sure the law doesn't produce any undue financial or work burdens on the physician.

"These laws change the landscape for physicians," said Lisa Sotto, partner and head of the privacy and information management practice at New York law firm Hunton & Williams LLP.

With that in mind, experts say it's important to have a plan for what to do if a data breach is discovered. Look into whether your data are encrypted, or can be. Create a form letter that can be easily altered to fit the circumstances of the breach. Ensure you have up-to-date contact information on your patients or their next of kin.

Details of what should be included in the letter required under the federal stimulus law are still being worked out. State laws often require that patients be notified that their personal and health information may have been breached, the date the breach occurred and how it occurred, said Robert Gellman, a privacy and information policy consultant in Washington, D.C.

In many cases, state laws requiring hospitals or practices to notify patients in case of a data breach do not require notification if the data is encrypted. But the laws often do not define "encrypted," giving physicians leeway to decide whether any data accessed was truly unsecured. Encryption is generally considered to involve information that is gibberish unless a user has a special key or code

By mid-April, according to the stimulus law, HHS will have a definition of encryption; any practice whose data is encrypted will not be required to send out notice of a breach.

Experts say if your electronic records don't already have an encryption system, it could cost anywhere from a few thousand dollars to $20,000 per physician to have one installed. But the cost of a data breach could be greater.

For example, in Longview, Wash., the Pediatric Clinic sent letters to all of the five-physician practice's 20,000 patients and family members after someone broke into a locked room and stole a backup tape for its patient data base from the computer hard drive. About 25% of the patients had their Social Security numbers included in the data base; no credit card information was involved.

The incident cost the practice more than $20,000 -- $15,000 of which was the cost of sending the letters, office manager Cindy Strandberg said.

Attorney Sotto said the costs could be much higher if a patient sues over the breach, or if the practice offers a year's worth of credit-monitoring services to affected patients.

Practices also could be fined by HHS for breaches under tougher enforcement penalties added to HIPAA as part of the stimulus act. The fines could range from $100 for an unintentional violation to $10,000 for a violation caused by willful neglect, to $50,000 if an identified violation is not corrected.

State attorneys general would be given leeway to take action on behalf of patients against practices.

Experts say that the legislation aside, the best reason to track your systems and inform patients of any breaches is simply good business.

"Practices that don't notify patients could ... lose your patients' confidence," said Pam Dixon, executive director of World Privacy Forum, a privacy-focused public interest research group located in Cardiff by the Sea, Calif.

Back to top


RELATED CONTENT

ADVERTISEMENT

ADVERTISE HERE


Featured
Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story


Read story

Goodbye

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story


Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story


Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story


Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story


Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story


Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story


Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story