Privacy & Security: Playing Catch Up
The Health Insurance Portability and Accountability Act (HIPAA) has been on the radar of hospitals since before its passage in 1996. And with the signing of the Health Information Technology for Economic and Clinical Health (HITECH) Act into law in 2009, healthcare institutions are running out of excuses when it comes to deficient privacy and security programs. The extensive regulations have required a Herculean effort, and new considerations, such as the HIPAA Privacy & Security Audit Program, the popularity of mobile devices and headline-grabbing data breaches, continue to keep hospital IT leaders busy.
"It's time to have the training wheels off of your privacy program," says Adam Greene, JD, MPH, partner at Davis Wright Tremaine in Washington, D.C., and former senior health IT and privacy specialist at the Office for Civil Rights (OCR).
Under the HITECH Act, the U.S. Department of Health and Human Services (HHS) is instructed to conduct periodic audits, which began in November 2011 and will continue through 2012. These will be top-to-bottom, comprehensive audits, says Greene. For almost all of the entities, "it will be the first time their organization is reviewed in such a fashion by an outside party. Honestly, most are going to be wholly unprepared."
In the event of a HIPAA audit, organization leaders should be able to fairly quickly present their risk assessment, work plans, policy crosswalks and more, says Judi Hofman, privacy and information security officer for St. Charles Health System in Bend, Ore. "If you're sitting at your desk wondering where those materials are, you'd better get this into your work plan."
More than policies and procedures
Readiness surveys show that a "significant number of organizations have not done a risk assessment," says Greene, even though this has been a requirement since April 2005, and meaningful use also stipulates that organizations conduct a risk assessment. "Risk assessment is the foundation of a security program. If you don't know where the risks are it's pretty hard to appropriately apply the rest of the controls, such as encryption and authentication."
The lack of preparedness for privacy and security audits is "surprising considering how long and hard we've all been working," says Lisa Gallagher, senior director, privacy and security for the Healthcare Information and Management Systems Society (HIMSS). "After years and years, we're still in the education and awareness phase." Risk assessment is the core of compliance with the HIPAA Security Rule, she says.
Terrell Herzig, MS, information security officer at the University of Alabama Health System (UAB) in Birmingham, has found that some organizations have only performed a risk assessment in the IT department. "If you do that, you miss a lot of the risk to an organization."
Cost can be a factor, says Hofman. "We know a lot of third-party commercial risk assessments are fairly expensive. Unfortunately, sometimes it takes a crisis for an organization to spend that kind of money." However, if audited, organizations must be able to show due diligence even if they're not fully compliant. "You've got to be able to show that you're working toward compliance."
Healthcare organizations also must conduct a risk analysis which has a defined process and differs from a risk assessment or gap analysis, says Tom Walsh of Tom Walsh Consulting, based in Overland Park, Kan. The National Institute of Standards and Technology's "Special Publication 800-30" was published in 2002, but few organizations are following its guidelines. That's unfortunate, Walsh says, since it is referenced in the HIPAA Security Rule, as well as in white papers and audit findings released by the Centers for Medicare & Medicaid Services. Walsh says many think they have done a risk analysis but "when held up to the true definition, you find out they're not. It's pretty common and scary."
On the privacy side, Greene says a lot of organizations may think that they have good privacy controls in place, but in actuality, haven't done more than craft a few policies. "They haven't necessarily done a full examination of practices and seen what's working and what's not," says Greene. For example, an organization might have a policy regarding patient access to their medical records. But, if a patient asks a physician or nurse for a copy, does that employee know how to respond? Greene also questions whether the patient will be pointed to the appropriate forum or if the employee will tell the patient that the record is not available or perhaps not even know how to answer the question.
The healthcare community was not very concerned in the past about performing these steps, says Gallagher, because it was convinced there was not adequate enforcement. But, HIPAA audits probably will render that thinking outdated.
Battling breaches
New government regulations requiring the public reporting of patient data breaches have caused great controversy and confusion. "There has been a lot of discussion about how the legislation is worded," says Gallagher. The language reads that if a breach is detected, it must be reported, which "does not encourage detection."
Organizations with breaches that affect more than 500 people are now required to notify the individuals, the government and the media. "If you put your head in the sand and don't exercise reasonable diligence," says Greene, "you are potentially liable for not making required breach notifications, beginning from the time the breach would have been discovered with proper controls in place." Penalties can cost up to $1.5 million per year for failing to appropriately notify individuals, and millions more for failing to notify the government and, in some cases, the media.
