September 2014

Boston Data Breach Raises Questions
By David Yeager
For The Record
Vol. 26 No. 9 P. 26

Medical transcription service organizations (MTSOs) handle sensitive medical information on a daily basis. In general, they do a thorough job of maintaining data privacy and security. That’s one reason a data breach at Boston Medical Center earlier this year grabbed the attention of many in the industry.

In the incident, 15,000 patient records became accessible on MDF Transcription Services’ website used by physicians. According to the Boston Globe, the records contained patients’ names, addresses, and medical information, including what drugs they were taking, but did not include Social Security numbers or financial information.

Because of the volume of data that MTSOs handle, it may be surprising that data breaches don’t occur more frequently. If nothing else, the Boston Medical Center breach serves as a harsh reminder that data security requires constant vigilance.

“If this isn’t the wake-up call that’s needed, I don’t know what is,” says Susan Lucci, RHIA, CHPS, CHDS, AHDI-F, a consultant and chief privacy officer for Just Associates.

“Transcription companies, as a whole, access some of the most sensitive data in hospitals and for providers. The PHI [protected health information] that they’re working with is extremely sensitive and needs to have all of the protections that privacy and security rules hold for business associates. Health care consumers and covered entities need to know about these breaches so that they can do their due diligence when they’re looking for a transcription vendor.”

Lucci says the Boston Medical Center breach, as well as others that involved M2ComSys in August 2013 and GMR Transcription Services between March and October 2011, underscores the need to conduct a comprehensive business analysis, as mandated by HIPAA, to properly assess risk. She says identifying threats, vulnerabilities, and the protections already in place allows organizations to determine their risk level. While it’s true that large organizations have more resources to deploy security protocols—along with a higher degree of risk—Lucci says when it comes to HIPAA, size doesn’t matter.

“HIPAA was never intended to be so difficult that everybody has to adhere to the highest level,” she notes. “It is scalable, and organizations need to keep that in mind when they are working to comply with HIPAA. It comes down to looking at the requirements of HIPAA and understanding that it’s not there to create an administrative burden; it’s there to keep PHI protected and secure.”

Although risk can never be completely eliminated, organizations must minimize danger to the greatest degree possible within the scope of their organization. For MTSOs, Lucci says the following are basic requirements for adequate security: effective policies and procedures; a well-trained privacy and security officer; up-to-date business associate agreements; a comprehensive security risk analysis on business systems, software, and hardware; and a trained workforce schooled in HIPAA compliance. While smaller companies don’t necessarily need to follow a Nuance- or M*Modal-type HIPAA compliance program, they still will be held accountable for securely handling PHI.

How Do Breaches Occur?
Although leaving data on an unsecured website seems like the most basic of errors, Brenda J. Hurley, CMT, AHDI-F, a health care documentation compliance consultant, says it’s possible the demands associated with life in an EHR environment may have played a role in the Boston Medical Center breach.

When paper records were the norm, items that were the responsibility of transcriptionists were easily accessible. Today, information sometimes is expected to be transferred from the EHR to the patient record. For example, data from the initial patient encounter can be imported into the file for the follow-up visit even though some health care organizations don’t provide their transcriptionists with access to the EHR.

“Doctors now often say, ‘Copy the med list from the last visit, and put it in this visit.’ Those types of comments are constantly being dictated now,” Hurley says. “And that means that transcriptionists need to have access to that old information. Otherwise, how do they know what’s in that list? So sometimes information must be made available to transcriptionists to complete the record.”

That being the case, she says there are ways for MTSOs to securely obtain access to the desired information. Because little information has been released about the Boston Medical Center breach, it’s difficult to determine its root cause. According to Hurley, the incident may have been the result of a failure to reinstall the firewall following a software update or a programming change. It’s also possible that simple carelessness was the culprit, she notes.

Whatever the reason, Hurley says a data breach can be the death of a small MTSO. Most health care organizations have a mechanism for recouping the costs associated with a data breach written into their MTSO contracts. Should 15,000 patients need to be notified of a data breach, the expense could prove to be irreparable. Also, the Office for Civil Rights has been handing out increasingly larger fines for HIPAA violations. As a result, a small MTSO may not be able to meet its contractual obligations or the health care provider may feel that the only way to limit its liability is to cut ties with the MTSO.

Although this reality may cause fear among some transcription providers, several of whom declined to be interviewed for this article, Hurley views it as an opportunity. “Perhaps there is that feeling that there is some industrywide damage that has occurred, but if you’re an MTSO that’s doing it right—you’re securing your websites, you’re training your staff, you have written policies and procedures in place, you’ve done a risk assessment, you’re constantly alert to ways to improve the process and protect information better—I think they would welcome such scrutiny from the industry,” she says.

Angela Dinh Rose, MHA, RHIA, CHPS, the director of HIM practice excellence for AHIMA, says it’s important to be proactive about security. For example, she recommends MTSOs hire someone to hack into the business network to get a better read on where vulnerabilities are. At the very least, all PHI should be encrypted and password protected. Most of all, she says anyone who handles PHI needs to keep data security at the forefront of their efforts.

“It goes back to knowing your policies and procedures, making sure that your processes are in place, and making sure that you check them and double check them and triple check them,” Dinh Rose says. “Just because you implement something doesn’t mean that six months later it’s still working. You have to go back and look at it to make sure that it’s still working.”

—David Yeager is freelance writer and editor based in Royersford, Pennsylvania.