Stimulus bill puts burden on physicians to tell patients of data breach
■ A column about keeping your practice in good health
Sending a letter to patients to notify them of a data breach in your office is more than just a nice thing to do -- it's becoming something you must do.
The recently passed stimulus legislation -- the American Recovery and Reinvestment Act of 2009 -- includes language that requires any physician office that has discovered a breach involving unsecured data to notify by letter every affected patient. The requirement is the same whether records are on a computer or in paper form. You have until 60 days after discovering the data breach to let patients know it happened.
If more than 500 patients are affected, you also have to immediately notify local media and the Dept. of Health and Human Services. HHS will post notice of the breach on its Web site. If fewer than 500 patients are involved, you must file an annual report with HHS.
The American Medical Association said it feels it is important to protect patients' privacy, but it wants to make sure the law doesn't produce any undue financial or work burdens on the physician.
"These laws change the landscape for physicians," said Lisa Sotto, partner and head of the privacy and information management practice at New York law firm Hunton & Williams LLP.
With that in mind, experts say it's important to have a plan for what to do if a data breach is discovered. Look into whether your data are encrypted, or can be. Create a form letter that can be easily altered to fit the circumstances of the breach. Ensure you have up-to-date contact information on your patients or their next of kin.
Details of what should be included in the letter required under the federal stimulus law are still being worked out. State laws often require that patients be notified that their personal and health information may have been breached, the date the breach occurred and how it occurred, said Robert Gellman, a privacy and information policy consultant in Washington, D.C.
In many cases, state laws requiring hospitals or practices to notify patients in case of a data breach do not require notification if the data is encrypted. But the laws often do not define "encrypted," giving physicians leeway to decide whether any data accessed was truly unsecured. Encryption is generally understood to mean that the information is unreadable unless a user has a special key or code.
By mid-April, according to the stimulus law, HHS will have a definition of encryption; any practice whose data is encrypted will not be required to send out notice of a breach.
Experts say if your electronic records don't already have an encryption system, it could cost anywhere from a few thousand dollars to $20,000 per physician to have one installed. But the cost of a data breach could be greater.
For example, in Longview, Wash., the Pediatric Clinic sent letters to all of the five-physician practice's 20,000 patients and family members after someone broke into a locked room and stole a backup tape of its patient database. About 25% of the patients had their Social Security numbers included in the database; no credit card information was involved.
The incident cost the practice more than $20,000 -- $15,000 of which was the cost of sending the letters, office manager Cindy Strandberg said.
Attorney Sotto said the costs could be much higher if a patient sues over the breach, or if the practice offers a year's worth of credit-monitoring services to affected patients.
Practices also could be fined by HHS for breaches under tougher enforcement penalties added to HIPAA as part of the stimulus act. The fines could range from $100 for an unintentional violation to $10,000 for a violation caused by willful neglect, to $50,000 if an identified violation is not corrected.
State attorneys general would be given leeway to take action on behalf of patients against practices.
Experts say that the legislation aside, the best reason to track your systems and inform patients of any breaches is simply good business.
"Practices that don't notify patients could ... lose your patients' confidence," said Pam Dixon, executive director of World Privacy Forum, a privacy-focused public interest research group located in Cardiff by the Sea, Calif.