The health care industry was buzzing with the news: For the first time ever, a hospital was being audited for compliance with HIPAA security requirements. The audit of Piedmont Hospital in Atlanta by the U.S. Department of Health and Human Services' inspector general in 2007 was surprising for hospitals, health insurers and others in an industry accustomed to a lack of enforcement of federal privacy and security requirements.
A year later, HHS took another unusual step, meting out a $100,000 fine to Seattle-based Providence Health & Services for HIPAA security and privacy violations. The organization had lost backup tapes, optical disks and laptops containing unencrypted protected health information on more than 360,000 patients.
But those enforcement actions could be small potatoes compared to what's ahead. The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act signed into law last year, earmarks about $19 billion in incentives to encourage adoption of electronic health record technology but also expands on HIPAA's security and privacy requirements. In addition to instituting new breach notification rules and extending the rules to health care business associates, HITECH implements a new tiered system that increases civil monetary penalties for noncompliance and also allows state attorney generals to file civil actions for HIPAA violations.
"HITECH is perceived as the enforcement arm of HIPAA," says Barry Runyon, research vice president covering health care providers at Gartner. "The stakes are higher and more people can enforce it.
"What it's done has kind of jump started HIPAA. Health care delivery organizations' programs languished for a while," he adds. "When there's no enforcement, people tend to get complacent. HITECH is making them revisit their security plans and look at their controls -- essentially what they should have been doing."
Let's take a look at the ramifications of the HITECH Act on security and privacy in the health care industry and its impact so far.
HIPAA: UNEVEN COMPLIANCE
For years, organizations that had to comply with HIPAA were frustrated not only by the lack of enforcement but the lack of specifics in the federal law's requirements for protecting electronic personally identifiable health information. The Health Insurance Portability and Accountability Act was enacted in 1996; health care providers, health plans, clearinghouses and other covered entities were required to comply with the law's privacy rule in 2003 and the HIPAA security rule in 2005.
"HIPAA security [compliance] is all over the map. The security rule is just too open to interpretation," says Bryan Cline, director of information security at Newtown Square, Pa.-based Catholic Health East.
Some organizations do the bare minimum to comply while some take a mature, risk-based approach to information security and devote enough resources and training to have a strong program, he says.
Historically, the health care industry hasn't spent as much as other industries on security, says Khalid Kark, vice president and principal analyst at Forrester Research. "There's always this tension: Do you want to improve service and how you treat people, or would you rather spend that money on security?"
A survey of 196 health care IT and security professionals by the Chicago-based nonprofit Healthcare Information and Management Systems Society (HIMSS) released last fall showed that security accounts for three percent or less of overall IT spending in a majority of health care organizations.
Even if HIPAA wasn't ambiguous, it had "no teeth or enforcement," says David Finn, health IT officer at Symantec and former CIO at Texas Children's Hospital. "The fines weren't significant enough to raise the risk management flag for a lot of institutions." HITECH removes a lot of ambiguity with its breach notification rules and increased penalties, he says.
Under rules released last August by HHS, an organization with a breach involving unsecured protected health information (PHI) must notify the affected individuals. The notifications must be provided no later than 60 days following the discovery of a breach and must include a description of the breach and what the organization is doing to investigate it, among other details. If more than 500 individuals are affected, then the organization must notify major media outlets in affected states and HHS; HHS will list the breaches and the entities involved on its website.
"That's not something any hospital wants to do," Finn says of the media notification.
Organizations need to have a process to assess whether there's been a security breach that requires notification, says Kathryn Coburn, founder of Pacific Palisades, Calif.-based Coburn IT Law, which focuses on health care IT. The security or privacy of protected health information is deemed to be compromised only if the disclosure poses a significant risk of harm to the individual, she says.
The process requires a risk assessment that considers the amount of data lost and potential exposure of that data to determine whether notification is required, says Joseph Granneman, CTO/CSO of Rockford Health System in Rockford, Ill.
"If a folder of information is left at a restaurant and someone returns it to you, there may not be much risk for that patient information. Whether you consider this a breach or not will be based on what the information was," he says. "If it was just a listing of names without other financial/medical identification, it may not be considered a breach because there is little risk to the patient."
Notification isn't required if the PHI is unreadable or indecipherable through encryption according to National Institute of Standards and Technology (NIST) standards. Paper records must be shredded so the PHI can't be reconstructed, and electronic media purged or destroyed per NIST guidelines.
Many health care organizations are looking closely at encryption and need to assess the appropriate levels of encryption for their systems, says Beau Woods, solutions architect for SecureWorks, an Atlanta-based security-services firm. "Some of the older software doesn't allow you to encrypt to a standard that is compliant with HITECH," he notes.
|Study reveals increased attacks on health care|
SecureWorks detected doubling of attacks targeting its health care clients last year
Cyber attacks targeting health care organizations doubled in the fourth quarter of last year, according to a data compiled by Atlanta-based SecureWorks.
