ORLANDO, Fla. -- As U.S. Department of Health & Human Services secretary Kathleen Sebelius delivered the Wednesday keynote address at HIMSS 2011, along with national health IT coordinator David Blumenthal, the news broke that her agency has issued the first civil penalty fines -- $4.3 million -- for violations of the HIPAA Privacy Rule. In a twist on the usual Health Insurance Portability and Accountability Act case, Cignet Health of Prince George's County in Maryland was fined for denying patients access to their medical records, as well as for not cooperating with HHS Office for Civil Rights (OCR) investigators.
More often, OCR's enforcement actions follow a data breach at a HIPAA-covered entity. According to the Deloitte & Touche LLP "Privacy and Security in Health Care: A Fresh Look" report issued during the show, health IT leaders have a lot of work to do to shore up potential patient data breaches.
Effective data security requires more than technology tools to protect patient data, said Deloitte principal and report co-author Mark Ford in an interview with SearchHealthIT.com. It also takes such organizational measures as risk assessments and actively enforced security policies to get the job done.
Getting administrators to invest in patient data security
Convincing upper management to invest in the technology and manpower to improve security is a tough task for CIOs, for several reasons. First, HIPAA enforcement hasn't been around long enough for administrators to feel much pressure. But if what happened with the financial industry is any indicator -- prominent Sarbanes-Oxley Act prosecutions inspired businesses to clean up their acts -- administrators probably will start bowing to pressure as more HIPAA cases make news.
"The financial industry would be at the same state as health care if it weren't for the regulatory piece," Ford said. "Bottom line is, what really drives it home is an immediate need if there's a breach. That's a pretty significant issue. Even more significant is when there's a regulatory issue coming down."
Sometimes, even that isn't enough, Ford said. Security technology can be a tough sell to hospital CEOs, even when regulators have inspired fear of HIPAA enforcement. His client CIOs have had success selling data security initiatives to administrators, he said, by emphasizing how new processes and technology will create efficiencies, consolidate efforts and save money -- for example, by monitoring many facilities' data flow at one central location, or otherwise making the job easier.
Future of patient data security
What hot new security tech will be coming to the CIO's rescue? In surveying the technology at HIMSS 2011 and watching how Deloitte clients are starting to manage security, Ford believes the wave of the future will include hospitals monitoring and logging who is accessing data at all times, and applying analytics on the fly to help enforce access controls.
Some data breaches are inadvertent -- for example, a nurse or doc didn't actually mean to open a record they shouldn't be seeing -- but are tough to prevent in health care because access control poses complex security problems, especially for hospital departments where multiple providers can sometimes work with multiple patients -- in intensive-care units or obstetrics, for example.
Analytics will help detect these situations and provide warnings to practitioners to help prevent breaches in such busy environments as emergency rooms, Ford believes. In this way, CIOs will be able to impose access control policies that help bolster HIPAA compliance without constraining physicians' and nurses' ability to care for patients.
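To make the idea concrete, here is a small illustration added to this article (it is not code from Deloitte, from Ford, or from any vendor at the show) of what such on-the-fly access analytics look like at their simplest: the script reads constructed EHR audit-log lines and flags a record open whenever the clinician has no treatment relationship with the patient, while tolerating the busy-unit case Ford describes, where a nurse may legitimately work with any patient currently on her own unit's census. The log format, user names, patient IDs, care-team assignments and unit census are all invented for the example; a real deployment would pull that context from the hospital's ADT and scheduling systems.

```python
"""Toy access-log analytics: flag EHR record opens that lack a treatment relationship.

Added example for illustration only; the log format and all data below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit log lines (not from any real system).
AUDIT_LOG = """\
2011-02-23T08:15:02 user=rn_lopez unit=ICU action=view patient=P1001
2011-02-23T08:16:40 user=rn_lopez unit=ICU action=view patient=P1002
2011-02-23T08:18:09 user=rn_diaz unit=ICU action=view patient=P1002
2011-02-23T08:20:11 user=md_chen unit=ED action=view patient=P2001
2011-02-23T08:22:05 user=md_chen unit=ED action=view patient=P1001
2011-02-23T09:01:33 user=clerk_ray unit=BILLING action=view patient=P2001
2011-02-23T09:05:00 user=rn_lopez unit=ICU action=view patient=P3001
"""

# Constructed context that a real engine would pull from ADT/scheduling systems:
# who is formally assigned to each patient, and which patients are on each unit today.
CARE_TEAM = {
    "P1001": {"rn_lopez", "md_patel"},
    "P1002": {"rn_lopez"},
    "P2001": {"md_chen"},
    "P3001": {"rn_kim"},
}
UNIT_CENSUS = {
    "ICU": {"P1001", "P1002"},
    "ED": {"P2001"},
    "OB": {"P3001"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) unit=(?P<unit>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    unit: str
    patient: str
    reason: str


def parse_line(line):
    """Parse one audit line into a dict; reject anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    return m.groupdict()


def has_treatment_relationship(user, unit, patient, care_team, census):
    """Allowed if the user is on the patient's care team, or the patient is on the
    user's own unit census (ICU/ED staff legitimately float between patients)."""
    if user in care_team.get(patient, set()):
        return True
    if patient in census.get(unit, set()):
        return True
    return False


def analyze(log_text, care_team=CARE_TEAM, census=UNIT_CENSUS):
    """Return an Alert for every record view without a treatment relationship."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["action"] != "view":
            continue
        if not has_treatment_relationship(ev["user"], ev["unit"], ev["patient"], care_team, census):
            reason = "no care-team assignment and patient not on user's unit census"
            alerts.append(Alert(ev["ts"], ev["user"], ev["unit"], ev["patient"], reason))
    return alerts


def alerts_per_user(alerts):
    """Roll up flagged opens by user for the periodic audit-log review."""
    return Counter(a.user for a in alerts)


if __name__ == "__main__":
    found = analyze(AUDIT_LOG)
    for a in found:
        print(f"WARN {a.ts} {a.user} ({a.unit}) opened {a.patient}: {a.reason}")
    print("flagged opens per user:", dict(alerts_per_user(found)))
```

In the constructed log, the ICU nurse reading a chart of a patient on her own unit is not flagged even though she is not on that patient's care team, which is the tolerance needed so that the warning does not get in the way of care in a crowded unit; the billing clerk opening a clinical record, and the ICU nurse opening an obstetrics patient's chart, are the kind of events that would surface a real-time warning to the user and a line in the audit review.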
Monitoring and logging employee access of patient data "might sound like Big Brother," Ford said, "but being monitored is part of business life. There's no expectation of privacy [among employees] these days inside the company."
Advice for CIOs
Ford and his peers offered ways to make data more secure: developing risk management strategies that begin with reviewing audit logs, assessing security controls and identifying risks, for example.
HIPAA rules, as expanded by the HITECH Act, require a hospital's business associates -- previously held to less-stringent standards -- to follow HIPAA as well. The Deloitte report recommends that hospitals review business associate agreements, tighten them up to prevent data breaches and establish liability in the event of a breach.
The report also addresses employee training, and advises hospitals to establish procedures for handling patient data, training employees in the policies and ensuring their compliance with monitoring programs.
Let us know what you think about the story; email Don Fluckinger, Features Writer.