Almost all software programs have bugs in their code. The bugs may be security holes, problems displaying pages on mobile devices or inaccurately displaying results in reports to name a few. So it should be no shock that electronic health record (EHR) systems would have bugs as well. EHRs are complex software programs and are prone to the same bugs as other software programs.
Now picture a scenario where a bug in an EHR displays the information of the wrong patient in a patient portal. A patient logs into the patient portal but instead of seeing their record, they see the record of another patient. Although it might be hard to believe, the truth is that I have heard this exact situation from two different EHR / medical billing vendors in the past week. Both situations only occurred when a combination of functions were performed which in turn resulted in the wrong information being displayed.
Software Vendor Repercussions
From the software vendor perspective they have a huge problem on their hands. Showing the wrong patient information to another patient is clearly a HIPAA violation. Basically they are disclosing protected health information (PHI) of one patient to another patient. There are several questions that need to be answered:
- How many patients have seen the wrong information?
- Which patients’ information have been disclosed?
- Which providers (covered entities) need to be notified that their patients have had their information breached?
The challenge here is trying to determine which patients have been affected. Without strong auditing and audit logs it is very difficult if not impossible to determine. Auditing is one of those hidden, behind the scenes functions that take a lot of work to implement and doesn’t provide a lot of functionality that clients value. But auditing is absolutely required under the HIPAA Security Rule. Because it is not a customer facing function, a lot of software vendors do not implement robust auditing. This can come back to bite them if there is ever a software bug that potentially leads to a suspected HIPAA breach.
Without auditing and the ability to prove which patients were affected and which weren’t, assumptions have to be made which could result in an overstatement or understatement of affected individuals. Neither are good outcomes.
Covered Entity Repercussions
While software vendors experience the pain of software bugs, their customers can experience a lot of the pain as well. This is true in the case of the EHR / medical billing vendors exposing the wrong PHI to other patients. Once the software vendor determines which patients were affected, they have to notify their customers, the covered entities, of the security breach. The covered entity or medical provider unexpectedly receives an email or letter from their software vendor letting them know that there has been a security breach that requires notification to the affected individuals / patients.
Imagine receiving a letter telling you that 2,000 of your patients were affected by a security breach and that you not only have to notify them but you have to notify the Office of Civil Rights (OCR) as well. There is nothing that you did wrong but because your business associate (software vendor) had a breach it is now your responsibility.
Almost certainly the incident will require legal counseling, breach notification efforts and expenses and result in many upset patients.
Depending on the size of the breach and the circumstances surrounding the breach, OCR may decide to investigate the breach. When business associates experience a HIPAA breach, many times OCR will investigate both the business associate and the covered entity (as documented here)
A breach by a business associate can open Pandora’s Box for the covered entity. The covered entity can be subjected to the same investigation as the business associate. Their HIPAA compliance program can be scrutinized. The outcome of an investigation could lead to fines and penalties.
Vendors (business associates) need to ensure that the software programs are thoroughly tested and have robust audit capabilities to help with breach determination. They must understand their obligation to report the breach to their clients as defined in their business associate agreements. And they must ensure that they have a robust HIPAA compliance program that will stand up to the scrutiny of an OCR investigation.
Covered entities need to ensure that they have taken steps to be HIPAA compliant and have documented their compliance. They also need to ensure that they have proper business associate agreements and have taken steps to ensure that their business associates are complying with HIPAA regulations.
A simple software bug in a program could have major consequences for all parties involved including the vendors, covered entities and patients.