CAMBRIDGE, Mass. -- In the face of generally declining reimbursements and tightening budgets, it's tough for healthcare IT leaders to advocate for budget increases. That goes double for new capital investment in patient privacy and data security initiatives, because it's hard to prove the ROI on preventing HIPAA compliance calamities.
But that's exactly what health IT professionals are going to have to do, in light of the new regulations going into effect later this year. Speakers at the PHI Protection Network Forum 2013 offered health IT leaders some strategies for pitching the C-suite for more budgetary support to ramp up investments for the Sept. 23 HIPAA omnibus rule compliance deadline. Among their tips:
Don't focus on financials. Patient care and the overall mission statement of the hospital puts revenue lower on the totem pole than it would be in, for example, a financial institution. Focus on how privacy and security investments will improve patient care and build trust between the community and your organization.
"If your message is dollars, you're dead on arrival," said James Anderson, principal at Risk Masters Inc. "They'll just send you down to the morgue floor -- that's in the basement." Furthermore, he added, do not confuse cost savings with cost reduction; saving a hospital from data breaches will cost more money.
If you can prove cost savings, be ready to be held accountable. Maybe you can find a tangible time-saving security implementation that gets practitioners logged in faster or a single sign-on that merges many current passwords into one. If you claim an investment will yield cost reductions or increased productivity, assign someone to monitor and document those savings, because you're likely going to be tested on it later. If not, network with senior leadership individually and share with them the benefits of their investment so it will be easier to renew or increase that investment when the time comes, Anderson said.
Frame the argument well. Debunk logical fallacies that senior leadership might believe, such as "HIPAA is a cost center" by saying something like this: "If it weren't for HIPAA, would we throw privacy investment in the trash and forget about patient trust?" Explain that information velocity throughout the enterprise doesn't necessarily lead to a reduction in privacy when it's supported with proper security, said James Christiansen , chief risk officer at RiskyData.
Show how HIPAA compliance helps insurance rates. Controlling internal threats -- such as unsecure email, dumpster diving, device theft, and intentional deletion or corruption of data by rogue employees -- can help reduce liability rates. This is enabled by putting a plan in place to control them, executing on that plan and documenting results.
Sometimes we lose the importance of people and processes in the attempt to mitigate data privacy losses.
AIG Lexington Professional Liability group
In this plan, don't forget the human element, such as policy enforcement and quickly cutting off terminated employees from network access. "A lot of folks think technology is the answer to solving security and privacy [issues], and technology is absolutely a very important layer," said Chris Andrews, underwriting manager at AIG's Lexington Professional Liability group. "But I think sometimes we lose the importance of people and processes in the attempt to mitigate data privacy losses. They're just as important."
Explain financial protections gained from new business associate agreements. Market research on data breaches from multiple firms shows business associates cause about 28% of data breaches. Resources must be allocated to tighten up business associate agreements for the new HIPAA law because IT can protect the hospital by developing and executing new BAAs to require more security. That is, require business associates to follow physical access controls for their buildings and carry data breach insurance, and call for specific data destruction practices. Also, make a "prenuptial agreement" that outlines how you will get your data back upon termination of the contract, and implement a program to audit your business associates for compliance with the agreement, said Brian Selfridge, managing director at Meditology Services.
Make the case for data breach insurance. Many hospitals are putting off these policies for economic reasons, according to Kimberly Holmes, deputy health care product manager at Chubb Specialty Insurance. She expects that procrastination to end once HIPAA enforcement picks up after the Sept. 23 omnibus rule compliance deadline and as awareness grows that data breaches are more likely to happen in the bring your own device (BYOD) era of smartphones and tablet devices. It's unrealistic to believe you can stop BYOD, so adding layers of security on data for those devices, as well as remote wiping capabilities, can reduce the risk of data loss -- as opposed to ignoring BYOD and letting it happen organically in your facility. That can mitigate risk, but data breach insurance still is a smart buy, judging from the cases she's worked on, she said.
Quantify risk by showing what happened to other hospitals. Depending on whose research is cited, Holmes said, a data breach costs a hospital $200 to $250 per patient record lost. Using the more conservative figure, quick math says a 10,000-record breach will cost $2 million -- and that's before crisis management costs, legal fees, forensic tracking of the lost data and potential federal penalties are factored in. Furthermore, that figure doesn't factor in the costs of possible civil suits and settlements.
Risk Masters' Anderson cautioned that very little information about reliable risk vs. protection costs exists right now for healthcare data privacy -- if you're citing data in a proposal, use the best you can find and annotate your sources in detail. But Michael Sullivan, Ashcroft Law Firm partner and potential Massachusetts Republican U.S. Senate candidate, said it also doesn't hurt to cite anecdotes from other healthcare providers' experience.
"It's okay every once in a while to share a horror story," Sullivan said. "There's nothing like getting somebody's attention when they can relate to the circumstances of somebody else's consequences. I'd tee them up, talk about something they can easily connect with in terms of the industry, a competitor, a colleague."