HIPAA concerns emerge with new focus on Health IT
Health Information Technology and Privacy
April 02, 2009
by Astrid Fiano, DOTmed News Writer
In a continuing series on the new push for implementation of health information technology (HIT) and the concerns that HIT has raised, DOTmed spoke with Wayne J. Miller, of the Compliance Law Group in Los Angeles, CA. Mr. Miller has had a 26-year career specialty as a health care law attorney and he frequently conducts audioseminars on legal and regulatory issues for health care providers through Audioeducator.com. A recent Audioeducator presentation described in detail the substantive changes in HIPAA privacy and security requirements imposed by the American Recovery and Reinvestment Act (ARRA) and the substantially increased costs in the event of non-compliance.
HIPAA presents some compliance problems for HIT, Miller says. "The new HIPAA laws added by the ARRA present several additional burdens for implementing and maintaining electronic medical records. First, the law extends more stringent obligations on contractors that disclose or use electronic records on behalf of health care providers. This ranges from technology companies, to managers and professionals like lawyers and accountants. It's widely believed that these companies have not been as closely scrutinized as traditional health care providers with respect to HIPAA compliance. Traditional providers and their business partners may need to do compliance audits to see how well these contractors live up to privacy and security standards for electronically maintained records."
Miller points out the new law also "beefs up" standards specific to disclosure and security of electronic records. Systems will have to adopt new standards to be developed by the Centers for Medicare and Medicaid Services as to what is the appropriate "minimum necessary" material to be released as required by the law. "Also, the law requires providers and business associates using electronic systems to keep track of every disclosure of information for each patient (previously only unauthorized disclosures needed to be logged). In addition, the new law imposes a mandated procedure to follow if there is a breach of electronic information security, which includes tracking down and notifying those that are affected, as well as evaluating the damage caused by the breach.
"These requirements are likely to add to administrative headaches and costs for both planning and implementation," Miller said. "Added to that are increased costs if mistakes happen. Now up to $1,500,000 in penalties could be assessed for violations that are not fixed and are found to be caused by negligence."
Miller explained that health care providers and business partners often rely on the representations of the hardware and software providers as to their products' HIPAA compliance, as well as accept the HIPAA certifications that the vendors have obtained. "With the recent law changes and the high cost of failure, we recommend using an independent qualified consultant to review compliance and even do 'dry run throughs' to see how well an IT system fulfills HIPAA privacy and security basics and if the system has any Achilles heels in this regard."
The developing use of technology is compatible with information security; the challenges are in implementation. "HIT systems are usually designed to specifically address HIPAA concerns of privacy and security, but it's often left to the vendors to figure out what needs to be included. One of the difficulties of complying with the HIPAA security rule is that the rule establishes standards like requiring access security but doesn't provide any specifics as to how to achieve this." Miller says that the ARRA now requires CMS to provide specifics; however, the specifics may take many months to develop. "In the meantime, providers should be aware of the basic interventions that they can do to make sure the privacy and security attributes of HIT are most effective, like changing and using strong passwords, preventing people from circumventing security measures, and migrating the same measures on portable devices like on laptops and iPhones."
The new administration's support of HIT is expected to have significant impact. It is well publicized that the ARRA sets aside $20 billion for HIT, and health reform proposals are expected to include further financial and other incentives to adopt electronic records, Miller says.
"A central belief of the new administration is that information technology is critical to making the health care system work better and more efficiently. Beyond funding and plans, the administration should focus on at least three areas in order to have maximum impact on widespread adoption of HIT: 1) making HIT more affordable for solo and small physician groups and community hospitals even after applying the incentives, 2) promoting approaches that enhance the flow of information between providers and patients; and 3) encouraging the adoption of a single 'parent' system or approach to HIT from among the many vendors and systems."