Healthcare leaders should foster a culture of privacy and security protection within their organizations or risk facing adverse consequences, according to Joy Pritts, a lawyer and the chief privacy officer at the Office of the National Coordinator for Health Information Technology at HHS.
Pritts' message, delivered to attendees of a sunrise session on the closing day of the College of Healthcare Information Management Executives' 2012 Fall CIO Forum, was more good cop than bad cop.
Health IT vendors have a responsibility to create “easy to use” privacy and security technology in their systems, Pritts said. “The more that it is baked into products, the better it will be for everybody.”
But, ultimately, most of the burden—and legal liability—for privacy and security protection will fall on healthcare providers who create, hold and use most of the medical records that require protection under federal and state privacy laws.
“We cannot sit or watch the halls in an organization and monitor what people are doing on a daily basis and we cannot do this alone,” Pritts said. “We really do believe it is important for us to create this culture where privacy and security are valued. Creating that culture is a very important piece here between the provider and their staff. Leadership is important in doing this.”
The consequences of ignoring the law can be severe. The penalties for privacy and security violations were increased substantially by the American Recovery and Reinvestment Act of 2009, Pritts said, graphically making her case with a slide, projected on giant screens beside her, that listed four different violations for which penalties to the perpetrators could soar to $1.5 million a year.
Pritts brought the point home with another slide pointing out that the Office for Civil Rights at HHS, the federal agency charged with HIPAA privacy- and security-rule enforcement, recently reached a $1.5 million settlement agreement with the Boston-based Massachusetts Eye and Ear Infirmary for security-rule violations of the Health Insurance Portability and Accountability Act.
Pritts highlighted several projects the ONC is working on in the privacy and security area, including a pilot project in western New York to use tablet computers as educational tools to inform patients about their privacy rights and to obtain their consent for the exchange of their medical information.
Another is a pilot with technical assistance by the Veterans Affairs Department and the Substance Abuse and Mental Health Services Administration. It demonstrated the use of metadata to persistently tag mental health records to help providers comply with stringent state and federal privacy laws limiting the sharing of those records without patient consent.