New federal requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act and recent revisions to the Health Insurance Portability and Accountability Act (HIPAA) have made it especially important for hospital organizations and medical groups to protect the integrity and privacy of their patient data. And while that task is likely to become more challenging with the introduction of the latest set of regulations, providers can help make sure their patient information is safe by following good business practices, according to Steven J. Fox, a partner with the Washington, D.C.-based law firm Post & Schell, PC, and an expert on legal issues regarding healthcare IT and data privacy.
Fox cites three areas that providers should focus on in particular.
Encrypt data and devices: Under the HITECH rules, providers are required to notify individuals who are affected when a data breach occurs and, in cases were a breach involves 500 or more people, the providers must notify major media outlets. “This is a huge embarrassment to the organization, and it’s costly,” Fox says. Yet he points out that the notification requirements do not apply to organizations that have encrypted their data according to the encryption standards recommended by the government. Fox acknowledges that process of going through encryption is both time consuming and expensive, but “it is way less disruptive to your organization than the alternative of losing something and then scrambling,” he says.
Practice due diligence: The proposed rules under HIPAA extend beyond covered entities to downstream business associates and their contractors. Part of the responsibility of doing business with outside vendors is to put language in a business associate agreement that vendors are subject to the same rules as the covered entity. But Fox also notes that smaller companies may not be familiar with regulations under HIPAA or the HITECH Act. “Part of due diligence is educating your trading partner,” he says. He advises asking vendors what kinds of security and privacy safeguards potential partners have in place. “If they don’t know what you are talking about, they may have to come up to speed or you may want to change subcontractors,” he says.
Choose vendors carefully: One of the big issues with the transition to electronic health records is the question of where to store the resulting data. Fox cautions providers to take a hard look at the stability and practices of potential vendors offering off-site storage options such as cloud storage. This is especially true of small health providers and small medical practices that lack sophisticated IT know-how of their own, he says. Fox has observed a sharp increase in the number of small vendors offering data storage options to small practices and health providers. “I guarantee that half of them will not be around five years from now. What happens if you put your patient’s information in there, and then one day they are out of business?” he asks. “It’s the small, less sophisticated consumers that I am concerned about, because nobody is looking out for them.
One potential resource for small practices that can’t afford sophisticated legal advice is regional extension centers (RECs) that are cropping up in various regions of the country. In some areas, RECS are the only resource that exists between vendors and small practices, Fox says, and he encourages them to fulfill their advisory role on behalf of the physician practices. In his view, RECs can identify potential vendors for member physician practices and act as an advisor as well. “I think it is incumbent on these RECs to say, ‘we’ve negotiated a contract, and not only is it a good contract pricewise, but it is going to protect you.’”
More information on data security will be featured in the October issue of Healthcare Informatics magazine.