The Landscape: Because HIPAA enforcement previously lacked teeth, many healthcare organizations haven't developed the policies and procedures required to prevent data breaches. The ARRA-HITECH Act is about to change all of that.
The Future: HITECH's security provisions and heightened enforcement may force hospitals and their business associates to spend more on training and security features such as encryption and audit trail systems, and to hire consultants to conduct audits.
Most of the attention paid to HITECH's impact on hospitals has focused on overcoming clinical hurdles to meeting meaningful use guidelines. But many CIOs seem more relaxed discussing CPOE and data exchange than they do changes to HIPAA regulations. That's because HITECH's changes to privacy and security regulations and enforcement could force them to devote considerably more resources to audits, policy reviews and relationships with business associates. And it may require re-evaluation of the relationship between IT security and compliance officials.
In brief, the biggest security changes in the HITECH Act involve:
Business associates: Effective Feb. 17, 2010, business associates of HIPAA-covered entities, such as claims processors or benefit management firms, are directly responsible for complying with HIPAA's security provisions rather than only contractually bound to the covered entity.
Breach notification: HITECH creates the first national data breach notification law for health information. Covered entities must notify affected individuals without unreasonable delay, and no later than 60 days from when the breach was discovered or reasonably should have been discovered. A breach affecting more than 500 individuals must also be reported to HHS, and when more than 500 residents of a state or jurisdiction are affected, to prominent media outlets serving that area; states such as California have even more stringent notification laws. This could put hospitals under greater public scrutiny.
HIPAA enforcement: The Department of Health and Human Services Office for Civil Rights is getting more tools (and staff) to enforce HIPAA, and states' attorneys general can now bring civil actions. If protected health information (PHI) is breached through “willful neglect,” the penalty could be $25,000 per violation if the hospital corrects the security weakness and $50,000 per violation if it doesn't, up to a maximum of $1.5 million per year.
The health IT provisions of the stimulus bill present other security concerns as well. “The biggest changes aren't the laws and penalties, it's that HITECH is all about sharing data and making it more accessible to outside entities,” says David Finn, former CIO of Houston's 639-bed Texas Children's Hospital and current health IT officer for Symantec Corp. (Mountain View, Calif.). “It's relatively easier to secure your own house. But as you move toward exchange, it adds many layers of complexity.”
A recent Healthcare Information and Management Systems Society (HIMSS, Chicago) security survey points to some troubling trends, according to Finn. “There is more awareness of the issue, but as far as budget numbers, creation of formal security positions, or tools being integrated, there has not been much change. That's what most concerns me,” he says. “They know HITECH is coming down the road, but they are not doing the assessments necessary.”
Lisa Gallagher, HIMSS' senior director of privacy and security, cites one statistic from a survey in which 60 percent of respondents say they've allotted less than 3 percent of their IT budget to data security. “That is very concerning to me,” she says, pointing out that less than half say they have a chief information security officer or chief security officer in their organization, and a quarter say they don't do formal risk analyses. “They aren't doing these risk analyses because they don't have the experience or the resources to conduct them,” Gallagher says. “That's why that budget number is significant.”
Information Privacy and Security Consultant Chris Apgar says that when Portland, Ore.-based Apgar and Associates is asked to audit a hospital, it usually finds the same five problems:
No risk analysis has been completed
Up to that point, the hospital hasn't conducted any security audits
The hospital may do an initial training, but doesn't offer refreshers and doesn't train temps, contractors and volunteers, who are all part of their work force
There's little documentation of any policies and procedures
The disaster recovery/emergency management plan is limited in scope and/or out of date.
So what should hospital security teams be concentrating on first? Apgar says one focus should be sending out addendums to their business associate contracts. After prioritizing business associates by which ones access the most PHI and mission-critical data, “I would ask those high-risk business associates to give me a list of their policies and procedures, and a copy of their last risk analysis and compliance documentation,” he says. “Some hospitals are doing full-blown audits of their business associates.”
However, experts say business associates are far from equally prepared. Indeed, HIMSS' Gallagher suggests that if upon review the business associate is “wildly out of compliance, you need to consider terminating that contract.”
Taking an active stance
Some CIOs have already taken proactive steps to ensure compliance with the new provisions.
Gerald Greeley, CIO of 229-bed Winchester Hospital in Massachusetts, says he is working with the director of legal affairs “on a re-evaluation of what needs to be done internally and in terms of business associate agreements. Besides the changes in ARRA, there are some new stringent regulations going into effect in Massachusetts on protecting personal information from identity theft, so we are going to work on a new round of training for staff,” he says. Another focus at Winchester is better encryption for things like USB drives, Greeley adds. “And anywhere there is protected health information, we need to move that to a secure server.”
Some consultants say that getting a better handle on data breaches will require a change in cultural attitudes. Healthcare is already highly regulated, and the mindset is often about doing just enough to pass the next audit, says Glen Day, a principal in Booz Allen's Los Angeles office. “But a better approach is to develop a breach prevention policy that puts tools in place to alert them in a proactive way. Unless they take a proactive monitoring stance, they will be further penalized,” adds Day, the former chief privacy officer for Los Angeles County.
Hospitals must also delve into clinical and financial departments to see how data is actually being used. “A chief security officer may have drawings and diagrams of the IT architecture and where PHI data is supposed to reside,” Day explains, “but what this doesn't recognize is all the ways data is actually used.” Digital information, he says, is often copied from databases into laptops or e-mailed or put on USB drives. “So there's the policy and then the reality of how it's used. My experience is that in 100 percent of cases, it's in many more places and used in more ways than they can imagine.”
Analysts and consultants expect that the HITECH changes will bring more patient data breaches to public attention. Often the discovery of a serious breach forces an organization to re-evaluate its security stance and identify and address weaknesses.
For instance, after an admissions employee was accused of selling the data of 2,000 patients in a 2008 identity theft scheme, New York-Presbyterian Hospital initiated an organization-wide information security enhancement project to improve coordination among institutions, and reduce personally identifiable information.
In written testimony presented to the HIT Standards Committee, Soumitra Sengupta, Ph.D., New York-Presbyterian's information security officer, notes that the 2,242-bed multi-hospital system has since worked to improve its audit log alerting mechanisms. “We had to do a better job of using our audit logs to determine which access of patients' records is legitimate and which is illegitimate,” he says. “We learned from our breach that the simple set of rules we had in place was not enough. We had to do a better job of understanding how employees actually access data to create better rules.”
The audit log system now triggers alerts on specific conditions, such as number of consecutive medical record numbers accessed by a user, or a sudden significant change in number of records accessed by a user as compared to past practice. New York-Presbyterian has 30 applications reporting about 700,000 log records for about 65,000 patients each day in its audit log server. It also is working to encrypt all institutional laptops, requiring purchase of encrypted USB drives, and ensuring encryption of all tape backup, says Sengupta.
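The two alerting conditions described above, enumeration of consecutive medical record numbers and a sudden jump in a user's daily access volume, applied to a constructed day of access records. This is an added example, not New York-Presbyterian's code; the log line format, user names, thresholds and per-user baseline counts are all assumptions, and the intent is only to show how the "better rules" Sengupta mentions might be expressed over audit records.

```python
"""Audit-log alerting rules of the kind described above (added example, not NYP's code).

Two detections over a day's per-user access records:
  1. MRN enumeration: a user views a run of consecutive medical record numbers.
  2. Volume spike: a user's distinct-record count jumps well above their own baseline.
All log lines, user names, thresholds and baselines below are constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Hypothetical log format; real systems (and each of the 30 applications feeding an
# audit server) have their own, so a deployment needs one parser per source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) mrn=(?P<mrn>\d+) action=(?P<action>\S+)$"
)


def parse_lines(lines):
    """Yield (user, mrn) for each well-formed access line; skip unparsable lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("user"), int(m.group("mrn"))


def accesses_by_user(lines):
    """Group accessed MRNs (with repeats) per user."""
    out = defaultdict(list)
    for user, mrn in parse_lines(lines):
        out[user].append(mrn)
    return out


def longest_consecutive_run(mrns):
    """Length of the longest run of consecutive integers among the MRNs."""
    s = set(mrns)
    best = 0
    for n in s:
        if n - 1 in s:
            continue  # not the start of a run
        length = 1
        while n + length in s:
            length += 1
        best = max(best, length)
    return best


def detect_enumeration(by_user, min_run=5):
    """Alert when a user has viewed min_run or more consecutive MRNs (assumed threshold)."""
    alerts = {}
    for user, mrns in by_user.items():
        run = longest_consecutive_run(mrns)
        if run >= min_run:
            alerts[user] = run
    return alerts


def detect_volume_spike(by_user, baseline, ratio=3.0, min_count=20):
    """Alert when today's distinct-record count exceeds ratio x the user's median daily
    count from the baseline, and is at least min_count so tiny baselines don't fire."""
    alerts = {}
    for user, mrns in by_user.items():
        today = len(set(mrns))
        history = baseline.get(user, [])
        base = median(history) if history else 0
        if today >= min_count and today > ratio * base:
            alerts[user] = (today, base)
    return alerts


def build_sample_log():
    """Constructed day of audit records: a clinician with normal activity, a user
    walking sequential MRNs, and a user whose volume spikes over prior days."""
    lines = []
    for i, mrn in enumerate([100231, 100587, 100231, 101942, 100005,
                             102310, 100587, 103001, 100777, 104512]):
        lines.append(f"2010-02-10T08:{i:02d}:00 user=nurse_a app=EHR mrn={mrn} action=view")
    for i in range(8):  # sweeps MRNs 200100..200107 in order
        lines.append(f"2010-02-10T12:{i:02d}:00 user=clerk_b app=ADT mrn={200100 + i} action=view")
    for i in range(30):  # 30 scattered records, far above this user's usual handful
        lines.append(f"2010-02-10T14:{i:02d}:00 user=billing_c app=Billing mrn={300000 + 37 * i} action=view")
    lines.append("malformed line that the parser should skip")
    return lines


# Constructed per-user history: distinct records viewed per day over the prior week.
SAMPLE_BASELINE = {
    "nurse_a": [9, 11, 8, 10, 12, 9, 10],
    "clerk_b": [15, 14, 16, 13, 15, 14, 15],
    "billing_c": [5, 6, 4, 5, 7, 5, 6],
}


def run_rules(lines=None, baseline=None):
    """Run both rules over a day's log; returns (enumeration_alerts, spike_alerts)."""
    lines = build_sample_log() if lines is None else lines
    baseline = SAMPLE_BASELINE if baseline is None else baseline
    by_user = accesses_by_user(lines)
    return detect_enumeration(by_user), detect_volume_spike(by_user, baseline)


if __name__ == "__main__":
    enum_alerts, spike_alerts = run_rules()
    for user, run in enum_alerts.items():
        print(f"ALERT enumeration: {user} viewed {run} consecutive MRNs")
    for user, (today, base) in spike_alerts.items():
        print(f"ALERT volume: {user} viewed {today} records today vs. median {base}")
```

On the sample data only clerk_b trips the enumeration rule and only billing_c trips the volume rule; the nurse's repeated opens of the same chart are collapsed by the distinct-record count so routine care does not look like a spike. Thresholds are the part that needs tuning per role, which is the "understanding how employees actually access data" that Sengupta describes; a baseline built from the user's own history is what keeps a high-volume registrar from being flagged every day.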
One recent change that may have a significant impact involves accounting of disclosure, he notes. Under HITECH, if an individual requests an accounting of their EHR information, covered entities must be able to provide disclosure information for the prior three years if the disclosures were made for “treatment, payment or health care operations.”
It may take considerable resources, Sengupta says, to round up explanations for why each hospital employee accessed an individual's record during a hospital stay.
Does Your Organization Need a CSO?
Fewer than half of respondents to the 2009 HIMSS Security Survey indicate that their organization has either a formally designated chief information security officer or chief security officer. And some analysts say that will become more of a problem as the HITECH changes unfold. “Not having a CISO or CSO title says something about an organization,” says David Finn, health IT officer for Symantec Corp. (Mountain View, Calif.).
HIPAA requires that an individual be designated to that role, and that individual should not be the CIO, according to Finn. “It's good that CIOs are engaged, but a CIO has a lot of things to think about.” When he held the position at Texas Children's Hospital in Houston, Finn had a privacy office within IT that worked hand in hand with a security group in the technical infrastructure department in IT.
Another question is whether the CSO should report to the CIO. “In an ideal world, I believe the CSO should not report to the CIO, because if there is too much of an IT focus, you lose sight of the issues on the business side, such as training,” says Chris Apgar of Apgar and Associates (Portland, Ore.). “I would tell CIOs that if the CSO is reporting to you, make sure you take a broader view of the whole organization and issues other than technology. Make sure their role is expanded to look at all the policies and procedures, not just the tech issues.”
Lisa Gallagher, senior director of privacy and security at Chicago-based HIMSS, agrees that while the best arrangement is for a CSO to report elsewhere, “in most cases, they do report to the CIO, so the CIO needs to stay in the loop on what needs to be done.” Unfortunately, she says, many lose track of security issues because they are focused on the day-to-day mission of running the IT shop.
‘The boy who cried wolf’
There is skepticism among some health IT security executives as to whether enforcement will actually be any more rigorous than it has been historically. “HIPAA never had a lot of teeth,” says Joe Granneman, who is both chief technology officer and chief security officer at Rockford (Ill.) Health System, which includes the 396-bed Rockford Memorial Hospital. “I have to ride that line between security and efficiency, but if it's not enforced, who's backing me up? I end up looking like the boy who cried wolf.”
Granneman says some physicians tell him they think the focus on protecting patient data is all blown out of proportion and shouldn't be a big deal. “So there is still a lot of education that needs to be done to get the importance of this across,” he adds. “Privacy is the number one patient concern around the use of electronic health records.”
Granneman, who reports both to the CIO and the audit subgroup of the hospital board of directors, says he believes Rockford is on the right track. “But of course, you're never done with security,” he says. “There's always something you could do better.”
Healthcare Informatics 2010 February;27(2):20-23