Biggest breach sources
Three areas are the biggest sources of privacy and security breaches, according to Adam Greene, JD, MPH, partner at Davis Wright Tremaine in Washington, D.C., and former senior health IT and privacy specialist at the Office for Civil Rights:
"Every organization I've ever worked for had a goal of maintaining a solid reputation in the community," says Walsh. "Nobody wants to go public with a breach. It shatters the trust between patients and the healthcare system." While most large systems know the rules, Walsh says many smaller clinics are not even aware of the newer requirements on reporting breaches.
They may become aware due to increasing investigations and resulting fines. There has been a marked increase in settlement agreements over the last year-and-a-half, Greene says. The first was in 2008 and the average penalty amount has been $1.3 million.
Another rule that has been published by OCR, Gallagher points out, is a draft rule for accounting of disclosures, which is "really important for organizations to examine." Any use or disclosure of patient data must be logged, and the organization must prepare a process for response to patient requests for an "Access Report" or an "Accounting of Disclosures." The biggest challenge here is that there are massive amounts of data to be stored to meet the criteria, she says. "We're waiting for the final rule, but the healthcare community is very concerned about implementation costs."
Managing mobile devices
However, the most urgent security risk might result from the proliferation of mobile devices. From smartphones to laptops, mobile devices are "definitely a big source of security problems," says Gallagher. The constantly advancing technology makes it difficult to keep policies up to date, plus applications are "sold directly to physicians or other staff, skirting any policies and procedures," she says. "It's really tough to control and it happened so fast that we have to go back and try to get control of it."
Organizations should be facing the mobile device debate head on, says Herzig. "Look at your environment. Instead of shying away from mobile devices, look at use cases. Be aware of what's out there and what people want to do with the technology." If you initiate a dialog with users head on, he says, they are more likely to work with you on security to prevent a large breach.
IT leadership needs to "know what devices are on your network," says Gallagher. "You've got to know what is connected to your network." That includes mobile phones, laptops, PCs and medical devices. That's the first step and organizations do not always have a handle on that, she says.
Once you have an inventory of devices, providers need policies and procedures covering acceptable use. Gallagher says the first question should be whether employees are downloading patient data onto portable devices and if so, why? Policies should determine whether downloading is permissible and if so, are those data being protected. "The risk is so high that if you can't protect those data, don't allow [downloading]," says Gallagher. "At the very least, consider all this as part of your risk assessment."
"Mobile devices represent a significant vulnerability," says Greene. Users download patient records and can use the device to communicate about patients in a potentially insecure manner. "The nature of the devices won't necessarily expose huge numbers of patients since the devices do not lend themselves to data analysis," but organizations need policies in place to help maintain privacy. "There are ways for physicians to text message patients or clinicians in a way that is compliant with HIPAA," says Greene, "but that doesn't happen naturally. The organization has to have an approach as part of its risk management strategy."
Organizations need a plan for implementation of encryption if they haven't already done it, says Hofman. "We're just finishing our encryption project and it wasn't cheap or easy. You better understand how to mitigate risk if you're not rolling out encryption. You need a really good way to protect those data. If they are breached, the only way to have a safe harbor is with encryption. Be prepared to follow up with a breach notification. There is no other way to mitigate that disclosure."
More to consider: Factor these concerns into your privacy and security efforts:
Training. "From a privacy and information security officer standpoint, providers always can do more training and education," says Judi Hofman, privacy and information security officer for St. Charles Health System in Bend, Ore. The teams that deal with clinical, patient and facility safety have "myriad opportunities to push privacy and security information. You want to be very particular about how you're presenting education so that it's digested well and it's not just white noise," she says. "Target departments, as well as specific issues, so the organization always has different opportunities to learn." Include training in your work plan. Auditors will ask about education, so track your efforts, which should be tangible and measurable. You'll need to be able to prove that you've educated your workforce.
State regulations. "In Oregon, we have HIV protection laws that are over and above those stemming from HIPAA," says Hofman. She recommends regularly checking in with organizations such as HIMSS and AHIMA, which may have state chapter representation to help catch under-the-radar regulations for such conditions. "We're seeing states more heavily involved [in privacy and security]," says Adam Greene, JD, MPH, partner at Davis Wright Tremaine in Washington, D.C., and former senior health IT and privacy specialist at the Office for Civil Rights. It will vary state by state, he says, but many have shown an interest. Be aware that there is no double jeopardy for privacy breaches. Organizations can be fined by several state agencies for the same incident.
Willful neglect. "In the future, there likely will be more aggressive enforcement if an investigation reveals that noncompliance was due to willful neglect, such as reckless disregard of compliance obligations," says Greene, adding there is great potential for willful neglect. "The audits and more aggressive enforcement will start this year and we'll see the ramifications over the next few years."