Office of Civil Rights Director Leon Rodriguez aims to improve patient data protection
Despite the challenge of getting new systems off the ground, it’s clear that electronic health records are a powerful tool. They could save the American health care system billions of dollars by reducing unnecessary tests. They could make managing multiple chronic illnesses easier for both patients and doctors. And they present big research opportunities.
Ultimately, though, electronic health records are only as good as they are secure.
Leon Rodriguez, who started in September as head of the office charged with enforcing federal health privacy laws, said he recognizes that. Rodriguez said his office will take a tougher stance on the Health Insurance Portability and Accountability Act, better known as HIPAA, with a goal of improving public acceptance of electronic records.
“People will trust the system more, and the system will, in fact, be more trustworthy,” said Rodriguez, who is director of the Office of Civil Rights within the Department of Health and Human Services.
Rodriguez was in Boston last week, visiting the regional office and meeting with people in the community about various projects, including the expansion of translation services for Asian Americans.
“It’s better health care if you can actually communicate with your patient,” he said, in an interview after his visit.
Rodriguez’s office also oversees enforcement of laws prohibiting discrimination in health care based on disability, race, and ethnicity.
The privacy law has been in place for 15 years, and the 2009 stimulus bill strengthened it, increasing penalties for individuals and institutions who breach privacy. Previously, entities that broke the law were subject to fines of no more than $25,000 annually. Now the fines can max out at $1.5 million in a year. The update to the law required public reporting of breaches that affect 500 patients or more.
Called the HITECH Act, for Health Information Technology for Economic and Clinical Health, the 2009 law also allowed for Rodriguez’s office to go after “business associates” of health care providers, including companies that handle protected patient data for billing purposes or management of hospital records. Previously, the government could do little more than recommend that a hospital or providers stop working with a vendor that had misused or misplaced patient data.
Many of the largest breaches reported since 2009 involved such contractors. One of the biggest in recent years occurred in Massachusetts last year, when a company that South Shore Hospital hired to destroy three boxes of unmarked computer tapes lost two of them. The lost tapes may have contained personal and financial information for about 800,000 patients.
Though Congress gave the Office of Civil Rights authority over business associates starting last year, the regulations are still being written. Rodriguez said he is hoping they will be finalized soon. Some industry experts said time is of the essence, especially as hospitals and doctors across the country are quickly adopting electronic systems.
Micky Tripathi, CEO of the Massachusetts eHealth Collaborative, a nonprofit that provides strategic and technical support for providers adopting electronic records, wrote a blog post this month about how his company reacted when a laptop containing information on thousands of patients was stolen out of an employee’s car last spring.
While the group took responsibility for much of the follow-up, the legal burden fell primarily on the shoulders of the organizations it worked for, Tripathi said. It was unclear what authority the Office of Civil Rights had over his company’s response.
“This ambiguity did not change our response or our diligence to comply with all state and federal laws, but in my opinion, this clearly points to a huge gap in the current monitoring and enforcement framework,” Tripathi wrote. “OCR should have the authority to follow a data spill as far into the contracting chain as they need to go.”
Tripathi went into detail about the company’s reaction to the breach, right down to hiring a private investigator to try to locate the stolen laptop for sale on Craigslist or in pawn shops, and he offered a list of eight lessons learned. He expects to see the number of incidents like the one his company faced grow exponentially with the expansion of electronic health records, he wrote.
Deven McGraw, director of the Health Policy Project at the nonprofit Center for Democracy & Technology in Washington D.C., said stronger enforcement of HIPAA is critical to the success of electronic health records. People regularly see news reports about health data breaches.
“Even if their data isn’t involved in the breach, they start to wonder whether the health care system has its act together,” she said.
About two-thirds of the large, publicly reported data breaches are the result of loss or theft of a piece of technology, McGraw said. Those breaches could have been avoided if that equipment was properly encrypted. (Tripathi’s company had been shopping for encryption options when the breach occurred, he wrote.)
McGraw said the health care industry is playing catch-up.
“We’re just on the back side of the curve of adoption of more robust security,” she said. “I’m hoping that in another year, we’ll have a little bit of a different picture, but it’s not pretty right now.”
McGraw said she would like to see the rules on business associates released soon -- and not stuck in the politics of regulation during an election year.
Meanwhile, Rodriguez said his office is ready to work with providers focused on security.
“We are available for technical assistance for entities that want to get it right,” he said.
Chelsea Conaboy can be reached at cconaboy@boston.com. Follow her on Twitter @cconaboy.