Lisa Gallagher
Breaches of patient information have become a significant problem in the healthcare industry during the past few years. From 2005 to 2008, around 10 million records were breached, according to information gathered by Premier, Inc. (Charlotte, N.C.), with the average cost estimated at $6.3 million. Costs come in the form of internal investigations, attorneys' fees, customer notifications, call center support and crisis management, along with damage to an organization's reputation.
And now, with the passage of the American Recovery and Reinvestment Act (ARRA), the risks could become even greater. The Health Information Technology for Economic and Clinical Health Act (HITECH), the section of ARRA that will allot $19.2 billion in health IT funds, includes a large portion dedicated to privacy and security. The legislation features new provisions regarding protected health information that organizations must follow if they want to receive incentive payments - and avoid serious penalties. It's a measure that could significantly impact a C-suite leader's strategy, according to Lisa Gallagher, senior director of Privacy and Security for the Chicago-based Healthcare Information and Management Systems Society.
“People have been operating under the HIPAA paradigm for a dozen years. The HITECH Act contains provisions that change some of those terms,” says Gallagher (see sidebar). She believes hospital leaders have been more focused on the funding aspects of the bill when, in fact, the changes regarding breach notification and accounting of disclosure are just as critical. “They need to devote time to creating additional policies, procedures and processes for meeting these requirements,” she says.
ARRA establishes the first federal requirements on health data breach reporting and notification, extending the traditional covered entities under HIPAA to include business associates and non-covered entities that handle protected health information (PHI). What this means, according to the Chicago-based American Health Information Management Association, is that PHI is now protected no matter where it resides.
It is an idea whose time has come, says Dale Sanders, vice president and CIO, Northwestern Medical Faculty Foundation at Northwestern University in Chicago. “For the most part, I'm very supportive of the changes. They're going to be painful and that part is not appealing. But I think this was overdue.”
The new rules
Arguably the most significant aspect of the proposed rule is the requirement that patients who are affected by a breach be notified within 60 days, says Gallagher, with a breach defined as “inappropriate or unauthorized access” to PHI. If the number of individuals affected is 500 or greater, the organizations involved must report the incident to the Secretary of the Department of Health and Human Services, and notify the community through prominent media outlets. This way, says Gallagher, patients will likely be informed of a breach, even if the organization is not able to reach them using the contact information on file.
But it isn't as simple as merely sending out a letter. According to Kate Healy of Verrill Dana LLC, notice must be sent by first class mail to the last known address of the individual, and any delays must be explained. “The burden is really on the notifying entity to demonstrate that all the required notifications were made,” says Healy, who is partner and chair of the Health Technology Group at the Portland, Maine-based law firm.
If organizations do not comply with the requirements, there could be serious penalties. “From what I've seen of HITECH, there's been a change in the enforcement philosophy, so I think providers would be well-advised to anticipate more rigorous enforcement activity on the part of the government,” says Healy.
Another facet of the HITECH Act that should be of concern to CIOs and other hospital leaders, Gallagher says, is the new regulation surrounding accounting of disclosure. Covered entities are now compelled to track all PHI disclosures, including those made for the purposes of treatment, payment and operation. In addition to that, they must be able to provide to patients, upon request, an accounting of every disclosure for three years preceding the request. “That's a significant change,” Gallagher says. “The issue is going to be figuring out how to put in place a process that makes the accounting available without a disruption to operations or patient care.”
Time for action
While security issues are often delegated to IT and security managers, Gallagher says the HITECH requirements are a critical matter that warrants attention from the C-suiters. “Because of the overall risk to the business, you need to be on top of this issue, whether that means putting together committees or writing policies - whatever it's going to take to get this done in your organization.”
At Northwestern, Dale Sanders is heavily involved in privacy and security issues. In addition to the CIO role, he also serves as chief security officer for Northwestern Medical Faculty Foundation (NMFF), a multi-specialty physician organization that supports the research and academic endeavors of the Feinberg School of Medicine at Northwestern University.
“We've been developing a checklist that was put into place so that if there was a breach, we could quickly go through it and identify the actions that we needed to take,” he says. The checklist includes names and contact information for individuals who must be notified, and identifies who can respond to media inquiries.
NMFF, however, takes it a step further. “We even have pre-established relationships with some of the credit reporting bureaus, so we can turn on the automatic protection of personal identification from a credit bureau and financial standpoint,” says Sanders. “We need to be able to respond within a couple of days and tell people if the exposure of their information is going to encompass any kind of financial or red-flag events for them, in addition to the PHIs being disclosed.”
