We know you have plenty of spare time as you lead your hospital through an economic recession where the uninsured knock on your door and the insured don't answer the door when you come knocking for payment.
In your search, you will find 13 references, all under the Health Information Technology for Economic and Clinical Health (HITECH) Act, or Title XIII. Each one affects your HIPAA Security Rule compliance program in light of the new laws.
The problem?
No one knows what that means, exactly—at least not at this moment.
Congress gave the Department of Health & Human Services (HHS) 60 days from the February 17 signing of the Act–or Friday, April 17–to define "unsecured protected health information." So far, there has not been an announcement. If no definition is released, it goes to a default–one that includes all protected health information that is not secured by an encryption standard endorsed by the National Institute of Standards and Technology (NIST).
So how do you prepare now without that key definition? After all, the HITECH Act calls for strict notification requirements, all of which hinge upon breaches of "unsecured protected health information." The new requirements include:
Notification of all individuals whose unsecured PHI may have been disclosed or accessed
60-day window to notify those patients
Requirement to explain why you had to use the full 60 days to notify
Notification of prominent media outlets when breaches of unsecured PHI include 500 patient records or more
Immediate notification of the secretary of HHS on breaches of at least 500 patients
So, you can kind of see why this definition is important. Or is it? Should you be watching ever so closely for a definition?
"Don't hold your breath," says Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA.
Borten thinks the definition will matter, but she does not see it including any earth-shattering content that strays too far from what's already out there.
For instance, the Security Rule of 2003 already establishes encryption as a necessity for PHI flowing over the Internet and open networks. That encryption mandate goes back to the 1998 proposed Security Rule, Borten says. And the Health Care Financing Administration came out with an Internet Security Policy in 1998.
"We've known we need to encrypt confidential data over the Internet for over a decade," Borten says.
Further, when you've got a federal department with no permanent leader–President Barack Obama nominated Kathleen Sebelius as the new secretary of HHS, but she has not been confirmed–how much can you do anyway?
Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer for St. Dominic Jackson Memorial Hospital in Jackson, MS, says organizations have come a long way encrypting data already.
"We've come so far along making sure we've got under the Security Act everything protected, encrypted, and how to have a secure firewall, a hacker-proofed system and all of that," she says.
Organizations that have encrypted data are in good shape.
However, as Johnnie Cochran might say, if you don't encrypt, you must equip. Look for any potential unsecured PHI and evaluate the need for encryption.
"It's free," Borten says. "We pay for it with our tax dollars. The resource is fabulous."
For the record, the general default definition of unsecured PHI in the HITECH Act is: "Protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute."
When can they change the default definition? That's unclear now. Ultimately, things may not change a whole lot.
"As long as you're buying products that use known algorithms, you really should be fine," Borten says. "I don't think HHS or Congress expect organizations to throw out what they've done so far."
JPS Health Network administrators say several patient safety issues could be addressed if the Texas-based, taxpayer-supported hospital district does away with handwritten records and combines its paper files and various computer systems under one electronic medical record system. But the estimated cost of the project is $150 million, about one and a half times the cost of building the 108-bed pavilion that opened last year. JPS board members are expected to vote soon on a strategic plan to overhaul medical records.
Moses Cone Health System in Greensboro, NC, has sent letters offering free credit monitoring to 14,380 patients after a laptop computer containing confidential information was stolen from a vendor in Canton, GA. The health system said the information on the computer was not encrypted but was password-protected and contained a software program that requires training and expertise to use. Moses Cone said the health system does not know of any instance in which the information has been disclosed or misused or if the laptop was taken for that purpose.
Google Health and others in the fast-growing personal health record business say they are offering a revolutionary tool to help patients navigate a fragmented healthcare system. Some doctors, however, fear that inaccurate information from billing data could lead to improper treatment.
New federal HIPAA laws are here. Anxiety at hospitals is not.
That wasn’t the case in 2003, when providers scrambled for answers to comply with the new privacy and security rules of HIPAA.
Then, many even had trouble getting the acronym right (admit it, we've all written "HIPPA" at one time or another).
Here we are today, six years later, and with a Congress eager to move the industry to EHRs by 2014—and even more eager to protect patients’ privacy in the process.
Now that Congress (finally) strengthened HIPAA enforcement and toughened compliance requirements through breach notification processes and accounting of disclosures on EHRs, what’s the reaction in the industry?
Well, picture this. It’s kind of like the Boston Celtics just signed Larry Bird. Not Larry Bird, the NBA Hall of Famer, three-time NBA champion and three-time NBA Most Valuable Player of the 1980s.
We’re talking about Larry Bird today—the 52-year-old, out-of-shape president of Basketball Operations for the Indiana Pacers.
If you’re the rest of the league, you’re not really sweating it.
Analysis: HITECH Gives HIPAA New Teeth
HITECH Act will impose stricter HIPAA requirements and stiffer penalties for violations. But at this point, the changes aren't worth losing a lot of sleep over. —Elyas Bakhtiari
"I'm afraid that at this time we are not moving too quickly with any changes in our practices," one privacy officer told us. "The corporate direction we have been given does not have us moving immediately to revise applicable policies/procedures. As we both know, once a bill is signed there are timetables by which compliance will be required and that, generally, allows organizations sufficient time to bring their practices up-to-date. We are, merely, digesting all the material that is coming out with respect to this Act."
That’s the Cliff’s Notes version of our research at this point. The key phrase here is reluctance—not ignorance.
Hospitals certainly plan to do something in light of security provisions in the HITECH Act. In fact, 98% of respondents in our HITECH survey of 300 privacy and security officers said they plan to revisit their HIPAA compliance and training programs.
"One thing I do see is people taking their policies off the shelf and revisiting them to see how they will need to be amended to accommodate those requirements and definitions which are soon to be established by those governmental entities as identified within the HITECH Act," says Frank Ruelas, MBA, the creator of www.hipaabootcamp.com who is based out of Scottsdale, AZ. "Sometimes it takes an event such as the passage of new legislation to serve as the tipping point to get folks to take action."
So why the reluctance now?
Our feedback tells us hospitals don’t want to move too much with regulations that have yet to be defined. And there are a host of them, including:
The definition of "unsecured protected health information"
What must be included in an accounting of disclosures in EHRs
When the Secretary of HHS will conduct audits of organizations
What "meaningful user" means on EHR
And in a shocker, hospitals said they just can’t invest money right now.
Furthermore, some providers told us they’re more worried about the Red Flags Rule deadline—May 1. Hospitals considered to be creditors must set up a policy and procedure that helps them identify "red flags" on identity theft, prevents them and corrects them through self-audits (the FTC last week came out with some nice guidance to help comply).
So where is your organization on the HITECH Act? Is the panic button a 2 or 3, or is it up to a 9 or even a 10?
If you’re like most of the industry it’s probably the former. And essentially, those hospitals with a strong HIPAA compliance and training program in place should be fine with the new regs. If you are confident your facility won’t have a breach, then you need not worry about federal auditors or breach notification requirements.
But for those who don’t have a policy in place—and perhaps those who have suffered a breach of privacy at one point (see: CVS)—then, well, maybe your panic level should be a 10.
Because after all, federal law is federal law. Just like Larry Bird is Larry Bird.
President Obama announced that his administration will create an electronic record for veterans that will "contain their administrative and medical information from the day they first enlist to the day that they are laid to rest." Obama has made electronic record-keeping a key feature of his healthcare reform effort, but a problem is how the military and VA hospital systems will be able to communicate with each other.