Health Net's Data Breach Highlights Need for Privacy Officer with Clear Job Description

Posted on December 3, 2009 by Jason C. Gavejian

Co-Author:  Joseph J. Lazzarotti, Esq.

Health Net Inc., one of the nation’s largest publicly traded managed health care companies, recently notified authorities and informed affected persons, with a statement on its website, that the unencrypted personal information of 1.5 million current and former members, stored on a portable disk drive, is missing from the company's Connecticut office. The company is now working to send written notices to affected individuals in four states—Arizona, New York, New Jersey and Connecticut.

Coordinating a data breach response, responding to the questions and complaints of affected persons, and negotiating with vendors to provide monitoring services are time-consuming, tedious tasks that require a strong sense of an organization’s public image, good judgment and excellent communication skills. Having the right person to drive this effort internally is critical. 

Additionally, companies that experience data breaches increasingly are becoming subject to federal and state agency inquiries. In this case, at least two states have announced investigations. Connecticut Attorney General Richard Blumenthal said his office will investigate the loss of the portable disk drive that he believed held the unencrypted health, personal, and financial information of some 450,000 Connecticut residents. Blumenthal also vowed to probe a six-month lag in notifying affected individuals of the breach. In a letter dated November 19, 2009, Arizona Attorney General Terry Goddard’s office requested information about the breach from Health Net, also noting the time between the breach and when affected persons were notified. It is critical that an organization’s Privacy Officer be prepared to respond to these inquiries, with the assistance of internal or external counsel when appropriate.

A breach of personal information, particularly one of this size, reminds us of the need for companies to take steps to implement policies and practices that safeguard sensitive personal and company confidential information. The first step is to appoint a person to spearhead a data breach response– typically the Chief Privacy or Information Officer. Among the duties and responsibilities of a Privacy Officer is being the company’s first line of defense when responding to a data breach, including directing the investigation of the breach, coordinating the notification process, addressing the concerns of affected persons and responding to government agency inquiries. For a sample Privacy Officer job description, click here.  

Tags: , , , , , , , , , ,

Electronic Health Records: The Work to Build a Health Information Technology Infrastructure Begins

Posted on December 1, 2009 by Jason C. Gavejian

Co-Author:  V. John Ella, Esq.

In a key step toward developing a proposed U.S. health information technology (HIT) infrastructure, the Centers for Medicare & Medicaid Services has announced that Iowa’s Medicaid program is the first to receive federal matching funds for planning activities necessary to implement the electronic health record (EHR) incentive program established by the American Recovery and Reinvestment Act of 2009 (ARRA). 

ARRA was signed into law by President Obama on February 17, 2009. Among its various parts, ARRA includes provisions for the improvement of our nation’s health care through health information technology (also known as Health IT or HIT), Medicare and Medicaid Health IT provisions which provide incentives and support for the adoption of certified electronic health records (EHRs); and provisions to expand, enforce, and enhance the privacy and security safeguards required by HIPAA. The proposed goal of a switch to EHRs is to improve the quality of health care for individuals, make care more efficient by making it easier for providers treating a patient to coordinate care, and make it easier for individual patients to access the information they need to make decisions about their own health care. Responsibility for implementing this program falls to the National Coordinator for Health Information Technology, a position currently filled by Dr. David Blumenthal at the Department of Health and Human Services (“HHS”). In furtherance of this goal, Mr. Blumenthal recently announced $80 million in grants to develop a HIT workforce. Additionally, the HHS has created a helpful website on the topic of health information technology with links to resources on privacy issues.

In discussing the approximately $1.16 million in federal matching funds Iowa will receive, Cindy Mann, director of the Center for Medicaid and State Operations at CMS said, “While Iowa is the first state to receive approval of its plan for implementing the Recovery Act’s EHR incentive program, a number of other states have submitted plans as well, meaningful and interoperable use of EHRs in Medicaid will increase health care efficiency, reduce medical errors and improve quality-outcomes and patient satisfaction within and across the states.”   As the first state to receive federal funding, Iowa will use the funds to focus on planning, information gathering, analysis, and assessment with respect HIT and the use of EHR within the state.  

A HIT Infrastructure is likely to raise a range of new issues involving the handling of sensitive personal information. For instance, anytime extensive personal and medical information is placed in electronic form, the chance of a data breach or information misuse rises significantly. This is especially true given the recent growth in the area of medical identity theft. Additionally, as some commentators have reported, physicians, hospitals, and clinics have all expressed concerns regarding the technical feasibility of the system, potential for patient mix-ups, as well as the extensive cost to make the switch to EHR. How such a system would affect employers and group health plan administration remains unclear.  

With such an emphasis on a switch to EHR, and billions of federal dollars fueling the conversion, all businesses, particularly health care providers, need to be consider how they will be affected by the new HIT infrastructure. 

Tags: , , , , , , , ,