Think Tank: Grand theft data

Have HIPAA and HITECH lived up to their billing? By Rick Dana Barlow


The headlines blaring data breaches are staggering – not only in their frequency but in the fact that they’re making noise and not resigning people to lower their privacy and security expectations in an increasingly electronic world presumably accessible by anyone. Back in December, a data breach at one healthcare system affected 49,000 patients; another impacted more than 32,000 patients. In fact, last year alone (2013), there were more than 50 media reports of data breaches at healthcare facilities around the nation that apparently compromised the information of more than 75,000 patients – not counting the 90,000 patients of a Washington state incident, or the class-action lawsuit against a Florida health system for not preventing the theft and sale of personal and health information of 763,000 patients, or a New Jersey payer’s admission that unencrypted laptops were stolen that held information on nearly 840,000 patients.

Here we are, barely 25 years into the general public’s Internet Age (if you count the debut of the accessible World Wide Web as a strategic starting point) and we’re finding that keeping the growing amount of information private and secure online seems to be outpaced by voluntary and involuntary access to that information. Whether it involves information gleaned from onsite or off-site hacking, employee mistakes or inappropriate viewing or missing or stolen computers, a patient’s personal and health information seems more at risk than if it were kept in paper folders in office filing cabinets.

Congress passed and President Bill Clinton signed into law the Health Insurance Portability and Accountability Act (HIPAA) in August 1996 in part to facilitate electronic healthcare transactions for efficiency and effectiveness, including securing the privacy of health data. Back then, electronic data interchange was new, inspiring hope and wonder about a reformed healthcare system.

Fast forward to today with the debut of a new healthcare reform initiative, preceded by the Health Information Technology for Economic and Clinical Health (HITECH) Act in February 2009 to promote the adoption and meaningful use of health information technology while addressing privacy and security issues stemming from electronic transmission of health data via HIPAA. Despite these developments, the idea of EDI and electronic storage since has inspired fear and loathing about a reformed healthcare system at the mercy of malicious ne’er-do-wells and nincompoops. Looking back at HIPAA’s initial passage, and anticipating the ensuing explosive development of information technology capabilities and horsepower, has the legislation’s existence really made a difference? Has it kept pace with the abundance of data? Or has it opened doors to motivate privacy and security challengers? Health Management Technology tapped a group of security-minded information technology executives for their impressions. Here’s what they shared.

HMT: Has HIPAA lived up to its premise and promise, or is it still too soon to tell? Why?

8 February 2014

Mac McMillan, CEO, CynergisTek, and Chair, HIMSS Privacy & Security Policy Task Force

I believe in many ways HIPAA and its complementary legislation the HITECH Act have made strides toward their initial intent and promise. I was new to healthcare in 2000, but it did not take long to realize the industry was way behind other industry sectors in its ability to exchange information, and that systems allowed parts and pieces of my medical record to exist in multiple locations – but not as a whole picture of me – and that was less than optimal for my health or the healthcare professionals who served me. Even within health systems, the over-reliance on paper records hampered efficiency, capability, collaboration, etc. Today, as a result of HIPAA and HITECH, and certainly other developments, we have a much more robust healthcare system that is capable of doing things that weren’t possible before. Have we achieved everything in terms of goals yet? No, but huge improvements have occurred in the last decade, and HIPAA can take part of the credit for that.

Barry Chaiken, M.D., Chief Medical Information Officer, Infor

I am not a HIPAA expert, but are you referring to health insurance portability or protection [of protected health information]? I am thinking the latter, as it makes the most sense but am not sure HIPAA was truly focused on privacy, and it surely could not have anticipated the rise in healthcare information technology. HIPAA surely needs to be rethought by experts to determine the correct level of safeguards to privacy while allowing for the effective transfer of PHI among caregivers to deliver high-quality, efficient care.

Rich Temple, National Practice Director, Beacon Partners

In part, I would say. The HIPAA legislation has raised general awareness about the importance of securing protected health information; however, as evidenced by the almost continuous drip of breach events, it has been less successful in actually ensuring that PHI is properly secured. For many years, HIPAA enforcement was extremely lax, but with the advent of the HITECH Act and the requirements for security and risk assessments as required core items for meaningful use, enforcement is starting to get a lot more rigorous, and provider organizations are taking notice. With the Office of Civil Rights taking a lead role in HIPAA auditing, and the ability of district attorneys to order security audits at a local level, there is a much greater risk for providers of being found in non-compliance with HIPAA. This non-compliance now carries much bigger financial sanctions than it used to. So, we as an industry are not there yet, as far as HIPAA, but we are gaining momentum.

