The economic recession probably brought healthcare CEOs closer to their organizations' day-to-day activities. New federal HIPAA laws should have too. Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST), believes compliance with HIPAA privacy and security starts from the top.
"Our experience shows that the more executive management and the board of directors are engaged in understanding the challenges and issues the more diligent the organization is in addressing information protection," says Nutkis. "HITRUST has seen a significant increase in the number of organizations that have added information protection as a component of their overall corporate responsibility measure or corporate philosophy."
HealthLeaders Media caught up this week with Nutkis for a Q&A about HIPAA privacy and security. The following are some highlights. The full Q&A can be found on the HCPro, Inc. HIPAA Update blog.
HealthLeaders Media: Federal laws on HIPAA changed with the signing of the American Recovery and Reinvestment Act (ARRA) of 2009. Did you see this coming?
Nutkis: ARRA is pushing for the broad adoption and utilization of health information systems, electronic health records, and electronic exchanges of health information. ARRA also recognizes the importance of information security in meeting this objective. Efficiency and reduced costs for consumers were the drivers. HITRUST recognized this long before the signing of the bill, and we continue to be an advocate for more effective and efficient information protection in the healthcare industry.
HealthLeaders Media: What were the major flaws in HIPAA rules before the signing of the ARRA?
Nutkis: The primary issues with HIPAA are a lack of clear requirements and enforcement by government agencies. ARRA allows for a risk-based implementation of the safeguards outlined in HIPAA, which are themselves subject to interpretation, meaning there is no consistent application of security controls across the industry. While there are penalties for non-compliance, the industry rarely saw repercussions and subsequently rarely took HIPAA seriously. While ARRA does not necessarily provide the prescriptive security requirements needed in HIPAA—like we find with PCI (https://www.pcisecuritystandards.org/)—it does provide focus for covered entities on breach notification, securing PHI, and business associate compliance.
HealthLeaders Media: What kind of an impact does the move to electronic health records have on HIPAA privacy and security?
Nutkis: The impact from EHRs comes in the form of increased focus on privacy and security. It is widely known to the general public that this is the direction the healthcare industry must go to contain costs and increase efficiency in healthcare. However, without proper security and assurance that personal health information will be kept private, consumers will be no more willing to share their health information electronically than they would their bank account or credit card number.
HealthLeaders Media: How should healthcare facilities be reacting right now to the new HIPAA laws in the Health Information Technology for Economic and Clinical Health (HITECH) Act?
Nutkis: Healthcare organizations will need to revisit and adjust their information security governance practices and make additional areas of investment to align with the new requirements. HITRUST recommends that healthcare organizations focus on the following key areas for their security strategic plans over the next 24 months:
- Develop and implement an overall compliance strategy: Update policies, processes, and technologies to manage and document compliance efforts
- Realign policies: Ensure that internal policies, standards, and procedures are aligned with regulatory requirements
- Perform a gap analysis: Conduct a gap analysis of existing security practices against HIPAA and new regulatory requirements
- Develop a roadmap for compliance: Develop a plan outlining responsibilities, budget, and timelines to address gaps identified during the assessment
- Maintain an audit-ready state: Based on recommendations by the OIG in 2008 and the new legislation, HHS will more assertively perform compliance audits in the upcoming years.
HealthLeaders Media: What are some weaknesses you see with healthcare facilities as they attempt to comply with HIPAA privacy and security?
Nutkis: During the development of our Common Security Framework (CSF), a certifiable framework that any and all organizations in the healthcare industry can implement and be certified against to reduce risk, professionals from healthcare organizations of all segments provided us with input on the top issues affecting the industry, those resulting in the most severe breaches and loss of covered information. These include:
- Insecure and/or unauthorized removable transportable media and laptops (internal and external movements)
- Insecure and/or unauthorized external electronic transmissions of covered information
- Insecure and/or unauthorized remote access by internal and third-party personnel
- Insider snooping and data theft
- Malicious code and inconsistent implementation and update of prevention software
- Inadequate and irregular information security awareness for the entire workforce
- Lack of consistent network isolation between internal and external domains
- Insecure and/or unauthorized implementation of wireless technology
- Lack of consistent service provider, third party, and product support for information security
Editor's note: This is the first of a two-part series from our interview with Nutkis. In the next installment: The importance of business associates complying with the HIPAA Security Rule.