Heinz Children’s Health is a small pediatric practice serving the health-care needs of children in a small, rural community. Twenty-five years ago, Dr. Helen Heinz founded the practice, which now includes two physician assistants, two registered nurses, a home health nurse, an office manager, and a receptionist. The practice has always used paper records, but when Dr. Heinz learns that, under the American Recovery and Reinvestment Act (ARRA) of 2009, the Centers for Medicare & Medicaid Services is offering significant incentives to eligible professionals who adopt electronic health record (EHR) technology and demonstrate its meaningful use, she sees an opportunity to move her practice into the electronic age.

Once she decides to adopt an EHR system, Dr. Heinz is faced with another decision: which system to adopt. She discovers that there are not only several EHRs available from which to choose but also several ways to adopt them. The first option is to license the software and run it on a server that would be installed in her office. However, this would mean hiring an information technology (IT) person to set up the system, configure it, install upgrades, and keep it running. The second option is to license the software and run it on a server that would be installed in a data center. This option is not much different from the first option, except that the machine would be located somewhere else. Dr. Heinz still would need to hire IT staff. The third option is to subscribe to an EHR software-as-a-service (SaaS), where she and her staff would just log in to the EHR over the Internet to get access to their patients’ records. This option would not require Dr. Heinz to hire an IT person to install, configure, upgrade, or maintain any software and hardware. The SaaS provider would configure the software for the practice, create accounts for everyone in the office, provide 24/7 access, install updates, and keep it running smoothly. Plus, several SaaS vendors have pointed out that by subscribing to an EHR service, Dr. Heinz would not have to worry about HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance; the provider would take care of that for her. This sounds too good to be true (as it later turns out to be).

The SaaS vendor that Dr. Heinz selects is Fleet Software, a small, local company that for the past ten years has been developing and implementing custom software for businesses in the area. The owner, Jake Fleet, is friends with Dr. Heinz’s son; he is charming and widely considered to be a “guru” in computers and software. When he reads about the ARRA’s incentives, his entrepreneurial mind sees an opportunity to get into the EHR software business. He has developed a lot of business software but has never developed EHR software. To avoid having to develop software for business processes he’s not familiar with and to enable him to get to the market sooner, he decides to license an EHR product and make it available through a SaaS subscription model.

Jake checks out some of the leading EHR and practice-management products, both commercial and open source, designed for small practices. He hires his cousin, a retired physician, to help with product selection and training. After calling several references who have done business with Fleet Software and are delighted with its work, Dr. Heinz signs up for Fleet’s SaaS offering. Because Fleet Software will be providing a service involving protected health information, Heinz Children’s Health signs a business associate agreement with Jake, as required by HIPAA.

Fleet Software creates accounts for all of the practice’s staff and, using the existing paper records, sets up EHR records for patients with chronic conditions and for those who have appointments scheduled over the next two months. Jake and his cousin train the staff on how to use the software, and Jake gives Dr. Heinz a number to call if her staff run into any problems with the software. Two months later, Heinz Children’s Health goes “live” with its new EHR.

It takes some time for Dr. Heinz and her staff to get accustomed to using the system instead of the paper record, but they quickly see some real advantages. Information in the EHR is organized and always easy to find. It provides reminders when lab tests and vaccinations are due, and it is equipped with pop-up calendars to help in scheduling a patient’s next appointment. Graphs show each patient’s growth in comparison with mean growth patterns. Jake and his cousin have done a good job selecting and customizing the EHR application for the practice.

Things go smoothly until one morning when Dr. Heinz and her staff discover that all of their patient records are gone from the EHR. They can log in, but no records are showing up. In a panic, Dr. Heinz calls Jake. After doing some checking, he discovers that the system upgrade they rolled out the night before has inadvertently overwritten the storage partition containing the records. Fortunately, he has backed up the records, and he promises to have the backup reloaded within a couple of hours. Meanwhile, Dr. Heinz and her staff revert to paper until the EHR is restored.

Several months later, Dr. Heinz receives an irate phone call from the mother of a child who has been diagnosed with sickle cell disease. The mother’s anger was triggered when a neighbor expressed sympathy even though the mother has not mentioned the diagnosis to anyone. Dr. Heinz questions her staff and learns that the receptionist, after seeing the child with his distraught mother, checked his medical record in the EHR and saw the diagnosis. The receptionist became upset and discussed the information with the neighbor, who in turn approached the mother. Dr. Heinz is surprised that the receptionist could even view the patient information, particularly given that the EHR is supposed to be HIPAA compliant, as Fleet Software had promised. She is also astounded when she walks out into the reception area and sees the receptionist’s screen displaying another patient record in full sight of those waiting for their appointments. After closing the exposed record and reprimanding the receptionist privately, she calls Jake. He explains that the company just creates the accounts, but Heinz Children’s Health is responsible for telling them about user privileges and any access restrictions that should be set up for those accounts. Upon further discussion, Dr. Heinz learns that Jake considers the clinic responsible for a number of other HIPAA requirements.

Later, Fleet Software’s server suffers a malicious attack. The attacker takes advantage of a known vulnerability in the server software, allowing the attacker to bypass user authentication and thus gain unauthorized access to all data stored on the server. Jake reports the incident to Dr. Heinz and provides a list of patients whose information may have been exposed. When Dr. Heinz asks him what the company is doing about the problem, he explains that the company investigated the incident and found that the attacker had exploited a known vulnerability in the server software, one that the server-software vendor had already addressed in a critical security update. Fleet Software then generated a list of individuals whose information could have been exposed and reported this information to its clients, including Heinz Children’s Health. He declares that these steps complete the company’s regulatory and contractual obligations as a business associate, leaving the clinic responsible for notifying the individuals whose information may have been exposed.

Dr. Heinz is now rethinking her decision to adopt an EHR to qualify for the incentive payment. The clinic may be better off using paper records until she retires.
Here is my question that needs to be answered.
What are some of the risks that are not addressed by HIPAA but that a SaaS subscriber may need to consider?
In real life today, SaaS allows users to access a huge range of software applications across the Internet, implemented and managed on hardware hosted by the vendor. SaaS subscribers are at risk for the following reasons:
* Lack of control: typically everyone has to use the technology as delivered and cannot defer upgrades or changes.
* Security and data concerns: access management and the privacy of sensitive information are major considerations around cloud and hosted services.
* Limited range of applications: while SaaS is popular, there are still many applications that are not hosted on a SaaS platform.
* Connectivity requirement: since the SaaS model is based on web delivery, if your Internet service fails, you lose access to your software and data.
* Performance: SaaS may run slower than on-premise client or server applications.
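The access-management point above is the one the case study shows failing: Fleet Software created accounts for every staff member but applied no access restrictions, so the receptionist could open a child's full chart and read the diagnosis. The following is an added example, not code from the page, from Fleet Software, or from any real EHR product, of what the practice should have asked for: a field-level, default-deny permission check in which an account with no assigned role sees nothing, each role sees only the fields its job needs, and every lookup (including a refused one) is written to an audit log. The role names, field names, sample record and log format are all constructed for illustration.

```python
"""Field-level, default-deny access control for EHR records.

Added example: this is not code from the case study, from Fleet Software,
or from any real EHR product. The roles, field names, sample record and
audit-log format are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy: the record fields each role may read. A role that is
# not listed here grants no fields at all (default deny), which is what a
# freshly created account should get until the practice grants privileges.
ROLE_FIELD_ACCESS = {
    "physician": {"name", "dob", "appointments", "diagnoses",
                  "medications", "lab_results"},
    "nurse": {"name", "dob", "appointments", "medications", "lab_results"},
    "receptionist": {"name", "dob", "appointments"},
}

# Constructed sample record for a fictional patient.
SAMPLE_RECORD = {
    "name": "J. Doe",
    "dob": "2015-03-02",
    "appointments": ["2024-05-14 09:30"],
    "diagnoses": ["sickle cell disease"],
    "medications": ["hydroxyurea"],
    "lab_results": ["Hb electrophoresis: HbSS"],
}


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset


def permitted_fields(user: User) -> set:
    """Union of the fields granted by each of the user's roles.

    An unknown or missing role contributes nothing, so an account that was
    merely created (as in the case study) can read no part of any chart.
    """
    allowed = set()
    for role in user.roles:
        allowed |= ROLE_FIELD_ACCESS.get(role, set())
    return allowed


def view_record(user: User, record: dict, audit_log: list) -> dict:
    """Return only the fields the user may see and append an audit entry.

    Every read is logged, including one that returns nothing, so a staff
    member pulling a chart out of curiosity leaves a trace for later review.
    """
    allowed = permitted_fields(user)
    visible = {k: v for k, v in record.items() if k in allowed}
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.username,
        "patient": record["name"],
        "fields_returned": sorted(visible),
        "fields_withheld": sorted(set(record) - allowed),
    })
    return visible


if __name__ == "__main__":
    log = []
    receptionist = User("front-desk", frozenset({"receptionist"}))
    physician = User("dr.heinz", frozenset({"physician"}))
    unassigned = User("new-hire", frozenset())  # account exists, no privileges yet

    print(view_record(receptionist, SAMPLE_RECORD, log))  # no diagnoses field
    print(view_record(physician, SAMPLE_RECORD, log))     # full chart
    print(view_record(unassigned, SAMPLE_RECORD, log))    # {}
    for entry in log:
        print(entry)
```

The check belongs in the application or the SaaS provider's configuration, but the list of roles and what each may see is something only the practice can supply, which is the division of responsibility Jake describes; the default-deny rule is what protects the practice in the interval before it does so.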