Reprint from: Home Care Automation Report    (www.homecaretechreport.com)
Issue date: 2010-02-08    Article category: 3

Industry Survey Reveals Healthcare Provider Awareness of and Readiness for HITECH Enhancement of HIPAA Regs


On February 17, 2009, President Obama signed the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of his overall economic stimulus plan. HITECH's primary function is to encourage movement to electronic patient records. Such a law became necessary after the Health Insurance Portability and Accountability Act of 1996 (HIPAA) devolved into mere privacy and security requirements, leading most healthcare providers to ignore its own language encouraging electronic patient records.

However, HITECH does include strict data protection regulations of its own, which healthcare providers will ignore at their own peril. In addition, the Federal Trade Commission recently ruled that its "FTC Identity Theft Red Flags Rule," which will be enforced beginning June 1, 2010, will cover healthcare providers, though the AMA is actively fighting for physician exclusion.

HITECH requires healthcare entities to operate under greater transparency. It expands privacy to include anti-snooping, prevention of medical identity theft, accounting of disclosures and patients' rights to know who has externally accessed their medical information. Also required is breach notification to the media, the affected patients and the government.

To help understand the environment into which HITECH has been inserted, FairWarning®, a provider of privacy surveillance systems for Electronic Health Records, commissioned New London Consulting to develop a survey of healthcare providers. The survey was designed to elicit answers regarding healthcare professionals’ opinions and insights on new healthcare privacy regulations such as HITECH, privacy security and auditing, information technology risk management, and compliance requirements.

New London Consulting and FairWarning® developed a series of 26 questions that sought to reveal the following:

  • Healthcare organizations’ awareness and understanding of new privacy laws and concerns surrounding willful neglect and breach notification.
  • Perceived impact of ARRA HITECH accounting of disclosure requirements.
  • Healthcare organizations’ adoption rate of automated systems and processes that will meet compliance requirements.
  • Perceptions surrounding government enforcement of the new laws and likelihood of an audit.
  • Deployment and effective use of privacy and auditing tools for compliance.

Highlighted Survey Findings
Focusing primarily on hospitals, the survey found that most providers are familiar with HITECH and the Red Flag rules. Specifically, that they:

  • provide a more stringent definition of a privacy breach and mandate specific actions that must be taken in an effort to protect patient privacy.
  • define a privacy breach as the “unauthorized access, use or disclosure of protected health information which compromises the security or privacy of such information.”
  • stipulate specific fines, penalties and notification requirements when a breach occurs.

Now that the law clearly defines a breach, the survey indicated that healthcare organizations are very concerned that they must notify and disclose breaches or, should they choose not to disclose, be prepared to defend their decision to the government.

When asked questions specific to ARRA HITECH, respondents were most concerned about breach notification to the media, patient and the government. Survey respondents’ top three concerns surrounding non-compliance were:

  1. reputational impact of a failed audit or major privacy breach,
  2. financial penalties for non-compliance and
  3. media exposure.

Under HITECH, patients have a right to request an accounting of who has externally accessed their Electronic Health Record (EHR). In effect this means that when a healthcare entity shares patient data with any person or entity outside the organization for any purpose, including treatment, payment or sharing of clinical data, the patient has a right to request from the healthcare entity an accounting of who this data has been shared with.

Healthcare organizations using an EHR are required to account for any external access or inappropriate access to the record and disclose this information to the patient upon request. When asked about specific accounting of disclosure requirements set forth in HITECH, the vast majority, 92.1 percent of survey respondents, stated their organization is aware of the requirements.

One HITECH report we studied this week included space for reader comments. We found the following anonymous comment to be important enough to quote. It reminded us of the plethora of stories about what happens when celebrities are hospitalized. In almost every case, their private records are bombarded with unauthorized access attempts, 95% of which are internally sourced.

"Just because your patient information is encrypted does not protect you from the main threat, which is unauthorized access to patient information by employees. There have been many more cases of employee theft of patient information than from hackers. If you do not have a system to monitor who is accessing what and notifying you of unauthorized access, sooner or later you will have a problem. The only true solution to this is to monitor clinical systems and report suspicious behavior inside your network."

Overall, respondents feel that their organization is appropriately budgeting for compliance activities and beginning to put policies in place. Although these organizations are working toward compliance, nearly one-third state that they will not meet compliance deadlines. The survey also reveals that there is a need for market education regarding the need to implement automated systems that will monitor, audit, detect and report patient record access to meet HITECH accounting of disclosure requirements.
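As an added illustration (not code from the article, the survey or FairWarning), the following Python script shows the two record-access controls discussed above over a constructed EHR access log: producing the accounting of external disclosures a patient may request, and flagging internal accesses by staff with no documented care relationship to the patient (the insider snooping case the quoted comment describes). The log format, field names and care-team roster are assumptions made for this example.

```python
"""Added example: minimal EHR access-log review for HITECH-style
accounting of disclosures and internal-snooping detection.
Log format, field names and care-team roster are constructed here."""
import csv
from io import StringIO

# Constructed sample access log. 'org' is 'internal' for staff or
# 'external:<party>' when the record left the organization.
SAMPLE_LOG = """\
time,user,org,patient,purpose
2010-02-01T08:00,nurse_a,internal,P100,treatment
2010-02-01T08:05,billing_x,external:ClearingHouseCo,P100,payment
2010-02-01T09:10,clerk_b,internal,P100,none
2010-02-01T10:00,dr_c,internal,P200,treatment
2010-02-01T11:30,registry_y,external:StateRegistry,P200,public_health
"""

# Constructed care-team roster: internal users assigned to each patient.
CARE_TEAM = {"P100": {"nurse_a"}, "P200": {"dr_c"}}


def parse_log(text):
    """Parse the CSV access log into a list of event dicts."""
    return list(csv.DictReader(StringIO(text)))


def accounting_of_disclosures(events, patient):
    """Every release of one patient's record to an outside party:
    the list the patient may request under HITECH."""
    return [(e["time"], e["org"].split(":", 1)[1], e["purpose"])
            for e in events
            if e["patient"] == patient and e["org"].startswith("external:")]


def flag_snooping(events, care_team):
    """Internal accesses by users not on the patient's care team;
    these are the events a privacy-monitoring system should alert on."""
    return [(e["time"], e["user"], e["patient"])
            for e in events
            if e["org"] == "internal"
            and e["user"] not in care_team.get(e["patient"], set())]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("Disclosures for P100:", accounting_of_disclosures(ev, "P100"))
    print("Possible snooping:", flag_snooping(ev, CARE_TEAM))
```

In a real deployment the care-team roster would come from scheduling or admission data, and accesses flagged here would be reviewed rather than treated as proven misuse.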

The survey identified seven cornerstone technologies which complement processes and other automated systems designed to meet compliance requirements. These technologies include:

  • User privacy monitoring in EHRs
  • Accounting of disclosure log aggregation
  • Data leakage prevention
  • Patient and user privacy auditing
  • Single sign-on
  • Identity management
  • Infrastructure log management

The survey revealed that the healthcare industry is mobilizing efforts to implement and integrate these technologies. However, very few organizations have implemented all of them; these leading organizations account for 7 percent of survey respondents. The most commonly deployed technologies are, in order: patient and user privacy auditing, identity management and single sign-on. The top three technologies that organizations are planning to deploy are: accounting of disclosure log aggregation, data leakage prevention, and infrastructure log management. More than 4 out of 5 organizations plan to include these technologies in their privacy and security plans.

Although these organizations are moving toward deploying these critical technologies, responses indicate there is a continued need for market education regarding what these organizations must demonstrate to meet compliance regulations. Nearly half of the respondents believe their organization is in full compliance with state and federal privacy laws and is audit ready; however, many of them have yet to deploy the technologies that will meet accounting of disclosure requirements, audit for patient privacy and monitor for privacy breaches.

The survey suggests that the healthcare industry is just beginning to believe that government enforcement of privacy laws is a state and federal priority. Although the industry is not yet fully convinced that there will be increased audit activity, a majority of respondents stated that they were either concerned or very concerned about being audited for privacy compliance. Slightly more than half of respondents believe enforcement of privacy laws is a government priority; however only one-third of respondents believe that compared to 12 months ago, they stand a greater chance of a state or federal privacy audit.

Responses also indicate healthcare organizations do not know or possibly do not understand what the government will be looking for in an audit scenario. Of the organizations that believe they are in full compliance with the laws, just 51 percent of respondents agree or strongly agree that the government will not find any material shortcomings.

Compliance requires organizations to demonstrate effective use of solutions, and those technologies should permeate all business units, correspond with business processes and integrate with the business functions of the organization. The survey revealed that healthcare organizations are beginning this process. Just 7 percent of respondents have demonstrated that they have both processes and automated systems in place which incorporate the cornerstone technologies designed to eliminate security and privacy vulnerabilities.

Nearly 60 percent of organizations are concerned about the technology challenge of monitoring dozens of healthcare applications. The survey also revealed that many of these organizations plan to leverage key privacy and auditing technologies but have yet to set a deployment date.

Portions of the above report are quoted from the survey's executive summary. The complete report is available for PDF download at http://www.fairwarningaudit.com/press.asp.

© 2009 Rowan Consulting Associates, Inc.