Dumped patient records underscore tougher HIPAA compliance rules


Paul Roberts, Contributor
05.26.2009

It was back to the bad old days in Chattanooga, Tenn., when passersby recently discovered thousands of patient medical records in a mixed paper bin at the DuPont Recycling Center. The documents included graphic photos and sensitive health information, including the Social Security numbers of patients. The origin of the documents isn't known, but police are pointing fingers at nearby Hutcheson Medical Center and a local plastic surgery practice as possible sources of the files.

As any health care worker could tell you, document dumping runs afoul of the federal Health Insurance Portability and Accountability Act (HIPAA), a 12-year-old regulation that covers patient privacy. That law, which is overseen by the Department of Health and Human Services (DHHS), has been infamously toothless throughout the Clinton and most of the Bush administrations. But health care providers that might have been tempted to play fast and loose with HIPAA compliance rules in the past are in for a rude awakening, as a feistier DHHS combines with new HIPAA provisions that strengthen enforcement and stiffen civil penalties for violations.

Remember: Stories like the Chattanooga snafu created the impetus for HIPAA back in the mid-1990s, when similar tales of health records carelessly disgorged from doctors' offices and hospitals started turning up in newspaper headlines and evening news broadcasts. They're all the more remarkable now, six years after HIPAA's so-called Privacy Rule governing the handling of protected health information (PHI) in both paper and electronic forms went into effect. That rule was supposed to put an end to loose handling of PHI by instituting clear guidelines on how PHI is handled by medical providers and tough penalties for violators. But years passed with little evidence that the government was taking note of which health providers were being naughty or nice.

That started to change in 2007, when DHHS zeroed in on Seattle-based Providence Health & Services, which was accused of misplacing or losing backup tapes, laptop computers and optical disks containing data on around 386,000 patients. In July 2008, DHHS and Providence announced a deal in which Providence agreed to pay $100,000 in penalties for violating HIPAA compliance rules. It also agreed to implement a corrective action plan to ensure that electronic patient information is secured against theft or loss. DHHS said it was the first such agreement for a "covered entity," though the agency claimed there have been more than 6,700 cases in which HIPAA violations were cited and changes to security procedures or PHI handling procedures were recommended. I don't know about you, but if I got ticketed once for every 6,700 times I got caught speeding, I'd drive a lot faster.

But that's all ancient history, and if the fine levied on Providence wasn't enough to get health care providers to sit up and pay attention (and it was), changes passed into law by Congress this year sure will. The updates are part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was signed into law in February as part of the larger American Recovery and Reinvestment Act. Though HITECH's funding of a switch to electronic medical records grabbed the headlines, the act outfitted HIPAA with some pretty sharp fangs. Among other things, HITECH:

  • Directs DHHS to conduct periodic audits and expands DHHS oversight from HIPAA "covered entities" to the much larger community of business associates -- data processors, third-party labs and other firms that contract with covered entities and handle PHI.
  • Requires HIPAA-covered entities to notify individuals of any PHI breaches, not just cases where notification is necessary to mitigate damages to the consumer. Business associates are required to notify the covered entity of breaches, as well as the individuals affected.
  • Broadens criminal enforcement of violations of HIPAA compliance rules to include business associates and gives states' attorneys general the ability to bring civil actions against violators in federal court.
  • Adds new civil penalties ranging from $100 to $50,000 per HIPAA violation, with higher penalties (up to $1.5 million) for organizations that show willful neglect of the law and are lax in addressing mistakes.

What does this mean for the health care industry and the companies that serve it? Even in the absence of penalties, HIPAA has led to wholesale changes to the way hospitals and doctors' offices run. Beefed-up network security, better access control, staff training around record handling and small tweaks to clamp down on inadvertent sources of data loss have removed much of the low-hanging fruit in the past decade. Stiffer penalties and the prospect of criminal charges and perp walks will go a long way to eliminate lax practices like those on display in Chattanooga.

But as the case against Providence Health & Services suggests, there's much more to be done to secure PHI stored on laptops, backup tapes and mobile devices, and in applications accessed over the Internet. In the short term, there will be increased investment in data encryption technology by health care organizations and their many suppliers. Within the last month, the secretary of DHHS has released guidance (based on National Institute of Standards and Technology guidelines) on acceptable methods for the destruction and encryption of data under HIPAA.

In the long term, the health care sector -- like other verticals -- will need to get much smarter about how it manages and uses PHI. Some forward-looking hospitals are already using frameworks like application virtualization, Software as a Service and so-called private cloud computing deployments to centralize and manage access to sensitive patient data through hosted applications. Tackling the problem of data security -- rather than just network security -- will be especially important as Uncle Sam steps up with tens of billions of dollars in subsidies for health care organizations to move to electronic medical records, thereby increasing the amount of PHI floating around in digital format rather than in harder-to-disseminate hard copies.

Paul F. Roberts is a senior analyst at The 451 Group. Let us know what you think about the story; email editor@searchcompliance.com
