The Health Insurance Portability and Accountability Act (HIPAA) is regarded as the toothless wonder of compliance mandates for its lax enforcement. That perception should start to change this month, when new data breach notification regulations issued by the U.S. Department of Health and Human Services (HHS) go into effect.
Starting Sept. 23, a data breach involving unsecured protected health information of more than 500 people must be reported promptly to the HHS, major media outlets and each individual affected by the breach. Breaches affecting fewer than 500 people must be reported annually to the HHS secretary and the individuals. The data breach notification rules apply not only to health care providers, health plans and other HIPAA-covered entities, but also to business associates of covered entities that handle personal health information. In addition, the names of the institutions with large breaches will be posted on an HHS website.
Not unlike the myriad state data breach notification laws now requiring businesses to notify customers whose personal information has been compromised, the HIPAA breach notification rules will shine a light on the mishandling, theft and potential criminal use of medical data. Whether the threat of public shaming will enhance the safety of patient health information is not yet clear. Most privacy experts, however, agree that the new HIPAA breach rules, at minimum, will spur organizations to pay more attention to the security guidelines long recommended, but rarely enforced, by the 12-year-old law.
"Think of it this way: HIPAA wasn't being enforced anyway, so organizations felt they could do whatever they wanted and call themselves HIPAA compliant and secure, because nobody was ever going to knock on their doors," said analyst Paul Proctor, a security and risk management expert at Stamford, Conn.-based Gartner Inc. "Now they have to take it seriously because breach notification will become a mechanism to put attention on their organizations, and someone may actually come down and look at what they are doing."
The breach notification rules are among a cluster of tougher rules and stiffer penalties designed to strengthen HIPAA, as the health industry moves forward on the federal government's multibillion-dollar push to promote electronic communication in health care, including the adoption of electronic health records. The breach rule implements provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act, or so-called stimulus bill, signed into law in February by President Barack Obama. The stimulus bill toughened HIPAA rules, adding stiffer penalties for noncompliance and expanding the scope of organizations subject to these rules.
The biggest potential change for the health industry, according to Ian Glazer, a senior analyst at Midvale, Utah-based Burton Group Inc., regards new requirements for business associates and their handling of individuals' patient data. "What the new rules say is that in this new reality, everyone is being held accountable in the same way," Glazer said. "There is a bit of a leveling of the playing field."
A business associate suffering a breach that could compromise individual patient information is required to report it to the covered entity, which in turn is required to report it to the HHS.
Glazer said he believes organizations will find it easier -- not harder -- to partner because everyone is subject to the same rules and threat of penalty. What's certain is that health organizations -- the bearers of the bad news, under the new rules -- will be paying much more attention to their partners' privacy practices. Ideally, that vetting should be done as contracts are forged.
"Now there is a real need for organizations to clearly understand the privacy practices of their partners because their own reputation is at stake," Glazer said. "The CIO and the CISOs really have strong encouragement, both explicitly and implicitly in these laws and other laws, to dig into their partners' or potential partners' privacy practices during the procurement process."
Shift from reactive to proactive information security
The newly released data breach rule issued by HHS has Jamie Welch, CIO of the Louisiana Rural Hospital Coalition, on a fast track to ensure that her organization has the infrastructure in place to support the regulation. It's not an altogether welcome process, she added, stating only half-jokingly that she and the new HIPAA rules "are not friends."
"My lack of friendship with HIPAA comes from the very small amount of time that they are giving anybody to make adjustments," said Welch, who oversees IT for the Louisiana Rural Health Information Exchange (LARHIX), a telemedicine network connecting 24 rural hospitals located in poor areas of northern Louisiana to the Louisiana State University Health Sciences Center in Shreveport.
"We have a small team and this rule will force us to review process, people and technology quickly. We need to ensure we have the technology in place to support this requirement and we need to educate people to the process and ramifications of not meeting the mandated timelines," Welch said. Currently, her two-person staff is adjusting policies and agreements and creating HIPAA business agreements but is still very much "in discovery mode" with regard to changes needed to be compliant.
The security of electronic health records is the cornerstone of Welch's work at LARHIX. The high-speed, secured network means that doctors and nurses at these rural hospitals can tap into the medical expertise at a large urban teaching hospital. Patients who cannot afford to travel to Shreveport are getting better medical care, thanks to electronic health records and the Internet, she said. She uses identity and access management technology from CA Inc. to secure the portal, including its SiteMinder Web Access Manager and its Identity Manager and Audit products.
The old HIPAA regulations were "fairly easy" to follow, Welch said. "You made sure that people had authorized access to only what they should have." Her staff ran monthly audit reports to track what was happening in an environment of currently 550 named users with capacity for 2,500 users.
Now she is putting technology policy in place that will alert LARHIX when a doctor, for example, checks 10 different patients within two minutes, a potential "fishing expedition." The next step would be alerting the hospital where the doctor works, then investigating whether the incident was a security breach. "Then we'd also have to alert patients -- all this with two staff members," she said.
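The "fishing expedition" rule Welch describes (10 different patients in two minutes) can be expressed as a sliding-window check over access-audit records. The following is an added illustration written for this article, not code from LARHIX or CA Inc.; it assumes a constructed log format of "timestamp user patient-id" per line, sorted chronologically, and the hypothetical user and patient ids are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # distinct patient charts opened by one user...
WINDOW = timedelta(minutes=2)  # ...within this trailing window raises an alert

def build_sample_log():
    """Constructed sample audit lines (not from the article): '<ISO timestamp> <user> <patient id>'."""
    base = datetime(2009, 9, 23, 10, 0, 0)
    lines = []
    # dr_smith opens 10 different charts in 90 seconds: should trigger an alert
    for i in range(10):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} dr_smith P{1000 + i}")
    # nurse_lee re-reads one patient's chart 12 times: a single patient, no alert
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} nurse_lee P2000")
    # dr_jones sees 10 patients three minutes apart: never 10 inside one window, no alert
    for i in range(10):
        lines.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} dr_jones P{3000 + i}")
    return "\n".join(sorted(lines))  # fixed-width ISO stamps sort chronologically

def parse_line(line):
    ts, user, patient = line.split()
    return datetime.fromisoformat(ts), user, patient

def find_fishing_alerts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return [(user, timestamp)] each time a user's distinct patients within the
    trailing window reach the threshold. Input lines must be chronological per user."""
    recent = defaultdict(deque)   # user -> deque of (ts, patient) inside the window
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, patient = parse_line(line)
        q = recent[user]
        q.append((ts, patient))
        while ts - q[0][0] > window:      # drop accesses that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerts.append((user, ts))
            q.clear()                     # one alert per burst, not one per extra access
    return alerts

if __name__ == "__main__":
    for user, ts in find_fishing_alerts(build_sample_log()):
        print(f"ALERT {ts.isoformat()} {user}: {THRESHOLD} distinct patients within {WINDOW}")
```

A real deployment would run the same logic over the identity and audit products' export rather than a constructed string, and would tune the threshold per role, since an emergency-department physician legitimately opens charts faster than a specialist.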
Welch says her little team has done very well "being reactive" to compliance. "The pain that we are feeling is that we are being required to move from a reaction state to a proactive state," she said. "It's a paradigm shift inside an IT environment."
Let us know what you think about the story; email Linda Tucci, Senior News Writer.