Breaches of patient information have become a significant problem in the healthcare industry during the past few years. From 2005 to 2008, around 10 million records were breached, according to information gathered by Premier, Inc. (Charlotte, N.C.), with the average cost estimated at $6.3 million. Costs come in the form of internal investigations, attorneys fees, customer notifications, call center support and crisis management, along with damage to an organization's reputation.
And now, with the passage of the American Recovery Reinvestment Act (ARRA), the risks could become even greater. The Health Information Technology for Economic and Clinical Health Act (HITECH), the section of ARRA that will allot $19.2 billion in health IT funds, includes a large portion dedicated to privacy and security. The legislation features new provisions regarding protected health information that organizations must follow if they want to receive incentive payments - and avoid serious penalties. It's a measure that could significantly impact a C-suite leader's strategy, according to Lisa Gallagher, senior director of Privacy and Security for the Chicago-based Healthcare Information and Management Systems Society.
“People have been operating under the HIPAA paradigm for a dozen years. The HITECH Act contains provisions that change some of those terms,” says Gallagher (see sidebar). She believes hospital leaders have been more focused on the funding aspects of the bill when, in fact, the changes regarding breach notification and accounting of disclosure are just as critical. “They need to devote time to creating additional policies, procedures and processes for meeting these requirements,” she says.
ARRA establishes the first federal requirements on health data breach reporting and notification, extending the traditional covered entities under HIPAA to include business associates and non-covered entities that handle protected health information (PHI). What this means, according to the Chicago-based American Health Information Management Association, is that PHI is now protected no matter where it resides.
It is an idea whose time has come, says Dale Sanders, vice president and CIO, Northwestern Medical Faculty Foundation at Northwestern University in Chicago. “For the most part, I'm very supportive of the changes. They're going to be painful and that part is not appealing. But I think this was overdue.”
The new rules
Arguably the most significant aspect of the proposed rule is the requirement that patients who are affected by a breach are notified within 60 days, says Gallagher, with a breach defined as “inappropriate or unauthorized access” to PHI. If the number of individuals affected is 500 or greater, the organizations involved must report the incident to the Secretary of the Department of Health and Human Services, and notify the community through prominent media outlets. This way, says Gallagher, patients will likely be informed of a breach, even if the organization is not able to reach them using the contact information on file.
But it isn't as simple as merely sending out a letter. According to Kate Healy of Verrill Dana LLC, notice must be sent by first class mail to the last known address of the individual, and any delays must be explained. “The burden is really on the notifying entity to demonstrate that all the required notifications were made,” says Healy, who is partner and chair of the Health Technology Group at the Portland, Maine-based law firm.
If organizations do not comply with the requirements, there could be serious penalties. “From what I've seen of HITECH, there's been a change in the enforcement philosophy, so I think providers would be well-advised to anticipate more rigorous enforcement activity on the part of the government,” says Healy.
Another facet of the HITECH Act that should be of concern to CIOs and other hospital leaders, Gallagher says, is the new regulation surrounding accounting of disclosure. Covered entities are now compelled to track all PHI disclosures, including those made for the purposes of treatment, payment and operation. In addition to that, they must be able to provide to patients, upon request, an accounting of every disclosure for three years preceding the request. “That's a significant change,” Gallagher says. “The issue is going to be figuring out how to put in place a process that makes the accounting available without a disruption to operations or patient care.”
Time for action
While security issues are often delegated to IT and security managers, Gallagher says the HITECH requirements are a critical matter that warrants attention from the C-suiters. “Because of the overall risk to the business, you need to be on top of this issue, whether that means putting together committees or writing policies - whatever it's going to take to get this done in your organization.”
At Northwestern, Dale Sanders is heavily involved in privacy and security issues. In addition to the CIO role, he also serves as chief security officer for Northwestern Medical Faculty Foundation (NMFF), a multi-specialty physician organization that supports the research and academic endeavors of the Feinberg School of Medicine at Northwestern University.