2011, with 385 breaches affecting about 19 million patient health records. The average number of patient records per breach in 2011 was 49,396, an 80-percent increase since 2010.


The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act revised HIPAA regulations to require physicians and others subject to the law to notify the patient when a breach of his or her unsecured PHI occurs. HHS generally defines a breach as “an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the PHI” and poses a significant risk of “financial, reputational, or other harm” to the patient.


Civil penalties for unintentional HIPAA violations range from a minimum of $100 per violation to a maximum of $50,000 per violation. Criminal penalties for fraud include a minimum $100,000 fine and up to five years’ imprisonment. Individuals who violate HIPAA with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm face a maximum $250,000 fine and 10 years’ imprisonment. For more information about penalties, consult Section 13410 of the HITECH Act at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf. (See “Mum’s the Word,” August 2010 Texas Medicine, pages 49–53.)

According to the 2010 and 2011 Ponemon Institute Benchmark Study on Patient Privacy and Data Security, data breaches commonly result in the following problems for physicians:


• Loss of revenue, business, and patient goodwill;
• Damage to reputation;
• Lost time and productivity;
• Cost of outside consultants and lawyers;
• Remediation, technology, and training expenses;
• Government fines and penalties;
• Lawsuits; and
• Poor employee morale.


Austin attorney Deborah Hiser says physicians would be smart not only to have a system to detect breaches but also to encrypt all confidential patient information. The reason: Physicians and business associates must provide the required notification only if the breach involves unsecured PHI. HHS has guidance on ways to encrypt PHI on its website, http://1.usa.gov/n0KNLH.

TMA’s policies and procedures guide is a useful HIPAA compliance tool. Ms. Hiser and attorney Ana Cowan worked with TMA to develop the guide’s HIPAA and HITECH privacy and security manuals and forms. The manuals include template policies and forms for:


• Staff training on the HITECH Act requirements,
• Business associate agreements that incorporate the HITECH amendments,
• Breach risk assessments, and
• Use of email with patients.


Texas law tougher than HIPAA

Texas raised the patient privacy stakes with a new law that took effect Sept. 1. For example, while HIPAA has always required physicians to train their employees, the new state law mandates training specific to the staff member’s scope of employment within 60 days after he or she is hired. In addition, training must be provided at least once every two years and must be documented, says Ms. Hiser.


HIPAA webinar: Reduce your risk

Matt Murray, MD, a Fort Worth pediatric emergency physician and vice chair of the Texas Medical Association Ad Hoc Committee on Health Information Technology, conducted a webinar titled HIPAA: Reduce Your Risk, which is available on demand from TMA. He discusses privacy, security, and patient consent concerns; Texas’ new privacy law; changes to HIPAA; physician accountability and financial penalties for privacy breaches; problems that can impede the safe use of electronic health records and electronic exchange of records; risk assessment tools; and encryption. To access the webinar, visit the TMA Education Center, http://bit.ly/SA2X7W.

52 TEXAS MEDICINE January 2013


The Texas law directs physicians to notify patients their health information is subject to electronic disclosure, says Ms. Cowan.

Matt Murray, MD

Fort Worth emergency physician Matt Murray, MD, vice chair of the TMA Ad Hoc Committee on Health Information Technology, says it is especially important for physicians to become well versed in cyber liability risk and Texas’ new medical records privacy law. For instance, under the new state law, physicians using EHRs must give patients their electronic records within 15 business days of a written request (just like physicians

