The American Healthcare system is getting a complete facelift thanks to incentives to adopt Health Information Technology introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HITECH Act contains tools for the enforcement of HIPAA regulations, as well as incentives to accelerate the adoption of information systems that reduce costs, gain efficiencies, and ultimately improve patient care while keeping patient health information secure. This paper examines the HITECH Act, the enforcement mechanisms the HITECH Act provides for HIPAA, and the key security challenges healthcare services face in order to protect patient health information as part of becoming HIPAA compliant.
The American Healthcare system is getting a complete facelift thanks to incentives to adopt Health Information Technology introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Signed into law by President Barack Obama in February 2009, the HITECH Act is part of the American Recovery and Reinvestment Act. It is also part of the broader healthcare reform initiative championed by President Obama. That agenda includes a push for the adoption of interoperable data capture, storage and transmission protocols in healthcare systems.
New health information technology is considered to be a vital step in the drive to reduce costs, gain efficiencies, and ultimately to improve patient care. This perspective is also held by the Healthcare Information Management Systems Society (HIMSS). HIMSS believes that “lives can be saved, outcomes of care improved, and costs reduced by transforming the healthcare system through the appropriate use of IT and management systems.”
However, reports of healthcare data breaches have historically undermined trust in electronic healthcare systems. For this reason, the HITECH Act was designed both to enforce HIPAA regulations and to provide tools that accelerate the adoption of information systems that keep patient health information secure. This paper examines the HITECH Act, describes how the HITECH Act provides enforcement for HIPAA, and outlines the key challenges faced by the healthcare service industry today in protecting patient information in a fashion that meets HIPAA regulatory requirements.
The HITECH Act has come at a time when healthcare data breaches are on the rise. According to the 2009 ITRC Breach Stats Report, healthcare breaches account for over 66% of all records breached in 2009, which is a 20% increase from 2008. Among the high profile data breaches in 2009 were those at Blue Cross Blue Shield and AIG – Medical Excess LLC. Data breaches from such high profile health service providers, in addition to the overall magnitude of the problem, continue to sound alarm bells at all levels. The Federal Government reacted by proposing mechanisms that would give the security standards in the existing Health Insurance Portability and Accountability Act (HIPAA) more “teeth”. The Verizon Business 2009 Data Breach Investigations Report warned that organizations storing large quantities of data valued by the criminal community should be prepared to detect and defend against very determined, well-funded, skilled, targeted and sophisticated attacks.
The American Recovery and Reinvestment Act (ARRA), also known as the Economic Stimulus Package, provided more than $20 billion to aid in the development of a robust and comprehensive Health Information Technology (HIT) infrastructure, and to assist providers and other entities in the adoption and daily utilization of healthcare IT, particularly regarding the adoption and “meaningful use” of “certified” Electronic Health Records (EHRs) in conjunction with a secure nationwide electronic Health Information Exchange (HIE) network. Approximately $2 billion was specifically earmarked to jump start both the development of data standards and HIE support, as well as to initiate grants, loans and demonstration programs. The overall goal of the HIT and HIE provisions in the Act is to update and ensure the security and protection of patients’ Electronic Private Health Information (ePHI), while improving the quality of care and reducing healthcare costs through efficiencies gained by increased data exchange and information system interoperability. This requires covered entities not only to update existing HIT contracts so that vendors must earn any EHR certification that may be required, but also to update existing HIPAA privacy and security policies and procedures.
Patient information collected and stored in hospitals and other healthcare facilities is a prime target for criminals, because these records contain valuable data such as names, mailing addresses, Social Security Numbers, insurance policy information, medical history, dates of birth, and sometimes, credit card or other financial information.
According to one report, “there is more data in one (patient) record than in those of any other source such as banks, schools, or HR departments.” The rise of breaches in hospitals, despite more stringent privacy regulations, is due to more hospitals integrating their electronic records. Pam Dixon, the Executive Director of the World Privacy Forum, states: “until recently, we were in an era of privacy through obscurity,” meaning that it was possible to get information on a patient from paper records, but that it was not easy to share that information. Now that medical information is often shared electronically, there is a far greater need for increased data control.
