Meaningful use requirements aren't the only part of the HITECH Act keeping hospital leaders awake at night. The Health Information Technology for Economic and Clinical Health Act (part of the American Recovery and Reinvestment Act of 2009) also increases providers' privacy and security responsibilities. Organizations that fail to meet these obligations likely will suffer extensive financial and reputational damage, loss of productivity, and a governmental compliance review and ongoing intervention.

HIPAA Revisited

Under the expanded Health Information Portability and Accountability Act in HITECH, health care leaders are required to think more proactively about their patients' data. HITECH formally defines a privacy breach; mandates requirements for organizations to systematically audit access to patient records; expands the length of time for which an organization must account for disclosures; and details notification requirements to patients, Health & Human Services, and the media for a breach affecting more than 500 patients. Additionally, the legislation establishes fines and penalties for breaches and even more stringent penalties for willful neglect on the part of the provider. The act also has changed the culture of government enforcement. HHS now actively monitors and performs systematic reviews of health care organizations to ensure compliance. Since the notification rule became effective Sept. 29, 2009, HHS has identified about 260 breaches. Collectively, these breaches affect more than 10 million individuals.

Mind the Gaps

In essence, HITECH has mandated that health care organizations weave privacy and security into the fabric of their establishments. All hospital business leaders must collaborate to establish and implement policies and technology to address these new legal obligations. Board leadership will be essential in leading a culture that safeguards patient data and in ensuring adequate resources for those efforts. To measure the effectiveness of compliance efforts, executives and trustees must assess the organization in the following three areas.

Compliance, legal and privacy—Hospital leaders must determine if their organization has:

  • Entitywide privacy, security and compliance plans that incorporate requirements mandated by HITECH, HIPAA and relevant state laws.
  • A written plan for responding to patient requests for disclosure.
  • A written plan for investigating staff tips that a colleague is violating privacy policies and stringent policies for sanctioning staff who violate access rules.
  • Revised business-associate agreements to reflect privacy requirements. This includes execution of revised agreements by all suppliers and partners with access to protected health information.
  • Written and executive-endorsed policies for disposal of physical medical records and devices that may contain personal health information.
  • Written procedures for evaluating the harm of privacy breaches and subsequently fulfilling federal disclosure and notification responsibilities.
  • Revised written policies on what constitutes inappropriate access to patient information based on the definitions under federal and state laws.
  • Strong staff privacy training.
  • Data-sharing policies with third parties based on requirements.

Information security and privacy technologies—Many organizations already are using critical technologies to plug privacy and security vulnerabilities. These systems are considered baseline technologies: firewalls; anti-virus software; intrusion-detection and prevention systems; remote-access technologies; encryption; employee authentication and authorization that limits access to need-to-know information; and password management. These technologies are not enough to eliminate all vulnerabilities. To proactively drive out risk of a breach, an organization should:

  • Employ a reputable, specialized third party to perform a gap analysis of information security and provide a report for the board.
  • Implement technologies and associated policies for encryption of all portable devices.
  • Initiate breach monitoring and protection for all systems that access protected health information.
  • Automate detection of privacy breaches related to identity and medical identity theft and unauthorized employee access to celebrities, friends, family and neighbors' records.
  • Automate privacy audit reporting across all applications that access protected health information.
  • Ensure electronic health record and other application vendors produce audit trails.
  • Create a chief information security officer position empowered with the appropriate authority and resources to identify and mitigate privacy breaches.
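The "automate detection of privacy breaches" and "automate privacy audit reporting" items above are the kind of rules a privacy-monitoring system runs over EHR audit trails. The following is an added example, not code from the article or from FairWarning; the directory tables, the audit-trail format and the rule names are all constructed assumptions. It flags chart accesses to restricted (VIP) records, to patients who share the employee's surname or street address (family and neighbour lookups), and to patients with whom the employee has no documented treatment relationship.

```python
from collections import defaultdict

# Constructed directories (assumed field names): workforce and patient records
STAFF = {
    "nurse01": {"last": "Garcia", "addr": "12 Elm St"},
    "clerk07": {"last": "Lee", "addr": "4 Pine Rd"},
    "doc22": {"last": "Patel", "addr": "77 Lake Ln"},
}
PATIENTS = {
    "P100": {"last": "Smith", "addr": "9 Oak Ave"},
    "P101": {"last": "Garcia", "addr": "12 Elm St"},  # nurse01's relative
    "P102": {"last": "Famous", "addr": "1 Hill Dr"},
    "P103": {"last": "Jones", "addr": "4 Pine Rd"},   # clerk07's neighbour
    "P104": {"last": "Brown", "addr": "2 Bay St"},
}
FLAGGED = {"P102"}                                    # VIP / restricted charts
CARE_TEAM = {"P100": {"nurse01"}, "P104": {"doc22"}}  # documented treatment relationships

# Constructed audit-trail export, one "user,patient,action" line per chart access
SAMPLE_LOG = """nurse01,P100,view
nurse01,P101,view
clerk07,P102,view
clerk07,P103,print
doc22,P104,view
doc22,P100,view"""

def classify(user, patient):
    """Return the rule names one chart access trips (empty list = clean)."""
    s, p = STAFF[user], PATIENTS[patient]
    hits = []
    if patient in FLAGGED:
        hits.append("flagged_record")
    if s["last"].lower() == p["last"].lower():
        hits.append("same_surname")
    if s["addr"].lower() == p["addr"].lower():
        hits.append("same_address")
    if user not in CARE_TEAM.get(patient, set()):
        hits.append("no_treatment_relationship")
    return hits

def audit(log_text):
    """Parse the audit trail and report every access that tripped a rule."""
    report = defaultdict(dict)
    for line in log_text.splitlines():
        user, patient, _action = line.split(",")
        hits = classify(user, patient)
        if hits:
            report[user][patient] = hits   # user -> {patient: [rules tripped]}
    return dict(report)
```

In practice the "no treatment relationship" rule is the noisiest and is usually tuned with admission, scheduling and break-the-glass data before it feeds the sanction process described in the next section.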

Training, policies and procedures—Industry benchmarking data confirms that patient breaches are preventable with moderately priced, off-the-shelf technology combined with refinements to provider training, incident remediation and sanctioning processes. Hospitals and systems must ensure that their training, policies and procedures support a culture that is committed to protecting patient information. They should have a formal, comprehensive policy for employee access to protected health information; a streamlined approach for investigating a privacy incident; a formal warning and sanction policy for inappropriate access of patient records; and continuously updated privacy and security training for all staff members.

It's Not Too Late

Although asking the right questions might reveal gaps in your organization's readiness to adopt new privacy and security requirements, it's better than learning about them in the course of a compliance review. The cost of proactive privacy and security planning is negligible when compared with the cost of a breach.

Kurt Long (Kurt.Long@FairWarningAudit.com) is CEO and founder of FairWarning Inc., St. Petersburg, Fla.

Sidebar - Costs and Consequences