Providers hoping to improve the quality of their health care delivery practices while sustaining viable businesses
face a slew of new federal mandates, as well as incentives to reach those mandates' goals. One of the most significant areas health care organizations must navigate is patient data security.
Since the release of proposed rules to enforce the Health Insurance Portability and Accountability Act (HIPAA), compliance with privacy and security requirements under federal laws just became a little more complex. Privacy controls have always been required under HIPAA, but it wasn't until the signing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in the 2009 stimulus law that policymakers added enforcement strength to the legislation.
The U.S. Department of Health & Human Services (HHS) recently released its proposed rules to govern that enforcement policy. At their core, the proposed rules aim to strengthen patients' consent over the use and disclosure of their personal health information (PHI). To accomplish that, policymakers have added limitations on using PHI in marketing plans, enhanced patient access to their records and increased financial penalties for data breaches.
Providers are concerned that these myriad regulations will be confusing to implement, but they agree that better protections for patients are needed as the industry moves toward adopting more health IT.
With patient data security controls comes trust
Greater patient access and control over the flow of electronic information will boost consumers' trust in health information exchange and electronic health records, the American Health Information Management Association (AHIMA) said, reacting to the proposed enforcement rules.
"This is important, as our nation works to improve the health of individuals by having accurate health information available where and when it is needed to treat patients," said Rita Bowen, president of the AHIMA board of directors, in a written statement. "These proposed rules represent a striking of the difficult balance between improving appropriate health information access and transfer with the necessary confidentiality and security of that same information or data, and the very important inclusion of patients and their guardians in these activities."
The proposed requirements and heavier penalties in the proposed rules give "teeth to a compliance regulation that people have been able to put on the back burner in the past," according to health care consultancy Beacon Partners Inc. The consultancy released an advisory brief, "HITECH and HIPAA: Missteps Will Cost You and Your Patients," on the enforcement rule.
"HITECH is certainly not the old HIPAA we knew and gave lip service to -- not even close," wrote Kathleen LePar, vice president of professional services, and Rachel Hudspeth, senior consultant, in the brief. "Even though we are still misspelling the acronym, the one thing that will not be misspelled is the health care organization's name on the federal Department of Health & Human Services website or when given to the media when breaches are encountered."
Christopher Paidhrin, security and compliance officer at Southwest Washington Medical Center in Vancouver, had an even simpler assessment of the proposed rules. They are, he said, a "no-brainer."
Evolving HIPAA compliance: More groups are involved
Perhaps the most significant effect the HITECH Act has had on HIPAA compliance is within the structure of business associates and organizations that are considered covered entities. Under previous HIPAA regulations, business associates were governed by contracts with covered entities. Those entities -- typically, the providers and payers who handled PHI -- were subject to HIPAA compliance.
I'm seeing a lot of urgency in the community now. Their attention has been grabbed.
Christopher Paidhrin, security and compliance officer, Southwest Washington Medical Center
But now, a HIPAA business associate will be treated as if it's a HIPAA-covered entity, Paidhrin said. This is a big change for vendors and third-party companies that aren't accustomed to paying attention to HIPAA regulations, but it makes sense to get everyone on the same page with patient data security. Without assurances that every organization handling PHI meets the providers' compliance standards, "how can I trust that I won't be held accountable?" he asked.
New willful-neglect clauses in the HIPAA rules as updated by the HITECH Act should spur health care providers to pay closer attention to HIPAA, because now more than ever, they're on the hook for institutional shirking of privacy rules, said Amy Leopard, a partner at Cleveland law firm Walter & Haverfield LLP.
Willful neglect generally can be described as knowing HIPAA rules but not properly training employees -- and now, business associates -- in them.
"It's evolving. It's going to be like this for the next couple of years," Leopard said about the proposed rules, as well as about HIPAA enforcement strategies now in their infancy.
Urgency to get patient data security right
There is a "nascent" quality to the legal approach of HIPAA because of that lack of enforcement in the last 10 years, according to Paidhrin. Business associate contracts cover common policies and procedures for securing PHI, but there used to be a lot of pushback from contractors in how those agreements were structured. "I'm seeing a lot of urgency in the community" now, he said. "Their attention has been grabbed."
And that attention is growing, even if the health care industry isn't completely prepared to handle the new enforcement rules. Separate surveys conducted by the Ponemon Institute LLC and the analytics organization of the Healthcare Information and Management Systems Society (HIMSS) indicate that there is general awareness of the HIPAA changes under the HITECH Act. Most health care organizations nevertheless are waiting for more guidance from the federal government on implementing those changes before they alter their policies.
Business associates in particular were less aware of the ways the patient data-security changes affect them, according to the surveys. The Ponemon Institute survey of HITECH Act compliance readiness found 31% of business associates were "barely aware" they needed to take any HIPAA compliance action. That survey of 77 organizations, including 42 covered entities and 35 business associates, was released at the end of 2009.
HIMSS Analytics' HITECH Act security and privacy survey, also released in late 2009, similarly indicated that more than 30% of business associates did not know the HIPAA privacy and security mandates had been extended to cover them. In addition, 47% of hospitals said they would terminate their business associate agreements because of patient data security violations.
The urgency has certainly changed, said Larry Ponemon, chairman and founder of the Traverse City, Mich.-based research organization. "The HIPAA privacy rule came in with great fanfare nearly seven years ago but saw very little in terms of enforcement, so over time health care organizations came to believe they could cut corners and get away with it," he wrote in an email. "Under the new rules we've already seen, with the recent action taken by the Connecticut attorney general against Health Net, there are consequences to any information security and privacy failure."
Let us know what you think about the story; email Jean DerGurahian, Executive Editor.