HIMSS: HIPAA, EHR regulatory process is 'not pretty'

ORLANDO, Fla.--“HIPAA and EHRs will bring about new challenges, yet also new opportunities with encryption of health IT to improve a patient’s privacy and an organization’s security,” said Adam H. Greene, JD, MPH, senior health IT and privacy specialist at the Office for Civil Rights at the Department of Health and Human Services, during an educational session Feb. 21 at HIMSS11.

Technology changes faster than governmental regulations, said Greene, who identified potential areas of HIPAA noncompliance. “The regulatory process is not pretty,” he said.

Some emerging challenges include defining reasonable and appropriate safeguards and updating risk analysis; new opportunities are improved transparency as well as patient access.

“Including portals and personal health records, this is a real exciting area,” Greene said. HIPAA has allowed patients to obtain a copy of their medical records, but sometimes the process can be ugly. According to Greene, getting the record can take time or it can be expensive, for example, so portals and personal health records could provide great opportunity for patient access.

Implementing a new EHR system requires a new risk analysis. “Adoption of an EHR is reason enough to revisit [safeguards such as] encryption and access controls,” although implementing an updated risk management plan can also be cumbersome, Greene said. “You can’t have [a] security program in place without risk analysis.”

Privacy complaints rose steadily, from 6,534 in 2004 to 8,701 in 2008. Since then complaints have leveled off, with 8,524 reported in 2010, said Greene. The top five privacy issues include:
  1. Impermissible use and disclosures.
  2. Lack of reasonable and appropriate safeguards. “This could be as simple as not having locked cabinets,” Greene said.
  3. Failure to provide individuals with access to designated record set.
  4. Failure to use or disclose the minimum necessary standard.
  5. Inadequate complaint process.

As of Dec. 31, 2010, according to Greene’s breach reporting statistics, there had been 221 breaches involving more than 500 affected individuals.

“A little less known fact” is that there have been more than 14,000 breach reports involving fewer than 500 affected individuals, Greene stated. “We’ve been averaging over 900 breach reports per month so it’s been keeping us busy and shows there’s a lot of work to be done in the industry to keep systems secure.”

Breaking down the data, 51 percent of the breaches involving 500 or more individuals are due to theft, Greene said. The next largest category is unauthorized access/disclosure (21 percent), followed by loss (15 percent), hacking/IT incident (7 percent) and improper disposal (6 percent).

For breaches affecting 500 or more individuals, laptop computers account for 24 percent, the largest share, followed by paper records (21 percent). “You’re going to have to do something with those records, as facilities move to EHRs,” said Greene, who advised making sure that paper records are disposed of properly. These types of breaches can involve paper records ending up in a landfill or a dumpster, according to Greene. Desktop computers account for 16 percent; portable devices 13 percent; network server 11 percent; email 3 percent and EHRs 2 percent.

“Theft and loss are 66 percent of large breaches,” Greene stated. “You can’t underestimate physical and administrative safeguards in the privacy arena; [make] sure you have corporate policy with procedures in place.”

The top administrative issue was security incident procedures related to response and reporting. “Oftentimes, covered entities are the last to know about the particular privacy violation because they didn’t have the proper security systems in place to protect it,” Greene noted.

The top issue for physical safeguards was workstation security. “Do you have something in place to make sure laptops and workstations are not walking off the facility?”

“Oftentimes, the greatest way to stay off the breach radar is to take advantage of the encryption safeguards,” Greene noted.

The interim breach notification rule that’s been in effect since September 2010 has not been withdrawn, said Greene. “There’s been some confusion, yet breach notification continues to be an ongoing requirement,” said Greene. The breach rule will be finalized in conjunction with other provisions, he added.

Greene concluded that the final HITECH rule, breach notification, enforcement and Genetic Information Nondiscrimination Act (GINA) will be issued together sometime this year.

Greene encouraged HIMSS attendees to view OCR’s website for further information.