Tougher state privacy and security laws are only part of the challenge provider organizations and other medical information handlers could face in the future, according to the authors of a white paper on privacy and security, Stemming the Rising Tide of Health Privacy Breaches, from Booz Allen Hamilton.
New, stiffer federal privacy and security penalties—with the civil penalty cap raised from $25,000 to $1.5 million—were added to federal law in February with passage of the American Recovery and Reinvestment Act of 2009, also known as the stimulus law, which modified the key federal privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996.
The stimulus law also empowered state attorneys general to enforce HIPAA privacy and security provisions.
In subsequent rulemaking, however, HHS' interpretation of the federal breach-notification provisions of the stimulus law inflamed patient privacy groups. They charge that the HHS breach-notification rule, released in August and effective Sept. 23, relaxed the patient protections written into the stimulus law.
Meanwhile, six congressmen, led by Energy and Commerce Committee Chairman Henry Waxman (D-Calif.) and the committee's ranking member, Joe Barton (R-Texas), wrote HHS Secretary Kathleen Sebelius an Oct. 1 letter that largely agreed with the privacy groups, added that her agency's rulemaking was “not consistent with congressional intent” and urged revision or repeal of the offending provision.
The threat of heightened enforcement comes at a time when the healthcare industry is not even fully up to speed with current privacy and security laws, rules, technologies and methods, according to industry experts.
In addition to a recently released survey of IT professionals by the Ponemon Institute and the white paper from Booz Allen Hamilton, both of which contained ample evidence of breaches and less-than-robust security practices, a survey of 196 healthcare information technology and security professionals released last week by the Healthcare Information and Management Systems Society found similar problems.
Only two-thirds (67%) of respondent organizations in the HIMSS survey reported using encryption for data in transmission, and less than half reported using it to secure data at rest. Firewalls and audit logs are “widely used,” according to a HIMSS statement summarizing the survey results, but only one in four respondents said their organizations used some sort of electronic analysis of data from audit, application and server logs. The HIMSS survey was sponsored by Symantec Corp., a data security firm.
In their white paper, co-authors Kenneth Kizer and Glen Day wrote that part of the problem with the privacy and security rules promulgated under HIPAA is that the rules themselves run counter to a key tenet of healthcare culture, the rugged individualism of the treating physician, “glorified in television shows such as ‘ER’ and ‘House’ and movies like ‘Patch Adams.’”
“Indeed, such sentiments underlie the professional autonomy valued so highly by physicians and contribute to the reluctance of many clinicians to embrace evidence-based practice guidelines and other standardized approaches to providing care,” they wrote.
“These cultural underpinnings of healthcare confound the implementation of HIPAA and other information security provisions that sometimes create impediments to what is perceived to be the more important job of ministering to the ill and infirm,” they wrote. “Therefore, it should not be surprising that many practitioners do not enthusiastically embrace the HIPAA rules and their processes, even when they fully agree with their intent.”
Finally, Kizer and Day wrote, the complexity of healthcare has created two separate professional “realms”—administrative and clinical—with information security being viewed by many clinicians as an administrative function “instead of a core clinical responsibility.” Until that attitude changes, “it will be difficult to get clinicians to take ownership of the matter.”
Kizer and Day advise, however, that change is possible, even though healthcare operations are peopled with “many independent and often competing participants who are intelligent and have different needs and desires. Control of such systems is distributed among the participants: no one entity is in charge.”
Some gifted salesmanship is also required, they wrote.
“To get broad buy-in, the new requirements must be packaged in a way that is clear to everyone how they align with the organization's culture and values,” they wrote.
You do that, according to Kizer and Day, by creating an awareness that change is necessary—that the legal and reputational stakes have been raised by the new privacy, security and disclosure provisions of the stimulus law—and by appealing to the culture and guiding principles.
They acknowledged that in some organizations, however, “the culture may need to become better aligned with policies and required procedures.”
Day said in an interview that in the past, healthcare leaders rationally could have taken a wait-and-see approach and not jumped to remediate privacy and security problems.
“It was believed that there was no true enforcement, and based on the diminished threat, they really never took it seriously,” Day said. In fact, providers “were hearing directly from HHS that they were not going to take a pro-active stance on this, they were going to try to mitigate the complaints.”
Today, however, with the stimulus law revisions and increased interest by the states, the tools of enforcement and the potential consequences for covered entities have become much greater, he said, with a big wild card being the future role of state attorneys general in enforcing the federal privacy and security law.
Unlike HHS bureaucrats, state attorneys general stand for election and, often, re-election, and want to build a public record.
“They're not going to let these things go by easily,” Day said. “It would be seen as in the public interest if you were tough on these hospitals when it came to enforcement.”
Kizer said there is an appropriate role for penalties as a compliance mechanism, “but I think you need some inducements, and balanced more in favor of inducements than penalties.” HHS would do well to come up with some form of reward system for participants that protect privacy, he said.
“Penalties don't achieve the sustainable change you want to occur,” he said.