The Landscape: Because HIPAA enforcement previously lacked teeth, many healthcare organizations haven't developed the policies and procedures required to prevent data breaches. The ARRA-HITECH Act is about to change all of that.
The Future: HITECH's security provisions and heightened enforcement may force hospitals and their business associates to spend more on training and security features such as encryption and audit trail systems, and to hire consultants to conduct audits.
Most of the attention paid to HITECH's impact on hospitals has focused on overcoming clinical hurdles to meeting meaningful use guidelines. But many CIOs seem more relaxed discussing CPOE and data exchange than they do changes to HIPAA regulations. That's because HITECH's changes to privacy and security regulations and enforcement could force them to devote considerably more resources to audits, policy reviews and relationships with business associates. And it may require re-evaluation of the relationship between IT security and compliance officials.
In brief, the biggest security changes in the HITECH Act involve:
Business associates: Effective Feb. 17, 2010, business associates, such as claims processors or benefit management firms of HIPAA-covered entities, are directly responsible for complying with HIPAA security provisions.
Breach notification: HITECH creates the first national data breach notification law. Covered entities have 60 days from when they reasonably should have known about a breach to report it. If the breach involves more than 500 records, it must be reported to prominent local media; states such as California have even more stringent notification laws. This could put hospitals under greater public scrutiny.
HIPAA enforcement: The Department of Health and Human Services Office for Civil Rights is getting more tools (and staff) to enforce HIPAA, and states' attorneys general can bring civil actions. If there is a breach of protected health information (PHI) through “willful neglect,” it could cost $25,000 per incident if the hospital moves to fix the security weakness and $50,000 per incident if it doesn't, up to a maximum of $1.5 million per year.
The health IT provisions of the stimulus bill present other security concerns as well. “The biggest changes aren't the laws and penalties, it's that HITECH is all about sharing data and making it more accessible to outside entities,” says David Finn, former CIO of Houston's 639-bed Texas Children's Hospital and current health IT officer for Symantec Corp. (Mountain View, Calif.). “It's relatively easier to secure your own house. But as you move toward exchange, it adds many layers of complexity.”
A recent Healthcare Information and Management Systems Society (HIMSS, Chicago) security survey points to some troubling trends, according to Finn. “There is more awareness of the issue, but as far as budget numbers, creation of formal security positions, or tools being integrated, there has not been much change. That's what most concerns me,” he says. “They know HITECH is coming down the road, but they are not doing the assessments necessary.”
Lisa Gallagher, HIMSS' senior director of privacy and security, cites one statistic from a survey in which 60 percent of respondents say they've allotted less than 3 percent of their IT budget to data security. “That is very concerning to me,” she says, pointing out that less than half say they have a chief information security officer or chief security officer in their organization, and a quarter say they don't do formal risk analyses. “They aren't doing these risk analyses because they don't have the experience or the resources to conduct them,” Gallagher says. “That's why that budget number is significant.”
Information Privacy and Security Consultant Chris Apgar says that when Portland, Ore.-based Apgar and Associates is asked to audit a hospital, it usually finds the same five problems:
No risk analysis has been completed
Up to that point, the hospital hasn't conducted any security audits
The hospital may do an initial training, but doesn't offer refreshers and doesn't train temps, contractors and volunteers, who are all part of their work force
There's little documentation of any policies and procedures
The disaster recovery/emergency management plan is limited in scope and/or out of date.
So what should hospital security teams be concentrating on first? Apgar says one focus should be sending out addendums to their business associate contracts. After prioritizing their business associates by which ones access the most PHI and mission-critical data, “I would ask those high-risk business associates to give me a list of their policies and procedures, and a copy of their last risk analysis and compliance documentation,” he says. “Some hospitals are doing full-blown audits of their business associates.”
However, experts say the field is not level. Indeed, HIMSS' Gallagher suggests that if upon review, the business associate is “wildly out of compliance, you need to consider terminating that contract.”
Taking an active stance
Some CIOs have already taken proactive steps to ensure compliance with the new provisions.