HITECH Drives New HIPAA Standards and Enforcement
As healthcare adopts ever-expanding catalogues of digitized information, many organizations face the daunting task of striking a balance between the portability of information and the importance of data privacy. Advances in on-demand access to all types of patient information show no sign of slowing down, and the rapid adoption of new technology is forcing healthcare providers to re-evaluate the importance and the challenges of effectively protecting patient data.
Enacted in late 2009, the HITECH Act provided federal stimulus funding to support the widespread adoption of Electronic Health Records (EHR); but the adoption of EHR frameworks accelerates risk in an industry that notoriously lags behind others in security spending. Recognizing the evolving privacy challenges in healthcare, top government officials updated the HIPAA privacy standards to increase the security controls required for patient data.
HIPAA Re-Stimulated
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was adopted by Congress to help protect the privacy of our nation’s patients. While the motivation for adopting these controls appeared to be high at first, over time the HIPAA Security Rule was relegated to an underwhelming industry-wide implementation. Even with widespread awareness among top government executives, experts agree that a driving force behind the lack of adoption of the HIPAA Security Rule was the perceived lack of enforcement. In short, the HIPAA Security Rule was a paper tiger.
Enacted in late 2009, HITECH was designed to accelerate the growth of information exchange and the portability of medical records for all citizens. Coupled with the HITECH funding were significant changes to the existing HIPAA standard. The scope of these changes is widespread and includes not only large-scale healthcare enterprises, but also local doctors’ offices, affiliates, insurance organizations and payment clearinghouses. The new HIPAA standards include specific penalties for organizations that do not effectively protect patient information. First-time offenders now face up to hundreds of thousands of dollars in fines, with repeat offenders facing a potential of $1.5 million in fines.
The HITECH mandate (formally the Health Information Technology for Economic and Clinical Health Act) was included as part of the American Recovery and Reinvestment Act of 2009 (the stimulus bill). The mandate provides incentive funds for organizations to adopt electronic health record systems, establishes a national health infrastructure, and focuses on the portability of patient information. HITECH has also brought renewed focus to HIPAA Security Rule enforcement. To ensure the ongoing privacy of online patient data, the HITECH legislation also updated the HIPAA security standards to increase the penalties, fines and overall culpability for inappropriate disclosure of patient data. As a result, HIPAA compliance obligations now extend to healthcare providers, insurers, and business associates. Other enforcement changes to the HIPAA Security Rule include:
- Repeat offenders can be fined up to $1.5 million.
- New tiers of fines for "accidents" and "reasonable cause".
- Proactive audits of healthcare-related organizations.
- Organizations are expected to have reasonable controls in place to detect breaches. Some situations require organizations to notify local media and every affected patient, and the organization will be publicly listed as a breached entity.
Looking Toward the Future
HITECH and the improved Security Rule standards are a leading indicator that compliance is no longer a luxury. Healthcare organizations, insurers, and business associates are now tasked with finding ways to effectively protect patient data against disclosure and to manage potential incidents within their environments. The role of compliance and “information security” in healthcare will continue to evolve, as the standards for compliance are now more critical than ever. In many ways, the technology that has driven change in managing patient records will also transform the process of securing those records. Healthcare organizations can expect to see an increased focus on GRC, log management and event correlation, and data tracking and encryption solutions to help them meet the varied demands of the HIPAA standards.
For more detailed information on the changes to HIPAA, contact VIOPOINT to schedule an educational webinar.