The company's findings were based on a 12-month study of 38 of its health care clients using the SecureWorks' Managed Intrusion Detection and Prevention service. Attempted attacks increased from an average of 6,500 per health care customer per day in the first nine months of 2009 to an average of 13,400 per client per day. In other industries, attempted attacks did not increase in the fourth quarter
From October through December 2009, SecureWorks blocked hundreds of SQL injection and Butterfly/Mariposa bot malware attacks launched at its health care clients, according to Hunter King, SecureWorks security researcher.
Criminals can use SQL injection attacks and the Butterfly/Mariposa malware, which SecureWorks says surfaced last fall, to steal sensitive data. Health care companies often store valuable data and have a large attack surface because of the nature of their business, making them targets for cybercriminals, the company says.
HITECH ups the ante on enforcement and penalties for HIPAA violations in several ways. The new law provides a tiered system of civil monetary penalties based on the level of knowledge of the non-compliant organization (from knowing to willful neglect), and corrective actions taken, says Lisa Gallagher, senior director of privacy and security at HIMSS.
For example, if a violation was due to reasonable cause and not willful neglect, the penalty is $1,000 for each violation. But if the violation was due to willful neglect and not corrected, the penalty is $50,000 per violation with a maximum fine of $1.5 million for all such violations in a calendar year. Previously, the civil penalties for HIPAA security and privacy violations set a maximum civil fine of $100 per violation and up to $25,000 for all violations of an identical requirement during a calendar year, according to Gallagher.
HIPAA also provided for criminal penalties of fines of up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intention of selling it for commercial or personal gain, or for malicious purposes. Previously, the U.S. Justice Department ruled that a covered entity could be criminally liable for HIPAA violations, not individuals, but HITECH makes it clear that individuals -- hospital employees or others -- can be held liable, Gallagher says.
"There are some real teeth in there," Symantec's Finn says.
In addition, the new law broadens the number of potential HIPAA enforcers. It allows state attorney generals to file a federal civil action on behalf of residents of their states who they believe were adversely affected by a HIPAA violation, Gallagher said. Already, one such lawsuit has been filed: In January, Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut, alleging the company violated HIPAA when it lost a portable disk drive containing health and financial information of about 446,000 enrollees last May.
"There's a bigger army coming after you now," Finn says of the new state-level authority to enforce HIPAA.
Having enforcement at the state level increases the chances that a health care organization's HIPAA compliance might be examined, which could help bolster a security department's ability to win funding, says Jeff Pentz, assistant director of information technology of the University Health Center at the University of Georgia.
"More teeth, more money," he says. "Going to your administrator with details of the HITECH Act may help to get more funds for security or at least reduce the amount that might be cut for security."
HITECH also requires the HHS secretary to provide for periodic audits to ensure covered entities and their business associates comply with HIPAA's security provisions.
|New disclosure rules|
Organizations will need to provide three-year histories of disclosures of protected health data
Among the Health Information Technology for Economic and Clinical Health (HITECH) Act's expanded privacy requirements are new rules for disclosure of protected health information (PHI).
Organizations using electronic health record (EHR) technology must be able to provide a patient with a three-year history of PHI disclosures, including disclosures previously considered exempt, such as those for treatment like lab work, and those made for payment purposes.
"That will require logging of all those disclosures and creation of a process to prepare a disclosures list," says Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS).
"The volume of audit logging that is going to is kind of mind numbing," says David Finn, health IT officer at Symantec and former CIO at Texas Children's Hospital. "No human could comb through all that, so at some point it has to be automated."
Also, if a company keeps a patient's data in electronic format, it must provide an electronic copy if the patient requests one. "You can't just print something on paper," Gallagher says.
Federal guidance on accounting of disclosures is expected June 30.
Perhaps one of the most far-ranging changes HITECH makes is in its extension of HIPAA's provisions to business associates. Effective Feb. 17, companies that provide services such as claims processing and billing and handle personal health information for health care providers are directly covered by the HIPAA security rule.
"The biggest impact the HITECH Act will have on health care companies are the requirements on third-party security," Kark says. That's a challenge, even for companies with mature security programs in other sectors, he adds.
For CIGNA, the expanded requirements for business associates cuts both ways. The health insurer is both a covered entity that works with vendors that handle protected health information and a business associate in cases where it operates as a third-party administrator for clients who fully insure their workforce.
"We are now looking at not just being a covered entity but also a business associate under those enhanced provisions," says Georgia Dodds Foley, chief compliance, ethics and privacy officer at CIGNA."We want to make sure with both of those hats that we're doing what we need to do to evaluate our current processes, programs, and documentation."
