New requirements under the HITECH Act and HIPAA are proving to be game-changers when it comes to vendor relationships and breach reporting requirements. Meanwhile, health providers must cope with portable electronic devices that are gradually making their way into the workplace. Experts weigh in on what hospital systems need to do to protect their patient data.
Amid the sweeping healthcare regulatory reform measures that have been put into place over the past year, the responsibility of healthcare providers to protect the integrity and privacy of patient data has become more important than ever. Yet, for reasons that are partly regulatory and partly technological, securing patient data has also become more challenging than ever before.
As hospitals scramble to meet meaningful use requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act, they must also contend with more stringent reporting requirements. In addition, responsibilities of health provider business associates and subcontractors have been broadened under proposed rules, issued in July, that are designed to strengthen the Health Insurance Portability and Accountability Act (HIPAA). The proposed rulemaking would also expand an individual's rights to access their information and restrict certain types of disclosures of protected health information to health plans. In short, all entities with access to patient data now have more skin in the game.
In the technology arena, more data is on the move today, the result of the relentless waves of new handheld devices that clinicians often want to bring into the workplace. Meanwhile, the sheer volume of electronic data resulting from the transition to electronic records is forcing healthcare providers to rely more heavily on third-party vendors.
Given the volume of electronic patient data involved, it's perhaps not surprising that breaches are occurring. According to the Department of Health and Human Services’ Office of Civil Rights (OCR), 146 data breaches affecting 500 or more individuals occurred between Dec. 22, 2009 and July 28, 2010. The types of breaches encompass theft, loss, hacking, and improper disposal, and include both electronic data and paper records. To combat such data security violations in the future, experts interviewed for this article say hospitals must focus more attention on encryption, on vetting third-party business associates, and on educational efforts that help clinicians recognize the importance of complying with their hospitals’ security measures.
SECURITY: THE LONG VIEW
CIOs charged with securing data in their organizations are finding that successful data security depends on top-down support and on a comprehensive strategy. It also helps to rely on an existing framework of standards for guidance, they say.
Jim Elert, CIO of shared services at the 47-facility Trinity Health, Novi, Mich., says that security is much more than a matter of passwords and firewalls. When building a security program, it's necessary to take a comprehensive view that accounts for governance, policies, and education, so that people who must use the system understand it, he says.
A similar view is expressed by Jennings Aske, chief information security officer at the Boston-based Partners Healthcare. He says healthcare organizations should not view security as primarily a regulatory-driven matter, but one that is intrinsic to meeting the organization's business objectives. “One of the big things in our organization, which I have preached since day one, is to stop chasing the law,” he says. “When organizations do something because it is regulatory-driven, they are missing the big picture. You should be doing security because it is the right thing to do, not because the law says you have to do it.”