At Adena Health System, protecting patient data has been one of CIO Marcus Bost's top priorities from day one. When he first arrived at the Chillicothe, Ohio-based system three years ago, he assembled network and security staffs with a very specific purpose: to keep Adena out of the papers. “That's pretty much how I interviewed them,” he says. “Their primary goal is to not let that happen, so they're actively monitoring it.”
Safeguarding patient information is a key concern at an organization like Adena, where data is shared among 14 locations, including two hospitals and 36 practices.
“All of our facilities are linked via a privately switched fiber backbone and everything is encrypted as it goes across those connections,” says Bost. “We can share all manner of data. Anything that's available at one is available at the other, so we're sending a lot of information all over our network.”
But while it's critical to protect data, Bost says it is also important not to burden clinicians by making it too difficult for them to access information. Bost's staff has been able to achieve this by implementing a single sign-on solution (from Andover, Mass.-based Sentillion) and integrating as many applications as possible around its core clinical application, Meditech (Westwood, Mass.). This way, “They sign in once and get access to all the different modules,” he says. “We do everything we possibly can to make it easier, because you're always walking that fine line between how much you're asking your clinicians and employees to do versus what's due diligence for security.”
As far as the breach notification procedures in place at Adena, Bost wasn't directly involved in drafting the document, which was led by compliance and legal officers. However, he did review the document before it was submitted to the board.
Such involvement, says Healy, is extremely important. “Hospital executives need to stay engaged and have a few sources that can give them some of the nuts and bolts about the changes that the HITECH Act brings,” she cautions. “If a large enough breach occurs, it can result in a lot of negative publicity. Hospitals are non-profit; they're trying to retain patients, increase satisfaction and obtain contributions. The risks are very real for them.”
Sidebar
HITECH's PHI Provisions
The Federal Trade Commission and the Department of Health and Human Services will issue final interim regulations in August regarding breach notifications (the report is slated to be completed by February 2010). Until then, the FTC has issued a proposed ruling regarding security breaches of patient information. The key components, according to Lisa Gallagher, senior director of Privacy and Security for HIMSS, are as follows:
Notification of a health information breach must occur within 60 days
For breaches involving more than 500 residents of a state, local media and HHS Secretary must be informed
Accounting of disclosures must be available for three years from date of request.
These timelines, says Gallagher, are based on the purchase date of the EMR that is disclosing the information. Organizations that purchased an EMR after Jan. 1, 2008 must meet the requirements by Jan. 1, 2011, while organizations that purchased EMRs prior to that date will have until Jan. 1, 2014 to comply.
Sidebar
HITECH 101
To learn more about the specifics of the HITECH Act, particularly in regard to the new requirements for business associates and the increased penalties for privacy and security violations, please read HCI Editor-in-Chief Anthony Guerra's Web exclusive interview with Verrill Dana Attorney Kate Healy at http://www.healthcare-informatics.com/kate_healy.
Healy recommends that CIOs stay educated on what is happening with HITECH by consulting with the hospital's legal counsel, and by regularly visiting the following sites:
American Hospital Association: http://www.aha.org
CHIME: http://www.cio-chime.org
Department of Health and Human Services' Office for Civil Rights: http://www.hhs.gov/ocr
Sidebar
Financial Data vs. EMR
Below are results from an informal poll conducted by Dale Sanders, vice president and CIO of the Northwestern Medical Faculty Foundation in Chicago. The question, which asked whether readers were more concerned with protecting personal identity and financial data or EHR data, drew an overwhelming response, with more than 400 people voting.
Sanders had this to say regarding the lopsided results: “Clearly, we must and will protect both types of information, particularly in healthcare - this is not an either-or situation. However, as we spend limited time and money protecting our private information in general, it would seem that we should take these perceptions of public concern in mind. In healthcare, we've spent significant resources protecting personal health information as a consequence of HIPAA, and rightly so, but only recently have we focused similar attention on personal identity theft, as required by the Federal Trade Commission's Red Flag rule.”
Sidebar
Takeaways
The HITECH section of ARRA includes provisions relating to protected health information that could significantly alter the C-suite leader's strategy.
Patients will be entitled to request an accounting of disclosure for up to three years after the date of request. The onus will be on hospital leaders to put in place a process that makes accounting available without disrupting operations or patient care.
Because of the increased risks hospitals now face, it is critical that executives are aware of the new requirements, and are either involved in or have a solid understanding of the organization's breach notification policies.
Sidebar
Continue the Conversation
Wiki-fy this story at http://www.healthcare-informatics.com by posting comments, listing relevant resources and linking to associated events.