That's meant verifying all its business associates, making sure any necessary contractual amendments are made or additional oversight is added. It's also meant dealing with a lot of contract amendments from clients for whom it is a business associate, which is administratively complicated, Dodds Foley says.
Despite the complications, the entire industry is dealing with them at the same time and "there's a certain amount of collegiality and [sense of] community going through the compliance efforts," she adds.
However, Gallagher of HIMSS says many health care business associates aren't aware of their HITECH obligations. A survey by HIMSS Analytics, a HIMSS subsidiary, last fall showed that while many health providers are aware of the new requirements, few business associates are.
|HITRUST Framework aims to bridge the compliance gap|
Tool updated to reflect new HITECH requirements
Health care organizations looking for some help in meeting HIPAA and HITECH security requirements might want to check out the Health Information Trust Alliance (HITRUST) Common Security Framework.
Frisco, Texas-based HITRUST, in collaboration with health care, IT and professional services executives, introduced the CSF last year. The CSF, designed to be used by any organizations that stores or exchanges personal health or financial information, incorporates security requirements from HIPAA and HITECH as well as other standards and frameworks, including the Payment Card Industry Data Security Standard, NIST and COBIT.
HITRUST released the 2010 version of the CSF last month with updated references to HITECH and improvements based on industry feedback. The CSF is available free of charge at HITRUST Central.
Daniel Nutkis, HITRUST CEO, says HITRUST has worked to reach out and educate organizations on risk management and how the CSF can help. Tracking the level of adoption is difficult, but HITRUST is working with about 30 states on their use of the CSF, he says. Under HITECH, states health information exchanges and the organizations that connect to them must be secure.
Khalid Kark, vice president and principal analyst at Forrester Research, says the CSF fills a void in the health care industry and that adoption of it by states could have a huge impact on its acceptance.
HITRUST also offers the CSF Assurance program, which the company says can help streamline the process of security assessments for health care organizations and their business associates. The program, which has authorized CSF assessors, aims to provide a consistent approach to assessing and reporting compliance to multiple parties.
The HITRUST CSF "indicates there's a focus on security in our industry that didn't exist in the past," says David Finn, health IT officer at Symantec and former CIO at Texas Children's Hospital.
ELECTRONIC HEALTH RECORDS
Many health care providers, of course, are focused on HITECH's incentives for "meaningful use" of EHR technology. Some companies have calculated that the combination of federal reimbursements and efficiencies gained in switching to electronic health records would mean a big return on investment, Forrester's Kark said.
In late December, the Centers for Medicare & Medicaid Services (CMS) released proposed provisions for meaningful use of EHR technology and the Office of the National Coordinator for Health Information Technology (ONC) released an interim final rule that specifies standards and certification criteria for EHR technology. While ONC's document includes a baseline of security controls such as encryption and authentication, the meaningful use document only cites the need for a security risk assessment, which is what HIPAA requires, Gallagher says.
Catholic Health East is working to fully understand the meaningful use criteria before conducting a gap analysis, Cline says. "Probably every hospital in the country is doing this but apparently working in a silo," he says, adding that industry-wide collaboration would be helpful.
CIGNA's operations include some health care delivery facilities, which are ready to do what is known to be required for EHRs at this point, Dodds Foley says. But like other health care organizations, it's waiting for additional federal guidance on EHR standards for other types of providers, like pharmacies, which likely won't be released until later this year. The company has project plans and has done some high-level gap assessment work, but has no choice but to take a wait and see approach in that area, she says.
The federal schedule for incentives is accelerated, but compliance with HITECH will be a long term process, Kark says. In building out compliance programs, organizations should focus on process rather than technology, he says.
"Don't lead with technology," Kark says. "Build a program and use technology to augment it."
Gallagher says meeting HITECH's security requirements require a lot of work and organizations will be preoccupied with establishing meaningful use of EHRs, which involves extensive requirements for quality and efficient health care delivery. But the basic requirement for a security risk assessment is something that companies should have already been doing under HIPAA, she says.
"That's a process that needs to be institutionalized. It's something an organization should be doing on a regular, continual basis," she adds.
According to Coburn of Coburn IT Law, other steps organizations should take to comply with HITECH's security and privacy requirements include: documenting security policies and procedures; workforce training on the procedures; implementing physical safeguards; and restricting disclosures of protected health information to the minimum necessary information.
Faced with either budget or human resource constraints, health care organizations need to realize they can't meet every one of HITECH's security requirements all at once, Symantec's Finn says: "You're going to have to prioritize based on level of risk."
Overall, HITECH escalates the importance of security and privacy in the health care industry, he says. "It's no longer just the CIO's problem."
Marcia Savage is Editor of Information Security. Send comments on this article to firstname.lastname@example.org.