Ten years after its ratification, there's little doubt that the Health Information Portability and Accountability Act (HIPAA) has provided a strong framework for protecting patients' sensitive medical information against data security threats. What's just as certain, however, is the dramatic way in which HIPAA has changed the lives of the IT professionals in health care organizations charged with implementing the technology supporting the federal legislation.
They figured out from the get-go, for instance, that complying with the law's triple-play of rules — those covering privacy, security and transactions and code sets — would be a struggle. And they've learned all they want, and more, about how to deal with the complex, yet often ambiguous, HIPAA rules and regulations that govern the privacy of patients' medical records.
What they haven't seen, however, is the promised enforcement when they or other health care organizations violate HIPAA's regulations. To date, there's no record of any organization having been fined for violating HIPAA's rules. This despite the fact that more than 100 million data records of U.S. residents have been exposed due to security breaches since February 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer information and advocacy organization.
Sadly (and despite HIPAA) several million of those lost, stolen or hacked files included medical records. Most glaringly, the list includes one incident alone in which 903,000 patient records — names, Social Security numbers, birth dates and some medical and disability information — were exposed when a server was stolen from the American Insurance Group (AIG) on March 31, 2006.
That would seem to be just the sort of breach HIPAA was designed to prevent. So why hasn't it?
A clear message
HIPAA, signed into law on Aug. 21, 1996, by then-President Clinton, was a clear message from the federal government that the health care industry wasn't taking patient privacy seriously enough, believes Mark Olson, the information security manager at Beth Israel Deaconess Medical Center, a teaching hospital of the Harvard Medical School. "If the government had to step in," he says, "it's a statement that as organizations and professionals we weren't doing an adequate job."
Working to reach HIPAA compliance "certainly is an inconvenience to the institution, and requires more work on our part," Olson adds, "but from a moral perspective, it's something we should have been doing, anyway."
Although its impact on patient privacy has been well publicized in the popular media, health care IT professionals know the real struggle has been in meeting its security regulations. The technical practices and procedures section of HIPAA requires health care organizations to deploy systems for individual authentication of users, to install access controls and maintain audit trails, to implement physical security and disaster recovery, to protect remote access points and external electronic communications, and to perform a full system assessment.
A moving target
Those are all laudable goals, of course. Unfortunately, HIPAA's security regulations are ambiguous, says Mark Maher, a security administrator at Ochsner Health System, a Southern Louisiana-based non-profit chain of health clinics.
For instance, he says they mandate that health care employees must have a user name and password to access patient information and that data must be encrypted when it leaves a health care organization's network. "But they don't tell you the password strength and they don't tell you the level of encryption," he adds.
HIPAA is thus "a moving target, and it's not too difficult to claim full compliance — it's left up to the person who comes in and does the audit," Maher says. "I think that's a disservice not only to the patient of whose records we have oversight, but the institution, because it's left us up in the air."
What many health care IT professionals have done in an attempt to meet the HIPAA security rule set is to "spend more time dealing with the [network] perimeter," says Todd Thomas, the chief information officer at Austin Radiological Association (ARA), which operates 34 imaging centers in the Austin, Texas, area. For ARA, that has meant installing network intrusion protection systems, making sure each of its computers is protected by anti-virus software, and ensuring its internally developed web applications for access to patient records and diagnostic images are secure.
Half do, half don't
Even with the ambiguity of its security regulations, it's a stretch to say that health care institutions have embraced this part of HIPAA with open arms. Just slightly more than half of U.S. health care organizations can claim full HIPAA security compliance, according to a report released by Phoenix Health Systems, a health care IT consulting company.
The report, which surveyed individuals responsible for HIPAA compliance at 220 health care organizations last summer, found that only 56 percent of the providers, clinics, physicians or hospitals, said they have implemented HIPAA's security regulations; that's up one percent from a similar survey performed six month earlier. Not surprisingly, a much higher total, 80 percent, of the payors, or insurance companies and the like, say their systems are compliant with HIPAA's security codes.
There are several reasons for the disparity in compliance, according to those we talked with. Some of these are organizational, others operational.
On the first issue, Kate Borten, president of The Marblehead Group, a health care-focused security and privacy consultancy, says the organizational structure of the two entities is key to their ability to comply.
