The privacy and security of patient medical records is receiving a lot of attention lately from providers, patients, and regulatory agencies.
Consider the following examples:
- On Jan. 24, 2007, the first Health Insurance Portability and Accountability Act privacy case to go to trial ended in a conviction of a provider's former employee.
- On Feb. 26, 2007, the Office of Inspector General announced it will conduct the government's first systematic hands-on examination of security compliance at a hospital.
- On March 16, 2007, the Santa Barbara County Care Data Exchange closed down as a result of privacy concerns, although a few days later the California Regional Health Information Organization announced the selection of technology partners that would enable CalRHIO to deliver healthcare information to providers, patients, and health agencies throughout the state.
While there have been no "Harris polls" of providers' perceptions about privacy and security, the American Health Information Management Association has surveyed its members annually for the last three years. Consistently, AHIMA members have reported strong privacy compliance.
A Measure of Concern
In winter 2006, a total of 1,117 AHIMA members in hospitals and health systems responded to AHIMA's annual HIPAA privacy and security compliance survey. Nearly 40 percent of respondents reported full compliance with privacy (defined as between 95 percent and 100 percent). Full compliance with privacy has remained virtually the same since 2005, although there was a drop in 2006 of about 6 percentage points in those reporting privacy compliance at the 85 percent to 95 percent level. Respondents report less compliance with security, although there has been an increase (of 7 percentage points at both the fully compliant and 85 percent to 95 percent levels) since 2005.
The Health Information Management Systems Society and Phoenix Health Systems also surveyed covered entities about their HIPAA compliance with similar results, but postulate reasons for less than full compliance. The HIMSS/Phoenix Health Systems survey identified organizational constraints, limited resources, and lack of buy-in from senior leadership as roadblocks, although it also cited "changes/potential changes in regulations/deadlines" and "no anticipated legal consequences for non-compliance." The survey notes that key drivers of compliance appear to be peers/trading partners (including attorneys), press stories, and internal whistleblowers.
There have been many polls taken of consumers, and there is clearly a growing concern. The California HealthCare Foundation's survey from 2005 found that 67 percent of Americans were "very concerned" or "somewhat concerned" about the privacy of their personal medical records, with nearly a quarter of the respondents able to cite specific breaches where personal information was compromised. The Harris Interactive Survey on Medical Privacy in 2005 found that 70 percent of adults worried that sensitive health information might leak because of weak data security. Health Industry Insights in 2006 found 86 percent of respondents somewhat or very concerned about the health industry's ability to protect the privacy of personal health information in deploying electronic health records.
Vendors are probably least likely to be surveyed on their perceptions, yet one anecdote is probably representative. At HIMSS's 2007 annual conference, a vendor specializing in health information exchange technology lamented that the industry can't yet decide whether individuals should be able to opt in or opt out of participation in an RHIO. He observed that it is virtually impossible to produce products at reasonable cost that allow individuals to do both.
Addressing the Myths and Realities of HIPAA
Privacy and security concerns are largely driven by HIPAA, although identity theft and natural disasters are also key drivers. We continue to find both HIPAA myths and HIPAA risk realities. As healthcare organizations step up adoption of healthcare IT, it may be appropriate to take another look at HIPAA-related practices. The Office for Civil Rights reports that the top reasons for privacy complaints (still being received at a rate of 500 to 600 per month) include:
- Impermissible use or disclosure of protected health information
- Lack of adequate safeguards to protect PHI
- Refusal or failure to provide access to or a copy of records to individuals
- Disclosure of more data than are minimally necessary to satisfy requests for information
- Failure to have the individual's valid authorization for a disclosure that requires one
Although OCR indicates that more than half of all complaints do not merit further review or are not covered by HIPAA, the volume certainly reflects growing consumer concern, and perhaps an outlet for whistleblowers. After reviewing one's policies and procedures, it may also be worth examining how the organization actually carries them out. Sometimes a brief but appropriate explanation, other than "HIPAA says," can alleviate concerns.
The top reasons for security complaints include information access management, security awareness and training, and access control. These issues warrant a look at past practices: perhaps weak or shared passwords were allowed, unique user logins were not enforced, or audit trails were turned off. Strengthening these practices may require attention to emergency access procedures (e.g., "break-the-glass" functionality) and enhanced network support and server expansion to support audit trails.
Although not a big focus of HIPAA complaints, the entire area of contingency planning is one of the weakest in most provider settings. As more mission-critical IT is put into place, full redundancy and fault tolerance become critical. Removing the "sneakerware" from IT is equally important: strong technical controls can be undone when backups are mishandled or when hardware from which PHI has not been sufficiently removed gets into the wrong hands.
Time for a HIPAA Review?
The HIPAA security rule even has a reminder component. The evaluation standard (§164.308(a)) requires covered entities to "perform a periodic technical and nontechnical evaluation, based ... in response to environmental or operational changes affecting the security of electronic PHI." Two years may seem like a relatively short period of time, but if your last review was the initial review in preparation for the April 21, 2005, effective date, and you have subsequently acquired computerized provider order entry, bar-coded medication administration records, or other components of an EHR, you have "operational changes" warranting a HIPAA review!
Margret Amatayakul, RHIA, CHPS, FHIMSS, is president, Margret\A Consulting, LLC, Schaumburg, Ill. (firstname.lastname@example.org).
Publication Date: Tuesday, May 01, 2007