The ARRA designated $20.2 billion in funding earmarked for healthcare IT through the HITECH Act for facilities that adopt “meaningful use” of “certified” electronic medical records. In the words of Robinsue Frohboese, Acting Director and Principal Deputy Director of Office of Civil Rights at the HHS, “these protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is enforced by the Department of Health and Human Services (HHS). HIPAA began as a “portability act” to help individuals keep their health insurance coverage as they moved from one job to another, but it has evolved to include much more.
Title I deals with HIPAA’s original intent in that it protects health insurance coverage for workers and their families when they change or lose their jobs.
Title II extends that original intent by protecting the privacy, confidentiality, integrity, and availability of an individual’s personal healthcare information. Its Administrative Simplification (AS) provisions, the most significant part of Title II, address the security and privacy of healthcare data.
These rules apply to “covered entities,” as defined by HIPAA and HHS, including all healthcare organizations that create, receive, maintain, or transmit patient healthcare information. These include:
Security provisions for HIPAA compliance are designed to help healthcare service providers and their business associates mitigate the risk of becoming a victim of data loss. Theft of valuable patient information leads to the loss of trust in the electronic health records (EHRs) that healthcare providers use to share information. This loss of trust reduces the adoption of EHRs, which erodes patient care. To protect patient information, the HITECH Act has tied the utilization of EHRs back to adoption of the HIPAA Security Rule. The Security Rule is addressed in Title II of HIPAA as part of the Administrative Simplification (AS) provisions, which address both the security and privacy of electronic health data through three rules: the Electronic Data Interchange Rule, the Privacy Rule, and the Security Rule.
To achieve HIPAA compliance, covered entities must demonstrate adherence to the Security Rule. The Security Rule mandates protection of all electronic Personal Health Information (ePHI) created, received, maintained, or transmitted by any covered entity. This is primarily achieved through the application of requirements in three main categories of safeguards: Administrative, Physical, and Technical.
The most relevant Administrative Safeguards are:
A contingency plan should be in place for responding to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedures in place. The plan should document data priority and failure analysis, testing activities, and change control procedures.
Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits. Audits should be both routine and event-based.
The category of Technical Safeguards is also important. The most relevant of those are:
In addition to policies, procedures and access logs, IT documentation should also include a written record of all configuration settings on the components of the network, because these components are complex, configurable, and always changing.
Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act.
All of these HIPAA regulations designed to protect the privacy of patient information have meant that many healthcare organizations routinely conduct internal audits of their IT environment and produce reports that demonstrate their HIPAA compliance. HIPAA auditors perform HIPAA Risk Assessment Audits using a comprehensive checklist based on Health and Human Services (HHS) regulations and guidance in NIST Special Publication (SP) 800-66. This audit checklist is used to gather evidence that specific administrative, physical, and technical safeguards are in place, and available for inspection by the HHS Office of Civil Rights (OCR).
In terms of security, the audit must provide evidence that the organization meets the electronic Personal Health Information (ePHI) protection regulations required to achieve HIPAA compliance in accordance with the relevant sections, §164.308 to §164.316, of the HIPAA Security Rule. HIPAA does not restrict the risk assessment to a single methodology. Instead, HIPAA requires covered entities to periodically review and update their security measures and documentation in response to environmental and operational changes that affect the security of their ePHI, and to refer to the comprehensive risk assessment program described in NIST SP 800-30.
Despite HIPAA’s extensive and detailed sets of rules and regulations, healthcare organizations tended to ignore HIPAA provisions because the regulation had not been rigidly enforced. That has all begun to change, thanks to the passage of the HITECH Act as part of the ARRA. The $20B in ARRA funding earmarked for healthcare IT provides the means to begin serious audit enforcement measures in support of HIPAA.