Organizations might not be prepared to comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act’s security and privacy provisions that go into effect this month, according to two surveys of covered entities and business associates.
Separate surveys conducted by the Ponemon Institute LLC and the analytics organization of the Health Information and Management Systems Society (HIMSS) indicate there is a general awareness of the changes to Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations that the HITECH Act mandates. But most health care organizations are waiting for more guidance from the federal government on implementing those changes before they alter those policies.
Business associates -- organizations that become involved with personal health information through their contracts with providers and payers -- in particular were less aware of how the changes affect them, according to the surveys. The Ponemon Institute survey of HITECH Act compliance readiness found 31% of business associates were “barely aware” they needed to take any compliance action. That survey of 77 organizations, including 42 covered entities and 35 business associates, was released at the end of 2009.
Starting this month, business associates such as personal health records vendors and health information exchanges will be held accountable under HIPAA’s privacy and security provisions as if they were covered entities.
Since the institute’s report was released, awareness of the changes has grown, said Larry Ponemon, chairman and founder of the research organization. “The urgency has changed, certainly,” he said in an email. “The HIPAA privacy rule came in with great fanfare nearly seven years ago, but saw very little in terms of enforcement, so over time health care organizations came to believe they could cut corners and get away with it. Under the new rules we’ve already seen, with the recent action taken by the Connecticut attorney general against Health Net, there are consequences to any information security and privacy failures,” he added.
HIMSS Analytics’ HITECH Act security and privacy survey, also released in late 2009, similarly indicated that more than 30% of business associates did not know the HIPAA privacy and security mandates had been extended to cover them. In addition, 47% of hospitals said they would terminate their business associate agreements because of patient data violations.
The key to compliance is having a flexible model, said Ashish Shah, senior vice president and chief architect at Medicity Inc. The Salt Lake City-based company develops applications for interoperable health information exchange, including clinical transactions and health record review.
Medicity has been working on the federal level to help standardize how business associate agreements are established. That standard document -- dubbed the Data Use and Reciprocal Support Agreement -- is being developed for the ongoing national health information network. Having standard language around such things as technical security and clinical authorization rules (for example, who has the right to see data) helps with HITECH Act security and privacy compliance, Shah said. “We take into account the role of the user and the patient.”
One of the biggest changes to the HIPAA provisions includes new data breach notification policies, which Medicity has spent a lot of time evaluating, Shah said. “It’s really one of those never-ending discussions.”
Data breaches are on the rise among health care providers. Half of large hospitals experienced a data breach in the past year, in addition to 33% of medium-sized hospitals and 25% of smaller hospitals, according to the HIMSS Analytics survey. Even though most hospitals conducted a risk assessment at their facilities, breaches still occurred, according to the survey.
The notification policy changes could affect how Medicity does business, but many of the HITECH Act’s security and privacy requirements about capturing and accessing auditing information are capabilities that currently exist. The next step is to communicate those capabilities to providers, Shah said.
Organizations might not be as prepared to handle privacy and security changes when information is flowing across a provider community, among hospitals, primary care doctors and specialty physicians. “I wouldn’t say anyone has got this fully answered, but they’ve got to think about it,” Shah said.
HIMSS Analytics said more training and education are required to help both providers and their business associates reach compliance.
Improving compliance helps an organization’s bottom line. Developing security, improving staff awareness and increasing response preparation are less expensive than cleaning up after a data breach, according to the Ponemon Institute.
The health care and pharmaceuticals industries lost customers after a data breach, and those breaches cost them $294 and $310 per record, respectively -- significantly higher than the overall average of $204, the institute said. “In general, organizations with someone in an information security leadership role -- a chief information security officer, CIO, or chief privacy officer or equivalent title, also showed significantly lower per-record breach costs than those organizations without such a position.”
Let us know what you think about the story; email Jean DerGurahian, News Writer.