New regulations put pressure on providing secure, accurate data.
Providers are still fumbling to meet the new, stricter HIPAA regulations that took effect this past September. The challenge for physicians and healthcare institutions is that the legislation didn't outline specific technologies or systems that providers and their business associates need to have in place. The privacy rule says "it is a good idea that you encrypt your data, have individual accounts, and log information," explains Leo Dittemore, director of IS Security at Torrance, CA-based HealthCare Partners, which has 400 employed physicians and some 2,000 physicians in its independent physician association. The regulations don't lay out requirements specific enough for a provider to know it has done everything it needs to do, he says.
Under the regulations, which the Department of Health and Human Services won't enforce until Feb. 22, 2010, providers have to notify affected patients when unsecured personal health information is breached, and must also alert prominent media outlets and the HHS secretary if the breach affects 500 or more patients. Providers face stiffer financial penalties, as well. But that is not the biggest concern, says Dittemore. "The major penalty is that loss of trust with the patient," he says. "If we continue to have these breaches, our patient population is going to say, 'I can't trust you to handle my data properly.'"
Not exactly the outlook the healthcare industry wants Americans to have.
Some providers may not even know there is a risk in what they are doing, or they may know the risk but are significantly concerned about cost, says Steve Katz, an information security analyst and president of Security Risk Solutions, LLC, in New York. The healthcare industry has very thin margins, so how much can providers afford to put into security and privacy? From a financial and business perspective, there is a concern about doing too much, as well, says Dittemore. "Why should HealthCare Partners put all of these technologies in place when the guy down the street doesn't and he gets the same reimbursement?"
In general, providers want to do the right thing, says Katz. "But they need to know what the right thing is."
"My approach has been to be a leader and to put the technology in place that I felt needed to be done even if no one else had done it," says Dittemore. HealthCare Partners has a risk matrix that it updates twice a year. Dittemore's first priority was securing the organization's Internet perimeter. He also formalized internal processes to ensure the right people had access to the right information at the right time.
"Talk to your infrastructure people and have them develop a self-assessment around the risk of where your data gets exposed. Then you can start to prioritize," says Dittemore. "Security is never-ending. You'll never be 100% secure."
Providers should also determine what an acceptable level of privacy is for their organization and compare that to what is outlined in the HITECH Act. "The worst mistake people can make is not defining where they are," says Katz. "Are you at least as good as where you would be if you had paper records?"