There are currently two competing forces with respect to the administration of healthcare. On the one hand, the government seeks widespread use of EMRs and electronic dissemination of medical records. On the other hand, OIG, various Attorneys General and the courts present potentially crippling financial liability for the almost inevitable data breaches caused by hackers.
The recent data breaches of Target and Sony, among others, amply demonstrate that financial data (which often includes medical data) presents a rich target for hackers. The value of Medicare information is often much more valuable, on a per person basis, than a person’s credit history. More specifically, dishonest DME companies and/or sham medical facilities are able to use improperly obtained Medicare information thus enabling them to be reimbursed well in advance of the government becoming aware of, investigating and finally stopping the improper billing and resulting payments. Considering the value of these “rich targets,” it seems almost inevitable that data hacking is a growth (albeit illegal) industry.
Conversely, the government is currently cutting Medicare reimbursement from more than 257,000 U.S. doctors by 1% for failure to meet federal goals in the use of electronic medical records. In addition, 28,000 providers will be fined an additional 1% of Medicare pay for failure to prescribe medications electronically.
While there are approximately 400,000 providers that have received bonus Medicare payments for meeting electronic use goals, these bonuses will ultimately be replaced by fines for failure to adopt electronic records and/or communications.
For those that have adopted EMR and electronic communication systems, the courts are generally allowing private rights of action for the breaches, and this is in addition to the governmental fines and associated costs for HIPAA and HITECH breaches.
In a case brought in Minnesota, U.S. District Judge Paul Magnuson recently ruled that consumers were allowed to sue Target Corporation over the retailer’s late 2013 data breach that they claim compromised their personal financial information. Target has said that at least 40 million credit cards were compromised in the breach which may have resulted in the theft of the personal information (such as e-mail addresses and phone numbers) of as many as 110 million people. This ruling followed a similar decision by Judge Magnuson in which he allowed banks to move forward with their lawsuits against Target for the money they spent reimbursing fraudulent charges and for the issuance of new credit and debit cards related to the breach.
With respect to the Sony breach, at least four lawsuits have been filed accusing Sony of not doing enough to protect individuals’ private data, including personal medical information. According to the class action lawsuit filed in U.S. District Court in California, “for decades, [Sony] failed, and continues to fail, to take the reasonably necessary actions to provide a sufficient level of IT security to reasonably secure its employees’ [personal information].”
Frankly, the same allegation could be asserted against any organization that is the victim of a data hack. The essential argument would be that by sheer virtue of the fact that data was hacked, the company, or in this case the medical provider, did not provide sufficient security.
Effectively, medical providers are forced to either embrace electronic medical records and electronic dissemination of medical information or face lower revenues and/or fines. On the other hand, if they do embrace the use of EMRs and electronic transmission of PHI, they risk the consequences of an almost inevitable chance of their data being hacked, which could (at least theoretically) render them insolvent or even bankrupt.
Alternatively, medical providers could follow the Kremlin’s logic and recognize that entering information into a computer renders it susceptible to hacking or improper dissemination. Specifically, in July of 2013, a source in Russia’s Federal Guard Service (FSG), which is in charge of safeguarding Kremlin communications, disclosed that FSG was looking to spend approximately $15,000 to purchase ELECTRIC typewriters in light of the publication of secret Wiki leaks documents. Apparently, they believe that computers cannotbe trusted. Interestingly, it appears that the Kremlin actually forgot that computers are not the only technology vulnerable to attack. Even ELECTRIC typewriters are not safe.
There were reports that German politicians were also considering a return to manual typewriters for sensitive documents. The Germans were not even considering electric typewriters, but were going back to the REALLY old-fashioned MANUAL typewriters. If you are starting to believe that the Germans are paranoid, the Associated Press (in the 1980s) reported that the Soviets bugged the typewriters in the U.S. Embassy. “In the second such lapse since 1978, U.S. officials allowed Soviet agents to get hold of typewriters being shipped to the U.S. Embassy in Moscow and to bug them electronically ‘for years,’” the Senate intelligence committee said Tuesday. As a result, the panel said “for years, the Soviets were reading some of our most sensitive diplomatic correspondence, economic and political analyses, and other communications.”
With the advent of microchips, one could argue that even pens could transmit information.
It would be very sad if the medical profession were held to a standard that large corporations and even governments cannot maintain. Is using quill pens the only bulletproof solution to preclude liability, or should we have reasonable and attainable standards beyond which doctors, clinics and hospitals would not be held accountable for data hacks?
What do you think?
If you think this article is worthy of comments, please share it with your connections.