The most prevalent electronic security risks in the health care industry are the same as other industries, Nahra observes, such as the hacker. A hacker can break into an electronic system and obtain credit card numbers and payment mechanisms. Health information is also at risk for misuse of insider access--witness the unauthorized dispensation of celebrities' private health information (Britney Spears, Christina Applegate, Patrick Swayze)-- the "leaks" misuse the information out of curiosity or personal gain by selling to a tabloid. There are also people with access to medical information examining the records of people they know for malicious or curiosity reasons (i.e., getting information on a neighbor or ex-spouse). Identity theft is also a problem. "We are seeing a lot more of those instances," Nahra says. Health information technology is designed to be easier to use, but it then becomes easier to misuse.

Does the technology help to ensure compliance through its management of information? Ms. Rauzi felt that "well designed technology would, but buyers need to have a clear idea of the security features they want or need before they settle on what to buy." From the information Ms. Rauzi has reviewed, implementation of electronic health records (EHRs) is a complicated process and should not be underestimated, although not particularly because of problems with HIPAA compliance.


Ms. Rauzi notes that the Obama Administration is completely behind HIT. "There are huge provisions for additional funding for electronic health records in the 2009 American Recovery and Reinvestment Act (ARRA)." The Administration's new legislation encourages health entities to use EHRs to bring efficiency, quality of care, and reduced errors to the industry. Incentives are offered but also imposition of new obligations. Whether the new obligations offset any gain is uncertain at the moment, Nahra says. In addition, the new rules in the ARRA have little to do specifically with electronic records. Major parts of the legislation involved provisions across the board on general privacy issues, including the new legal obligations of health care entities' business associates, now directly covered under HIPAA, and the new rules concerning patient notification upon breach. Both those rules apply to all formats of patient information.

As health IT becomes more broadly implemented, there will be new issues to watch. Nahra says one issue that has been much debated and now partially addressed though the new legislation is the regulation of those entities not covered by HIPAA that offer services for an individual to store his or her medical information. This includes companies such as WebMD, Google Health, and Microsoft. These entities often have privacy policies even stricter than HIPAA, but are also in effect unregulated, and can change their user policy as to how they handle an individual's information (such as the recent controversy with Facebook). Regulation is basically through commercial competition. A company has to convince the user that the benefits outweigh the risks with its service, with the competitors also trying to convince the consumer of their superior and more secure service. Now, HHS and the Federal Trade Commission will be regulating the services and so the FTC will play a bigger role in the industry. In addition, state attorneys general are now given enforcement powers to pursue HIPAA violations, so it will be interesting, Nahra feels, to see how they handle this task.

Watch DOTmed News for continuing coverage of health IT issues and be sure to read our March 2009 issue of DOTmed Business News, devoted to digital issues.

Back to HCB News

More Industry Headlines