Compliance and Security of PHI Build a Trustworthy Framework in Healthcare
Some say there’s nothing like a little controversy to spark interest in your organization. Others say there’s no such thing as bad publicity. Call me old fashioned, but I contend, in healthcare, being featured on the Office for Civil Rights’ Wall of Shame or plastered on a news headline about a breach of personal health information (PHI) bad publicity, bad business and bad medicine.
As health information exchanges, mobile health, patient portals, new medical devices and telehealth proliferate, the opportunity for PHI to go astray during electronic transactions is escalating exponentially. In fact, according to the latest annual Redspin Breach Report, the number of HIPAA data breaches has jumped 138 percent since 2012 — and there’s no end in sight. Every day in the news headlines some health system, a laboratory, insurance company – even a county government – is lambasted, if not penalized, for disclosing PHI inappropriately, eroding public trust in sharing data.
To date, nearly 39 million people have had their PHI compromised in HIPAA privacy or security breaches involving 500 people or more, according to data from the Department of Health and Human Services (HHS). The threat landscape is shifting rapidly. Recognizing that nations beyond our borders sometimes lob threats, John Halamka, MD, CIO of Beth Israel Deaconess Medical Center in Boston, vividly describes today’s situation as a “cybersecurity cold war.” With “healthcare institutions threatened by cyberterrorists,” he cautions: “It’s time to rethink security in a substantive way.”
Concerned and on the alert, the OCR, the HHS division in charge of investigating HIPAA violations, is cracking down on violations of the HIPAA Omnibus Rule. Starting this fall, OCR will conduct 200 desk audits – fewer than they originally planned — but more comprehensive in nature. OCR will cast its net across a wider spectrum of stakeholders – investigating covered entities and business associates with whom they share their patients’ PHI. If continues to stiffen fines up into the millions of dollars for infractions.
Compliance is not Sufficient
It’s important to note that a breach is not essential to prompt an investigation. Non-compliance alone can trigger a violation. And as Mac McMillian, chair of the HIMSS Privacy & Security Policy Task Force, points out, it is vital not to confuse compliance and security. I agree with him that they are “two different animals” with many organizations placing emphasis on compliance and not enough on security.
The distinction between compliance and security is critical. Compliance means meeting the letter of the law, conducting an annual risk assessment and complying with government regulations. Full security involves having such tactical and physical identity and access management measures in place like appropriate password controls every 90 days, role-based access to data so only those with a need to know can view information and ensuring data being shared between entities is authenticated and encrypted.
In addition to the federal government, some state governments, like in Florida and California, are passing laws that are even more stringent than OCR’s, with state attorneys general assuming oversight and enforcement of these laws. The state of Texas is a true innovator in protecting the privacy and security of patient data through both public and private HIEs. The Texas Health Services Authority (THSA) is driving a very successful state-mandated program to ensure all public HIEs operating in the state are accredited by a third party entity to ensure the safety and security of protected health information. According to Tony Gilman, chief executive officer, THSA, “Increasing market confidence in organizations involved in exchanging and maintaining electronic health information through regular assessments is one way to support greater participation and ultimately the sustainability of HIE efforts in Texas and across the US.”
Value of Independent Oversight
All healthcare stakeholders – from providers to payers to vendors – share responsibility for the credibility and integrity of data exchange. Healthcare IT vendors are in a unique position to take the lead in demonstrating adherence to a higher standard of quality, privacy and security – creating a trustworthy framework between themselves and the providers they serve. Providers and others, however, need to be proactive as they review and select vendors to support their requirements. Similarly, payers need to add language in their contracts that their systems have been vetted and accredited by an independent third party so users do not assume more risk than necessary. A third-party overview and accreditation ensures not only compliance with national and state regulations, it also provides a “Good Housekeeping” type seal of approval that appropriate security controls are in place.
Independent oversight and accreditation strengthens and protects businesses while delivering important benefits. It demonstrates leadership in adhering to a higher standard of quality, privacy, security and confidentiality as well as data management. It provides a competitive edge over others in the field. Plus the regular evaluation and risk assessment built into the rigorous accreditation process identifies gaps in security and compliance, and shores up efficiencies. That positions organizations for even greater success.
Impending OCR audits will focus on a variety of issues, including compliance with HIPAA breach notification rules; documentation of policies, practices and procedures; and computing device and storage media security controls. The feds will review staff training for compliance and security; and transmission security. OCR also will examine vulnerabilities that can change annually, like intrusion detection reporting and automated tools to detect unauthorized hacking and to isolate new viruses introduced. Independent third party review and accreditation covers all these aspects and more in ensuring full compliance and security.
More than Technology
In addition, an independent review reinforces that compliance and security are not only IT problems. They are enterprise-wide issues that must be endorsed and funded by the C-suite and incorporated systemically in an organization. It is not sufficient for organizations to employ automated auditing tools. Someone must be tasked to monitor the automation and responsible for taking certain actions, if and when necessary. For example, if threat or intrusion detection software flags that your organization is under siege, who is responsible for detecting those alerts and implementing other foxfire walls and controls that further reduce the opportunity for others to hack into your network?
Readiness is Essential
Organizations thinking of waiting until they receive notification of an upcoming audit to fly into action, must ask themselves “are you feeling lucky?” because you’ll only have a couple of weeks advance notice –- not nearly long enough to implement comprehensive compliance and security plans. The time to act is now.
As breaches continue to make news headlines, patients are starting to get the word and fret about the security and privacy of their personal health information. If patients are not absolutely confident of the privacy and security of their PHI, given the opportunity, they will not opt in to have their information shared. They will instead opt out, forbidding their health data to be shared on a network, rather than risk having their PHI compromised. If that happens, we all lose.
Patients, the hub of healthcare and the generators of data, need to have peace of mind that their personal health information is private, secure and confidential to ensure good business and good medicine.
About the Author: Lee Barrett is the executive director for EHNAC, the Electronic Healthcare Network Accreditation Commission. Mr. Barrett has a 10-year track record of leading healthcare professional service organization, as well as 20 years of experience in senior management roles in payer organizations. He speaks nationally on a variety of healthcare industry topics and is involved in a number of industry coalitions promoting the use and implementation of health IT, including both administrative and clinical transactions. Mr. Barrett also is involved in the development and proliferation of EHR systems and meaningful use across the National Health Information Network and HIEs. He can be reached at email@example.com.