HIPAA and HITECH
Plan for the future and trust that your revamped policies are sound
Editor’s note: This article is part of an ongoing series of stories in BOH regarding the effect of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which includes the HIPAA provisions in the American Recovery and Reinvestment Act of 2009.
As technology grows, evolves, and spawns newer versions of itself, security and privacy challenges promise to become even worse.
Now factor in HITECH and President Obama’s long-term goal of establishing electronic health records for all Americans by 2014.
“The security and privacy challenges can be overwhelming,” says Brian Tretick, executive director of Ernst & Young’s IT Enablement Center in McLean, VA.
How can providers ultimately feel confident that their patients’ PHI, stored here and transmitted there, is 100% safe? They can’t and never will, says Tretick.
“The HITECH Act is going to force [providers] to put a huge dose of energy into their processes,” he says.
That’s where salvation lies, says Tretick. Designing a framework of ironclad policies and procedures is priority No. 1. And once you’ve accomplished that with confidence, there is no reason to sweat the new technologies coming down the road because you will have done everything you can to build a strong, protective wall.
Trust in your processes and plan ahead
Tretick likens your processes to parenting. “You probably don’t know where your kids are and what they are doing at all times,” he says. “But you raise them right and have the confidence that they are doing the right thing.”
You don’t have to know about everything at once. Instead, start by following these steps:
- Take an inventory of your information. “You need to know the good, bad, and the ugly,” says Tretick. “It’s all part of a risk assessment.”
- Identify which devices, portable or otherwise, your organization uses.
- Determine the risks involved, the areas in which your organization is vulnerable, and reasonable steps to mitigate these risks in the short and long term. This is important for all organizations, says Tretick. “You have internal systems, devices, paper copies, third-party service providers, and electronic exchanges,” he says. “It’s difficult to have a handle on all of that and know where all the information is. No one alone has that kind of vision.”
- Speak to as many hospital staff members as possible to gain a better understanding that will help guide your future decisions. Knowing exactly which types of technology your organization will be using in five to 10 years is impossible, but these devices are likely to be hybrids of technology that exists today. They will include portable technology such as BlackBerries®, PDAs, medical devices, drives, and memory sticks. “Devices that process or otherwise contain personal information will be increasingly prevalent [in the future],” says Tretick. “Control over the devices will become a privacy challenge.”
- Factor portable and other nontraditional devices into your approach. Ensure that the appropriate and necessary controls pertaining to use and protection of personal information follow the data onto these devices. Recognize the need to address a new stable of elements that can be identified, monitored, and controlled, says Tretick. Corporate policy or edict is unlikely to prohibit or defeat these devices, so actively factoring them in is important, he says.
- Hire savvy IT administrators and security engineers, says Kevin Beaver, CISSP, founder of Principle Logic in Atlanta. “Try to get management to realize these are real business problems that’ll catch up with them eventually,” Beaver says.
- Write thoughtful policies and procedures, implement them, and trust that they will work. But recognize that technology will change and prepare for it. Understanding where the technology is, managing risk and compliance, and realizing that third-party relationships will force everyone to change is important, says Tretick.
Accounting for HITECH
Amendments and revisions to the laws that govern business associates (BAs) and breach notification will affect how providers approach technology in the future.
BAs are currently subject to the same set of civil and criminal penalties that originated in the HIPAA security rule.
“Every time a hospital group contracts with a BA, they have to do more due diligence,” says Tretick. “They have been doing this already, just less formally.”
Providers are facing increased risk and pressure because of HITECH’s new breach notification requirements. HITECH requires covered entities to notify patients of any unauthorized access, acquisition, or disclosure of their PHI that may compromise the privacy, security, or integrity of that PHI. This federal law is not limited to breaches of online information or of financially sensitive information, such as a credit card or Social Security number.
Covered entities must send notices no later than 60 days after discovery of a breach. Organizations that wait more than 60 days to send notices will need to explain why they didn’t provide notification earlier.
“There is an opportunity here where a provider may be legally required to provide a bigger spotlight on its activities,” says Tretick. “Everyone will be paying attention to things that are important. But in many cases before, the breaches haven’t been significant.”
Beaver questions whether HITECH will or even should play a major role, given that providers often ignore HIPAA.
“I think it’s actually pretty ridiculous that existing laws such as HIPAA aren’t being enforced the way they should be,” he says. “Providers shouldn’t face HITECH any differently. These basic information security practices have been around for decades, have been federal law since 2003, and yet so many in management still don’t take them seriously.”
Beaver also wonders how hospitals will manage new technologies while complying with HIPAA and HITECH.
“Oftentimes, these [technologies and regulations] are at odds,” he says. “New technologies make things nice and quick and handy, but they often open up new security issues. And they also require more resources to manage, regardless of what the vendors claim about ease of use, minimal administration, etc. Many providers don’t even have their existing systems under control, and I suspect this will only get worse.”
Tretick similarly believes that a confluence of Internet-enabled medical devices managed by service providers and used by medical providers will prove to be a daunting compliance challenge in the future. It’s in the hospital’s best interest to raise the bar with third-party vendors. “That would eliminate some of the burden,” he says.