Health care organizations have had to comply with HIPAA's security and privacy requirements for several years now, but compliance depended on who you talked to. Some companies took the regulation very seriously and worked hard to secure protected health information (PHI). For others, security was far down on the list of priorities, if on the list at all. But how could you blame them? The requirements aren't specific and there was little...
enforcement to speak of.
The HITECH Act aims to change that that with its increased penalties for HIPAA non-compliance and broader enforcement. But will it really be a game changer and increase information security in the health care industry?
It's critical that more health care organizations make an effort to protect sensitive health information. A breach that exposes a patient's confidential data could have serious and lasting consequences. As Khalid Kark, vice president and principal analyst at Forrester Research points out, health care records aren't like credit cards, which can be cancelled and changed if they are exposed in a breach. "Once health care information is gone, it's gone," he says. And according to data from security-services firm SecureWorks, criminals are increasingly targeting health care organizations.
For security teams in health care organizations, HITECH's increased penalties could help win funding for projects that have languished due to the lack of HIPAA enforcement. Studies have shown health care organizations lag in security spending compared to other industries. The new legislation isn't exactly clear on how the federal government will audit compliance with HIPAA's security requirements, but it widens the number of enforcers by giving state attorney generals the ability to file a federal civil action for harmful disclosures of protected health information.
Already, security managers in health care have a case to cite to their bosses: Connecticut Attorney General Richard Blumenthal wasted no time in executing his new authority, suing Health Net of Connecticut for alleged HIPAA violations due to a lost portable disk drive. It's not hard to imagine more lawsuits by attorney generals -- including those wanting to curry public favor for political purposes.
And while HIPAA only offered high-level security guidance, HITECH is specific, at least in some areas. It doesn't require encryption, but it's very clear about what type of data encryption processes are required to make PHI useless and unreadable to unauthorized people in order to avoid notification requirements in the event of a breach. HITECH also requires business associates that handle protected health care information comply with HIPAA, which could help close up holes in patient record privacy and puts pressure on health care providers to verify third-party security. In addition, the legislation imposes new disclosure rules for PHI.
But how realistic are all these provisions, especially for small health care providers that may not have the security resources? Encryption is difficult for any enterprise, let alone a small organization without the money, security skills or staffing to deploy and manage it. Plus, the legislation doesn't do much to clarify HIPAA's security provisions, still leaving much room for interpretation. Let's hope HITECH doesn't simply lead to a plethora of security breach notifications that the public eventually becomes numb to.
At its heart, HITECH aims to encourage adoption of electronic health record technology with lucrative incentives. Kark says HITECH makes it clear that if an organization expects to receive incentives, its EHR implementations must be secure. However, for small organizations the incentives may not be enough to make the switch, he says: "The cost may be too prohibitive for them." Just trying to understand the voluminous federal requirements for "meaningful use" of EHRs could be too daunting for some.
HITECH needs to force some real changes in the health care industry and not be more well-intentioned but ultimately ineffective legislation.
Marcia Savage is Editor of Information Security. Send comments on this column to firstname.lastname@example.org