HiTECH Takes Effect: How Secure is Your Data?
The American Recovery and Reinvestment Act (ARRA) has drastically altered the way healthcare organizations and their third-party vendors secure data and manage a data breach. As these rules begin to take effect—and become requirements—healthcare organizations are just starting to learn and understand the implications of these new regulations.
The ARRA established nearly 20 statutory requirements for privacy and security in areas such as personal health records, enforcements and penalties, limitations on marketing and sales, access restrictions, and breach notification.
Many healthcare organizations are just learning about how these rules could change their processes. “We are still very much in an awareness and education phase,” says Lisa A. Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS).
In order to assess the preparedness of hospitals, HIMSS Analytics conducted a web-based survey, sponsored by Symantec, of 196 senior IT executives, chief security officers and chief privacy officers, in August and September 2009.
Despite changes in the security and privacy landscape, the survey found that healthcare organizations have made few proactive modifications in the past year. In fact, about 60 percent of respondents reported that their organization spends 3 percent or less of its IT budget on information security.
The survey found that the use of technical security is high in certain areas—in particular, use of firewalls and user access controls are “reaching a level of saturation,” according to HIMSS researchers. Email encryption and single sign-on were the technologies most frequently identified as planned for future acquisition.
Encryption is an “easy win” for the future of security protocols, according to David Finn, Symantec’s health IT officer and HIPAA privacy and security officer. “Encrypted data at rest behind your firewall is good practice and a safe harbor for the breach notification requirement, so if your data are encrypted according to the standards that have been prescribed, that actually is a level of security that can exempt you from the notification requirements,” he explains.
Gallagher adds that C-suite-level hospital employees need to be aware of the expectations surrounding the ARRA and its final rules. “CMIOs need to familiarize themselves with the privacy and security sections of the HiTECH [Health IT for Economic and Clinical Health] Act, as well as the schedule of rule-making, so as to participate in the process because it will directly affect them,” Gallagher states.
Breach notification
Breach notification is the most “visible” of the new statutory requirements because healthcare organizations are already required to comply with it, according to Gallagher.
Under the ARRA, the breach notification requirement states that if a healthcare organization experiences a breach—which is defined as an “unauthorized acquisition, access, use or disclosure of personal health information”—the facility needs to notify the individuals affected within 60 days; and if the breach affects more than 500 individual patients, they need to notify the secretary of Health and Human Services (HHS) and prominent media outlets within 60 days.
“The benefit is that the patient is now aware that his or her data have been breached, the HHS secretary will be made aware of large-scale breaches, and he or she will most likely include that information in their annual report to Congress,” Gallagher explains. “This is one way to keep tabs on how the industry is doing.”
With regard to breach notification, ARRA also stated that HHS had to issue rules about the statutory requirement, which have been completed. The interim final rule, which is already in effect, changes the breach notification threshold. “HHS has added the harm provision, requiring facilities to perform a risk analysis to determine the risk to the individual whose data has been breached. If that risk exceeds a certain threshold, then there is [an additional] notification process,” Gallagher says.
“This is a requirement that CMIOs need to know about because it’s already in effect. This new stipulation requires them to establish both technical and administrative processes,” she says.
The HIMSS Analytics survey found that about half of the 196 respondents do not have a plan in place for responding to security threats or incidents, and another 41 percent reported that their organization is currently developing a plan. The final 6 percent currently have no intention to develop a plan.
“Unfortunately, there is very little positive to incentivize organizations to go looking for breaches—except maybe for lawsuits—because the statute only kicks in once a breach has been discovered,” Gallagher says.
Third-party vendors
The ARRA also extended the HIPAA security rule to directly cover healthcare organizations’ business associates, such as billing companies, credit bureaus, insurance brokers, pharmacy chains, accounting firms and offshore transcription firms. When the regulators added the breach notification provision (an additional requirement beyond HIPAA), they determined that the same rules apply to business associates.
Therefore, when business associates detect a breach, the same rules apply and they also need to inform the covered entity. It is then the responsibility of the covered entity to inform the patient.
Gallagher attributes the lack of preparedness to the quick implementation of the new interim final rule. “The ARRA was passed in February 2009, and the interim final rule on breach notification was passed in August 2009. Since these [business associates] never had to comply with this rule on the federal level before, it’s fairly certain that none of these practices are in place,” she says.
However, healthcare organizations could play an active role in counteracting this trend among business associates, as 85 percent of healthcare providers responded that they will take steps to ensure that data held by business associates will not be breached, and nearly half of the hospitals surveyed would terminate contracts with business associates if they were responsible for a data breach.