The HITECH Act forces health care organizations to address many facets of electronic health records, especially electronic health record security, because it encourages health care providers to make “meaningful use” of IT to standardize the way organizations exchange EHR information.
We can only assume that the allocation of close to $20 billion in incentives will cause an increase in the deployment of electronic medical record software and medical imaging systems, as well as an increase in the number of service providers offering meaningful use functions in the Software as a Service model. The increase in electronic storage and exchange will increase both the risk of breaches and the focus on electronic health record security and data protection according to the Health Insurance Portability and Accountability Act’s (HIPAA) Security and Privacy Rules.
The HITECH Act also broadens the applicability of HIPAA compliance, making the business associates of covered entities directly responsible for data protection. In the original legislation, covered entities were required to hold business associates contractually responsible for securing electronic protected health information (EPHI). The Act has made business associates of covered entities directly responsible for HIPAA compliance -- and directly liable for damages resulting from a breach.
While the HITECH Act increases the likelihood of lawsuits in the event of a data breach, it may also be a sign that the Department of Health & Human Services will increase the frequency and depth of its audits to include a broader set of covered entities and business associates.
Compliance requirements and EHR security
The passing of the HITECH Act was a wake-up call to covered entities and business associates to look closely at their state of compliance. As both the number of service providers to manage and the volume of data increase, certain administrative and operational aspects of the HIPAA Security Rule become more important.
For example, HIPAA requires all organizations entrusted with EPHI to implement strong access controls, encrypt data where risk dictates, and ensure that their business associates implement all the administrative and technical controls required by the Security and Privacy Rules. None of these activities is a simple task. The three steps that follow, however, will make it easier to address EHR security in a changing regulatory landscape.
Secure your own data: The most important step in achieving HIPAA compliance is to understand and comply with the intent of the law -- the protection of EPHI. While there is value in all the documentation, governance, contractual arrangements and testing required by the Security Rule, by far the most important elements are the controls that protect EPHI data. Aside from the moral and ethical reasons for protecting this data, there is one important business driver: Avoiding a breach goes a long way toward avoiding penalties and lawsuits. With that in mind, risk assessment, EPHI data containment, identity and access management, encryption, vulnerability management and monitoring should be critical activities in your compliance program.
Regardless of which standard you choose, it pays to build an EHR security, compliance and assessment program on a well-defined set of requirements and controls.
Manage your business associates: Once you are confident that EPHI data is safe within the confines of your environment, it is time to look outside. In other words, you have a responsibility to assess the practices of your business associates. Unfortunately, the HIPAA Security Rule is difficult to use as a benchmark for the assessment of EHR security and HIPAA compliance. The problem stems from the fact that the rule is a risk-based standard that leaves many of the controls to interpretation. If we look at the assessment standard problem from another perspective, business associates have no standard way of communicating their practices to a covered entity or another business associate. In other words, it is a difficult situation for all parties involved.
Embrace security standards: For years, organizations have recognized the difficulty of assessing compliance with HIPAA rules both inside their own organizations and with business associates. The natural solution is to look to other security standards and guidelines to supplement the HIPAA rules and map them to more concrete controls. Standards such as the ISO 27000 series, as well as guides from the National Institute of Standards and Technology, have been used effectively for years as frameworks for security programs and as the basis for assessment.
In the past few years, the Health Information Trust Alliance has released its Common Security Framework, a combination of controls and metrics from various standards, for use in structuring and assessing HIPAA security programs.
Regardless of which standard you choose, it pays to build an electronic health record security, compliance and assessment program on a well-defined set of requirements and controls. A program based on well-documented standards will help you meet your own security and compliance requirements and effectively measure your business associates’ practices.
A prudent approach to EHR security
HITECH’s encouragement of the proliferation of technology to support EHR is likely to increase the risk of records being compromised as new technology is deployed and high volumes of information are stored and exchanged among health care organizations. With increased risk comes the need for better EHR security controls and more thorough assessments of security practices.
Given that the HITECH Act has broadened the applicability of HIPAA compliance, all organizations, from covered entities to business associates, should be looking closely at their security programs to ensure that health information is adequately protected. A prudent approach for any organization is to structure a security program based on a set of accepted security standards, and use a well-defined approach to measure the effectiveness of internal and business associates’ security controls.
Richard E. Mackey, vice president of Sudbury, Mass.-based SystemExperts Corp. and an ISACA CISM, is a leading authority on enterprise security architecture and compliance. Let us know what you think about the story; email firstname.lastname@example.org.