Thursday, November 5, 2009

Breach Notification – and how it applies to you

“Breach notification” is a term used to describe unauthorized access to protected health information (PHI), and one’s responsibilities in response to such an occurrence. A “breach” can happen due to theft of data (a deliberate act), or simply the unintentional exposure of PHI to unauthorized viewing. When a breach occurs, the law obligates the holder of the PHI to disclose to every affected individual (patient) that a breach took place. Failure to disclose such breaches can carry significant penalties.

The economic stimulus law’s HITECH section provides incentive payments to physicians to adopt HHS-Certified Electronic Health Records (EHR) systems, and to use them in ways consistent with Meaningful Use. Considerable money is at stake here – about $30 billion in incentives to doctors and hospitals, with about $18 billion going through Medicare and $12 billion going through Medicaid.

Oversight of these payments is under the purview of CMS, but the HHS’ Office of the Inspector General plans to audit this process. According to a recent report, the Inspector General intends to review CMS’ oversight and program management in order to prevent duplicate and fraudulent incentive payments. It will also ensure that the new law’s Breach Notification requirements are put in place. CMS has stated that it has budgeted $905 million to carry out these enforcement activities. Failure to ensure PHI safety and security, and failure to notify and remedy a PHI breach, invalidates achievement of Meaningful Use, nullifying incentive payments.

So what kind of vulnerabilities do physicians face with regard to the risk of PHI breaches when choosing an EHR system? Firstly, in a paper-based office, PHI breaches (someone stealing or looking at a chart in an unauthorized way) are usually small-scale – one chart at a time – but, nevertheless, Breach Notification obligates the practice to let the patient know that their chart was stolen or breached.

Many EHR systems are locally deployed – client/server systems designed to run on a Local Area Network (LAN). That means that computers somewhere on the premises (or backup systems used for safety to back up the data) contain PHI – theft of these computers (or backup media) can result in a massive breach. In fact, the most notable instances of breach have been from theft of computers containing PHI.

There is a safe harbor, however. If the data is encrypted – stored in a way where PHI is deemed unusable, unreadable, or indecipherable – and provided that the encryption keys are not stored in the same place, then Breach Notification is not required. Further, if the media on which PHI is stored (like the original paper documents that were scanned, or the disks that were used for upload) is destroyed – shredded – or local copies on a computer of documents that were uploaded into a secure/encrypted location are erased in a way that cannot be retrieved (consistent with NIST specifications), then the breach notification exemption applies.
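The two safe-harbor conditions above (PHI rendered indecipherable, and the key kept somewhere other than the media) can be checked concretely. The following is an added, stdlib-only illustration, not code from the post or from Practice Fusion: it models the backup media as a dict of filenames to bytes, keeps the key in a separate store, and uses HMAC-SHA256 in counter mode with an HMAC tag (an illustrative encrypt-then-MAC construction; a real deployment would use AES-GCM from a vetted library). The patient record is constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record (fictional data, not from the page).
SAMPLE_PHI = {"patient": "Jane Example", "dob": "1970-01-01", "dx": "J45.909"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC(key, nonce || counter) blocks concatenated.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from the stored master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_record(record: dict, key: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    pt = json.dumps(record).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # blob layout: nonce(16) || ciphertext || tag(32)


def decrypt_record(blob: bytes, key: bytes) -> dict:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or altered backup")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def backup_to_media(record: dict, key: bytes) -> dict:
    # Only the encrypted blob goes onto the backup media; the key stays elsewhere.
    return {"backup.bin": encrypt_record(record, key)}


def media_exposes_phi(media: dict, record: dict) -> bool:
    # Safe harbor fails if any record value appears in clear on the media,
    # or if key material was copied onto the same media.
    blob = b"".join(media.values())
    if any(name.endswith(".key") for name in media):
        return True
    return any(str(v).encode() in blob for v in record.values())
```

Losing the media dict returned by `backup_to_media` does not expose the record; losing a dict that also holds the key, or an unencrypted copy, does.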

Such encryption systems are burdensome, and are a challenge for EHRs that are locally installed – it is up to the physicians (the HIPAA-covered entity) to make sure that the vendor sets up the system in a secure way. The HHS Inspector General may audit such installations to make sure.

What about hosted systems? Not all hosted EHRs are the same – just because a vendor says it’s web-based doesn’t automatically mean it’s safe. Practice Fusion has been very focused on safety and security, and has designed its web-based EHR in such a way that no PHI resides on a local machine – once a session has ended, there is no PHI left behind. Of course, local scanned-image or other files (like Word documents) that are uploaded into Practice Fusion should be destroyed in a secure-erased way, and the original papers that are scanned should be shredded – but that is true with every EHR system.

At the server end, Practice Fusion takes great pains to ensure data security and protection against intrusion, beyond the basics of 128-bit https encryption, firewalls, and 3-key access control (with enforcement of high-level password complexity). There has even been engagement of private security consultants to carry out security audits of how the data is protected, and of how PHI access is protected both internally and externally. The result is such that the “safe harbor” protection against Breach Notification can be extended to Practice Fusion users – use of this particular system will result in a much higher level of security than one is likely to achieve with any locally-installed system.


Robert Rowley, MD – Chief Medical Officer, Practice Fusion, Inc.
