HITECH Giving a Boost to HIPAA Compliance

I recently had the pleasure of listening to Sue McAndrew, the Deputy Director for Health Information Privacy of the HHS Office for Civil Rights, at the annual 2012 NCHICA conference. Lately I’ve been spending hours reviewing documentation with sales, customers, and partners at McAfee, and it was refreshing to hear from an industry leader on the current state of HITECH and HIPPA. McAndrew laid out the goals and current state of the industry, but not without some criticisms.

McAndrew noted the reality of HIPAA is not about absolutes. You cannot guarantee sensitive data will remain secure, but it is more about building trust with customers and hoping the data stored will improve patient care. In order for patients to confidently participate, McAndrew reinforced that appropriate measures must be taken to ensure privacy.

The problem HITECH tries to solve is that a culture of voluntary compliance is not enough – and the latest industry data supports this notion. According to the Information Security Media Group’s 2011 Survey Executive Summary, “Safeguarding Patient Information – Unfinished Business”, 26% of organizations have failed to conduct a risk assessment required by HIPAA.

HITECH ups the ante, and brings to the table breach notification, auditing, and the ability for State Attorney Generals to litigate. Breach notifications (also referred to as the “wall-of-shame”) are meant to bring transparency and give customers tangible evidence of the process at work. During McAndrew’s presentation, one attendee asked if “you can ever get off the wall-of-shame”? McAndrew noted a yearly archive is currently in development, and will allow only current offenses to be prominently displayed. Another attendee replied, “even prisoners get pardons”.

One of HITECH’s objectives was to create incentives and therefore encourage adoption of digitized systems through the “Meaningful Use of Electronic Health Records Systems”. However, reality is the incentive payout doesn’t come close to overall cost of the systems, implementation and additional security controls required. Estimates from attendees speculate cost coverage would only be about 30% from these incentives (at best).

With the rapid and daunting changes in the healthcare industry, priorities are shifting from reactive to proactive when it comes to security. Healthcare organizations are looking to create and sustain a privacy policy for their customers, and more are starting to see security as mission-critical. Due to HITECH, audits are becoming a common occurrence and breaches are recorded (“wall-of-shame”), increasing the need for a new approach in healthcare. There are no absolutes, but having broader security and more measurable effectiveness is a requirement we’re seeing from all of our healthcare customers.

Visit our refreshed healthcare website to learn more about how McAfee can help your organization, and follow us on Twitter @IntelSec_Biz.

 -Kim Singletary

Leave a Comment

17 + seventeen =