Compounding this issue is the fact that the stimulus act set aside $23 billion for health IT with much of it earmarked for incentives to increase the adoption of electronic health records and connectivity through state HIEs.
Unfortunately, these exchanges present new issues and risks in the form of data protection and trust between organizations, consumers and government agencies. With the interconnectivity of the HIEs, the ability to trust the security mechanisms of an organization becomes even more vital. While there are national initiatives under way to ensure the interoperability of the exchanges, little has been accomplished nationally to ensure the HIEs and the organizations connecting to them are appropriately protecting sensitive health information.
Adding to the problem, the ambiguity of HIPAA has been a major driver of the increase in state regulations and requirements for healthcare organizations. For instance, Massachusetts already has defined an organization's responsibilities for protecting the personal health information of its residents, and California is moving to establish security requirements for any organization connecting to an HIE in the state. These are only two examples of what will soon be many, as the State Health Information Exchange Cooperative Agreement Program, which establishes the guidelines for HIE incentives, requires the adoption of information security requirements by every state.
Our concern, supported by 45 states adopting their own breach notification requirements, is that healthcare organizations will be subject to myriad disparate, unclear data protection requirements and enforcement actions. While the complexity and inefficiencies are an issue, we understand the states' motivations and intentions for establishing these requirements.
As it stands, HHS' civil rights office has publicly stated its intention to take a proactive approach to HIPAA privacy and security enforcement. The states have also communicated that organizations should expect audits against state-specific information privacy and security requirements. State attorneys general have also been given the power to impose penalties in addition to those of the civil rights office.
Healthcare organizations are left without clear, consistent guidance on information protection and without a cost-effective approach to managing and reporting compliance. Managing the multitude of compliance requirements has always been a challenge, and the current path we are on will assuredly demand more time, money and manpower.
The good news is that much of the industry understands its responsibility and wants to increase efficiency and keep health information private and secure. It is our strong belief that the best method to secure health information is to give organizations the opportunity to proactively verify their compliance with federal and state privacy and security regulations.
Specifically, we believe organizations should have a vehicle through which to assess their level of information protection with a consistent approach to determine their compliance with various state and federal regulations. In turn, each organization can then report to a multitude of third parties, including the government, without the cost of multiple overlapping audits and reviews. Government agencies should identify an acceptable means to oversee and accept these certifications or attestations as sufficient evidence that an organization is in compliance.
As a first step, we recommend the industry adopt a common security framework, or frameworks, for compliance that encompasses the various federal and state regulations. This proactive approach will allow organizations to focus on the building blocks of security to achieve a state of compliance. One such option is the Health Information Trust Alliance Common Security Framework, developed in collaboration with healthcare, business, technology and information security leaders and already widely adopted by healthcare organizations.
In addition, the framework, publicly available at no charge, has been selected or considered for adoption by a number of states to support their HIE information protection requirements. Regardless of which vehicle is adopted, much work is needed to ensure a consistent approach nationally.
It is also our belief that government agencies should take into consideration these proactive security efforts and focus their compliance actions—and attention—on organizations not demonstrating a commitment to improved security and privacy and those continuing to view information protection as a low priority.
As the broader healthcare reform debate looks at how to lower costs and create greater efficiencies, the industry needs to cooperate with the states to ensure information protection doesn't lead to unnecessary costs and increasing complexities. Moreover, as the public's trust in the protection of their health information decreases with the continued notification of security breaches, it is not evident that an increase in regulations and related audits equals greater information protection.
Daniel Nutkis is the CEO of the Health Information Trust Alliance.