"Insurance companies tend to be top-down structured," she says. "Ultimately, everyone reports to the boss, who can articulate and enforce security policies such as HIPAA's."
That's not the case at most hospitals, particularly research and teaching hospitals. "There's no straightforward structure, with one person who can dictate policy," Borten says. "And many hospitals are not-for-profit, so when the economy goes bad, they have operational budgets in the red, with layoffs," leaving little in the way of money for security-related expenditures.
There are three or four operational issues that hinder HIPAA security compliance among health care organizations, says William Miaoulis, the HIPAA privacy and security leader at Phoenix Health Systems. For one thing, many health care organizations don't know how to complete a solid risk analysis, and then how to create a risk management plan that meets the requirements of the National Institute of Standards and Technology (NIST) SP800-30, he says.
They also have difficulty implementing proper auditing procedures and disaster-recovery plans. These are all key parts of SP800-300 compliance, he says.
While all of these problems seem straightforward to solve — after all, commercial solutions are available for every area — each health care organization's unique situation makes it difficult to comply with HIPAA's regulations, says Miaoulis. Acceptable risk for one organization, he says, may not be for another. So, many organizations, especially smaller ones, find assessing their risks difficult, and thus fail to follow through with HIPAA regulations.
The lack of real penalties for violating HIPAA is another key issue in many organizations' failure to comply. "Enforcement of HIPAA is lacking," says Mike Zamore, a policy advisor to Rep. Patrick Kennedy (D-R.I.), who has made medical care security a top priority during his tenure in congress.
"The grand total of penalties assessed for violating HIPAA is zero," Zamore says. "There have been only three prosecutions by the Justice Department and tens of thousands of complaints filed."
Without penalties, there's no incentive for health care organizations to comply with HIPAA's regulations, says Tom Walsh, an independent contractor who helps health care organizations perform risk assessments. Still, he tries to encourage those he works with to fix their problems for a simple reason: "If you do so, it will improve your chances of not making news in a bad way, and getting negative publicity."
- Jim Carr is an Aptos, Calif.-based freelance business/technology writer, and a news correspondent for SC. He can be reached at [email protected].
INSURE TO ENSURE:
Covering your assets
If you can't ensure that someone won't steal the medical records in your company's care, then how about insuring against such a breach?
That's the promise of Tech/404, a new insurance policy targeted to health care organizations from Darwin Professional Underwriters, a specialty insurance company based in Farmington, Conn.
According to the company, Tech/404 will pay a health care organization's expenses to cover regulatory mandated notifications that a security breach has occurred, as well as fines, fees or penalties arising from privacy or consumer protection errors.
Among those eligible for coverage are physicians groups, hospitals, ambulatory surgery centers, health care data processors, health care software providers, image delivery systems, long-term care facilities and managed care organizations.
— Jim Carr
THE NEXT HURDLE:
EMRs on the way
The next HIPAA-related privacy and security hurdle many health care organizations face will come when they deploy one of the new sophisticated electronic medical records systems (EMRs) now available. Hospitals and small medical practices in particular will find that integrating HIPAA and EMRs is the biggest challenge in health care right now, says Scott Wallace, the president and CEO of the National Alliance for Health Care Technology.
"Initially, when you go from paper to electronic forms, security has the potential for getting worse," agrees Kate Borten, president of The Marblehead Group. "I don't think the products provided today have the level of security functionality we need," adds Borten, who leads classes in HIPAA compliance for medical care professionals.
The security issues surrounding EMRs are the tip of the iceberg in the expansion of electronic medical record keeping, says Mike Zamore, Rep. Patrick Kennedy's health care policy advisor. Most notably, Zamore says that HIPAA must be updated to account
for the growth of so-called Regional Health Information Organizations (RHIOs), consortiums developed to share patient records among multiple health care providers and payors.
With the data networks of hospitals, physician offices and health plans all linked together by a RHIO, "we're talking about [creating] a mechanism for aggregating a person's health information," he says. "We need to be careful about privacy and security in that sort of environment."
The RHIOs, he adds, "are not covered entities under HIPAA, and the first step we need to take is to have some sort of privacy rules that apply to them."
— Jim Carr