Guarding Against HIPAA Violations

Many health plans protect against HIPAA violations by training their staffs, but with employee turnover and human error in play, how can a health plan defend itself and keep its members' information private?

Here are two ways: develop technology-driven processes and emulate Microsoft and Google.

Many health plans are surely reviewing their processes in the wake of the news that Seattle-based Providence Health & Services agreed to pay $100,000 and implement a detailed corrective action plan after losing electronic backup media and laptop computers containing identifiable health information for more than 386,000 patients in 2005 and 2006. The U.S. Department of Health & Human Services (HHS) received more than 30 complaints about the security breach of the nonprofit health system that includes a health plans, hospitals, and clinics.

The theft potentially violated the law's Privacy and Security Rules, which require covered entities—such as health plans, healthcare clearinghouses, and most healthcare providers—to safeguard health information.

The case shows the difficult nature of protecting member health information. In order to protect your company against HIPAA violations, HHS offers these suggested actions. There is also a compliance checklist.

As the Providence case shows, however, training staff on policies and procedures is sometimes not enough. Michael Dermer, president and CEO of Lyndhurst, NJ-based IncentOne, a healthcare technology company that specializes in incentive platforms, says HIPAA protections need to go beyond training. He says health plans should set up technology-driven checks and balances so employees are constantly reminded of HIPAA regulations. Dermer says health plans are already using technology-driven processes in the areas of e-prescribing and nurse call centers.

Dermer says health plans have been proactive in adhering to HIPAA privacy rules, but could go a step further by challenging third parties and vendors to assist plans with technology compliance. He points to the fact that financial institutions spend a higher percentage of their revenue on technology than health plans.

One of the leading issues in the healthcare technology realm is the entrance of Microsoft and Google into the personal health record market this year.

David C. Kibbe, MD, MBA, principal of The Kibbe Group, LLC, in Pittsboro, N.C., and senior advisor for the Center for Health Information Technology at American Academy of Family Physicians, says the technological giants aren't covered under HIPAA law, but have created protections that go beyond the regulations.

"We have Microsoft and Google publishing privacy practices and privacy policies that are as strong or stronger than what HIPAA requires. And at the same time, they are letting people know that they take this seriously because they have so many financial stakes at risk," says Kibbe.

Kibbe would like to see health plans and providers change from offering patients Notice of Privacy Practices, and instead follow the lead of the business world in allowing patients to consent to information exchanges between specific entities.

"I think that the non-HIPAA world, Google and Microsoft and those folks, have already accepted a higher level of consent obligation than what is currently the case under HIPAA," says Kibbe, adding he thinks the HIPAA law will move toward that model ultimately.

As healthcare looks to technology as a way to improve care and lower costs, Dermer says, the industry needs to protect against breaches that could harm the cause of greater technology integration.

"As healthcare delivery systems get even more complex and the sharing of information gets so important, we don't want disclosure issues to prevent the delivery of great care and the reduction of costs. I think that is what all of our mission has to strive toward," says Dermer.