It's no secret that the federal government is promoting adoption of healthcare IT-with fervor.
Take a quick glance at the website of the Office of the National Coordinator for Health Information Technology and you'll see a dizzying array of new commissions, panels, and communities that are working on many initiatives, activities, and breakthroughs in the area of healthcare IT. Federal funding is flowing, even if the amount of funding is perhaps less than desired. Relief from Stark and anti-kickback laws is being proposed, creating more opportunities for the use of technology in the exchange of health information. Regional health information organizations are forming, and a nationwide health information network is being prototyped. Insurers are starting pay-for-performance programs that are heavily vested with IT support.
But could all of these initiatives be derailed by potentially greater enforcement of the Health Insurance Portability and Accountability Act?
How Do You Measure HIPAA Compliance?
Many industry analysts believe civil monetary penalties may be imposed for violations of the Health Insurance Portability and Accountability Act, now that the HIPAA enforcement rule has become effective. Providers should consider an ongoing HIPAA compliance program that includes:
- Periodic auditing
- Triggered reviews
- Continuous monitoring
More Teeth Than Some Realize
The long-awaited final HIPAA enforcement rule became effective March 16, 2006. This rule makes it mandatory for the U.S. Department of Health and Human Services to impose a civil monetary penalty if it determines a HIPAA violation has occurred. Although criminal penalties are still the domain of the Department of Justice, the final enforcement rule may have more teeth than some providers may realize.
Perhaps the greatest incentive to ensure compliance is the fact that HHS can now use information from HIPAA-related investigations for other investigations relating to any of the five titles within HIPAA, including fraud and abuse and all aspects of administrative simplification (transactions and code sets, privacy, security, and identifiers). In addition, the final rule specifies that investigations may be initiated by HHS not only in response to complaints, but as part of a compliance review.
The key question is whether HHS will continue its "voluntary compliance" stance, or whether it will use this final rule as an opportunity to finally impose civil monetary penalties. The Office of Civil Rights, responsible for enforcement of the privacy rule, has consistently dispatched about two-thirds of its complaints, either by determining that no violation has taken place or through its voluntary compliance stance. Prior to finalization of the enforcement rule, the director of OCR, Rick Campanelli, was quoted as saying, "Sometimes, it just requires a little education on our part … but it remains to be seen what [will happen] with the other 33 percent" (Insider, 2005).
The risk of being among "the other 33 percent" seems to be a risk at least some providers are willing to accept. A survey taken last winter by the Healthcare Information and Management Systems Society and Phoenix Health Systems on HIPAA compliance included 261 providers, about two-thirds of which were hospitals. The survey found that about 80 percent of providers reported compliance with the HIPAA privacy rule, a figure that is consistent with other recent surveys. However, only 55 percent of providers reported compliance with the HIPAA security rule, though this figure is up from the 40 percent of providers who reported compliance in summer 2005.
Despite compliance levels, approximately 60 percent of providers reported having experienced a privacy breach, an increase of 15 percent since summer 2005. The majority of providers experienced between one and five privacy breaches, but more than 20 percent experienced six or more breaches. At least one-third of respondents reported having had a security incident within the six months prior to the survey. If one compares the number of complaints OCR reports to have received between April 14, 2003 (the date the privacy rule became effective), and July 31, 2005, which is 14,331, with the percentage of hospital respondents that reported having experienced a privacy breach, and if you consider that there are about 4,000 hospitals in the United States, you could naturally conclude that there could be at least one complaint filed with OCR for every hospital, every year. The chances are clearly quite good for having a complaint filed.
Although no attempt was made to correlate level of compliance reported with complaints filed in the HIMSS/Phoenix surveys, compliance does not guarantee that a breach will not occur. Neither is there such a thing as 100 percent security, a fact that perhaps many providers are relying upon. Yet with the addition of public reporting to the final enforcement rule, it is likely that the chances of incurring a complaint to OCR will become even greater, as the press has a way of stimulating such actions rather than stifling them.
We also know that the public is on edge about health information security. In October 2005, The Wall Street Journal found that 78 percent of those polled strongly favored or somewhat favored use of an electronic health record to capture medical information, 81 percent favored e-mailing their providers, and 76 percent favored using a personal digital device to record health information. Yet a survey by America's Health Insurance Plans in July/August 2005 found the public to be very concerned or somewhat concerned that sensitive personal medical record information might be leaked because of weak data security. Interestingly, 62 percent of the AHIP survey respondents also believed that existing federal health privacy rules protecting patient information will be reduced in the name of efficiency.
Time to Reassess Your Risk
Where do all these survey results leave us? Many industry observers believe that, at least in the near future, at least some civil monetary penalties may be imposed for privacy breaches or security incidents. This may suggest the need for a reassessment of your risk: If the last time you performed a HIPAA assessment was immediately before the HIPAA privacy and security rules went into effect, it might be worth instituting an ongoing compliance program.
Many providers seem to be spending most of their HIPAA resources on responding to complaints rather than proactively assessing their current processes. A compliance program should do more than just benchmark complaints or incidents. Such a program should include periodic auditing, triggered reviews, and continuous monitoring. The HIPAA security rule calls for risk management as an ongoing activity and a periodic technical and nontechnical evaluation in response to environmental or operational changes affecting the security of electronic protected health information. This suggests that when your computerized provider order entry system goes live, you should make sure your security measures complement the scores of new users and uses of ePHI.
Diligence Is Key
There is no crystal ball that can predict the future. But no one wants a future that includes either more enforcement or more privacy breaches and security incidents. Diligence in managing complaints so they do not escalate to the federal level is an important activity, but as more states are also requiring reporting of privacy breaches and security incidents, such coaching may be moot. The best way to reduce your risk is to be diligent in applying privacy and security controls.
Margret Amatayakul, RHIA, CHPS, CPEHR, FHIMSS, is president, Margret\A Consulting, LLC, Schaumburg, Ill. (firstname.lastname@example.org).
Publication Date: Monday, May 01, 2006