High Stakes

Jan. 3, 2012

Breaches of patient information have become a significant problem in the healthcare industry during the past few years. From 2005 to 2008, around 10 million records were breached, according to information gathered by Premier, Inc. (Charlotte, N.C.), with the average cost estimated at $6.3 million. Costs come in the form of internal investigations, attorneys' fees, customer notifications, call center support and crisis management, along with damage to an organization's reputation.

And now, with the passage of the American Recovery and Reinvestment Act (ARRA), the risks could become even greater. The Health Information Technology for Economic and Clinical Health Act (HITECH), the section of ARRA that will allot $19.2 billion in health IT funds, includes a large portion dedicated to privacy and security. The legislation features new provisions regarding protected health information that organizations must follow if they want to receive incentive payments - and avoid serious penalties. It's a measure that could significantly impact a C-suite leader's strategy, according to Lisa Gallagher, senior director of Privacy and Security for the Chicago-based Healthcare Information and Management Systems Society.

“People have been operating under the HIPAA paradigm for a dozen years. The HITECH Act contains provisions that change some of those terms,” says Gallagher (see sidebar). She believes hospital leaders have been more focused on the funding aspects of the bill when, in fact, the changes regarding breach notification and accounting of disclosure are just as critical. “They need to devote time to creating additional policies, procedures and processes for meeting these requirements,” she says.

ARRA establishes the first federal requirements on health data breach reporting and notification, extending the traditional covered entities under HIPAA to include business associates and non-covered entities that handle protected health information (PHI). What this means, according to the Chicago-based American Health Information Management Association, is that PHI is now protected no matter where it resides.

It is an idea whose time has come, says Dale Sanders, vice president and CIO, Northwestern Medical Faculty Foundation at Northwestern University in Chicago. “For the most part, I'm very supportive of the changes. They're going to be painful and that part is not appealing. But I think this was overdue.”

The new rules

Arguably the most significant aspect of the proposed rule is the requirement that patients who are affected by a breach are notified within 60 days, says Gallagher, with a breach defined as “inappropriate or unauthorized access” to PHI. If the number of individuals affected is 500 or greater, the organizations involved must report the incident to the Secretary of the Department of Health and Human Services, and notify the community through prominent media outlets. This way, says Gallagher, patients will likely be informed of a breach, even if the organization is not able to reach them using the contact information on file.

But it isn't as simple as merely sending out a letter. According to Kate Healy of Verrill Dana LLC, notice must be sent by first class mail to the last known address of the individual, and any delays must be explained. “The burden is really on the notifying entity to demonstrate that all the required notifications were made,” says Healy, who is partner and chair of the Health Technology Group at the Portland, Maine-based law firm.

If organizations do not comply with the requirements, there could be serious penalties. “From what I've seen of HITECH, there's been a change in the enforcement philosophy, so I think providers would be well-advised to anticipate more rigorous enforcement activity on the part of the government,” says Healy.

Another facet of the HITECH Act that should be of concern to CIOs and other hospital leaders, Gallagher says, is the new regulation surrounding accounting of disclosures. Covered entities are now compelled to track all PHI disclosures, including those made for the purposes of treatment, payment and health care operations. In addition to that, they must be able to provide to patients, upon request, an accounting of every disclosure for the three years preceding the request. “That's a significant change,” Gallagher says. “The issue is going to be figuring out how to put in place a process that makes the accounting available without a disruption to operations or patient care.”
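As an added illustration, not code from the article or from any of the organizations it names, the following shows the shape of a disclosure log that can answer the accounting request described above: every disclosure is recorded once with who received what and why, and a patient's accounting is the set of entries for that patient in the three years before the request date, with treatment, payment and operations disclosures included rather than filtered out. The field names, purpose codes and sample entries are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


# Purposes that pre-HITECH HIPAA accounting could omit and that the provision
# discussed above brings into the accounting (assumed purpose codes).
TPO_PURPOSES = frozenset({"treatment", "payment", "operations"})


@dataclass(frozen=True)
class Disclosure:
    patient_id: str    # internal patient identifier (hypothetical field)
    disclosed_on: date
    recipient: str     # person or organization that received the PHI
    purpose: str       # "treatment", "payment", "operations", "research", ...
    description: str   # what was disclosed, in patient-readable terms
    disclosed_by: str  # user or system account that made the disclosure


def years_before(d: date, years: int) -> date:
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    """Append-only log of PHI disclosures. Entries are never edited or
    removed; a correction is recorded as a new entry. In-memory here;
    a real deployment would use a durable, access-controlled store."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, entry: Disclosure) -> None:
        if not entry.purpose or not entry.recipient:
            raise ValueError("purpose and recipient are required for every disclosure")
        self._entries.append(entry)

    def accounting(self, patient_id: str, request_date: date, years: int = 3) -> list[Disclosure]:
        """All disclosures of one patient's PHI in the `years` preceding
        request_date (window inclusive at both ends), oldest first."""
        start = years_before(request_date, years)
        hits = [e for e in self._entries
                if e.patient_id == patient_id and start <= e.disclosed_on <= request_date]
        return sorted(hits, key=lambda e: (e.disclosed_on, e.recipient))

    def purpose_counts(self, patient_id: str, request_date: date, years: int = 3) -> dict[str, int]:
        """How many disclosures of each purpose fall in the accounting window."""
        return dict(Counter(e.purpose for e in self.accounting(patient_id, request_date, years)))


def format_accounting(entries: list[Disclosure]) -> list[str]:
    """Patient-facing lines: date, recipient, purpose (flagged if TPO), description."""
    lines = []
    for e in entries:
        tag = "TPO" if e.purpose in TPO_PURPOSES else "other"
        lines.append(f"{e.disclosed_on.isoformat()}  {e.recipient}  [{e.purpose}/{tag}]: {e.description}")
    return lines


# Constructed sample data (not from the article). The request is dated
# 2011-03-01, so the three-year window is 2008-03-01 through 2011-03-01.
SAMPLE_LOG = DisclosureLog()
for _entry in [
    Disclosure("MRN-1001", date(2008, 2, 28), "Ross County Clinic", "treatment", "visit summary", "dr.smith"),
    Disclosure("MRN-1001", date(2008, 3, 1), "Ross County Clinic", "treatment", "lab results", "dr.smith"),
    Disclosure("MRN-1001", date(2009, 6, 10), "Acme Health Plan", "payment", "claim for 2009-06-01 visit", "billing-system"),
    Disclosure("MRN-1001", date(2010, 11, 5), "Quality Review Committee", "operations", "chart audit", "qa.user"),
    Disclosure("MRN-2002", date(2010, 1, 1), "Acme Health Plan", "payment", "claim", "billing-system"),
    Disclosure("MRN-1001", date(2011, 1, 15), "State Public Health Dept", "public_health", "immunization record", "hie-gateway"),
    Disclosure("MRN-1001", date(2011, 4, 1), "Acme Health Plan", "payment", "claim", "billing-system"),
]:
    SAMPLE_LOG.record(_entry)

REQUEST_DATE = date(2011, 3, 1)

if __name__ == "__main__":
    for line in format_accounting(SAMPLE_LOG.accounting("MRN-1001", REQUEST_DATE)):
        print(line)
```

Two details matter operationally: the window boundary is inclusive (a disclosure made exactly three years before the request is reported), and nothing after the request date or belonging to another patient leaks into the report. Because the log is written at the point of disclosure rather than reconstructed later, producing the accounting is a query and does not interrupt clinical workflow, which is the concern Gallagher raises.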

Time for action

While security issues are often delegated to IT and security managers, Gallagher says the HITECH requirements are a critical matter that warrants attention from the C-suiters. “Because of the overall risk to the business, you need to be on top of this issue, whether that means putting together committees or writing policies - whatever it's going to take to get this done in your organization.”

At Northwestern, Dale Sanders is heavily involved in privacy and security issues. In addition to the CIO role, he also serves as chief security officer for Northwestern Medical Faculty Foundation (NMFF), a multi-specialty physician organization that supports the research and academic endeavors of the Feinberg School of Medicine at Northwestern University.

“We've been developing a checklist that was put into place so that if there was a breach, we could quickly go through it and identify the actions that we needed to take,” he says. The checklist includes names and contact information for individuals who must be notified, and identifies who can respond to media inquiries.

NMFF, however, takes it a step further. “We even have pre-established relationships with some of the credit reporting bureaus, so we can turn on the automatic protection of personal identification from a credit bureau and financial standpoint,” says Sanders. “We need to be able to respond within a couple of days and tell people if the exposure of their information is going to encompass any kind of financial or red-flag events for them, in addition to the PHIs being disclosed.”

At Adena Health System, protecting patient data has been one of CIO Marcus Bost's top priorities from day one. When he first arrived at the Chillicothe, Ohio-based system three years ago, he assembled network and security staffs with a very specific purpose: to keep Adena out of the papers. “That's pretty much how I interviewed them,” he says. “Their primary goal is to not let that happen, so they're actively monitoring it.”

Safeguarding patient information is a key concern at an organization like Adena, where data is shared among 14 locations, including two hospitals and 36 practices.

“All of our facilities are linked via a privately switched fiber backbone and everything is encrypted as it goes across those connections,” says Bost. “We can share all manner of data. Anything that's available at one is available at the other, so we're sending a lot of information all over our network.”

But while it's critical to protect data, Bost says it is also important not to burden clinicians by making it too difficult for them to access information. Bost's staff has been able to achieve this by implementing a single sign-on solution (from Andover, Mass.-based Sentillion) and integrating as many applications as possible around its core clinical application, Meditech (Westwood, Mass.). This way, “They sign in once and get access to all the different modules,” he says. “We do everything we possibly can to make it easier, because you're always walking that fine line between how much you're asking your clinicians and employees to do versus what's due diligence for security.”

As far as the breach notification procedures in place at Adena, Bost wasn't directly involved in drafting the document, which was led by compliance and legal officers. However, he did review the document before it was submitted to the board.

Such involvement, says Healy, is extremely important. “Hospital executives need to stay engaged and have a few sources that can give them some of the nuts and bolts about the changes that the HITECH Act brings,” she cautions. “If a large enough breach occurs, it can result in a lot of negative publicity. Hospitals are non-profit; they're trying to retain patients, increase satisfaction and obtain contributions. The risks are very real for them.”

Sidebar

Financial Data vs. EMR

Below are results from an informal poll conducted by Dale Sanders, vice president and CIO of the Northwestern Medical Faculty Foundation in Chicago. The question, which asked whether readers were more concerned with protecting personal identity and financial data or EHR data, drew an overwhelming response, with more than 400 people voting.

Sanders had this to say regarding the lopsided results: “Clearly, we must and will protect both types of information, particularly in healthcare - this is not an either-or-situation. However, as we spend limited time and money protecting our private information in general, it would seem that we should take these perceptions of public concern in mind. In healthcare, we've spent significant resources protecting personal health information as a consequence of HIPAA, and rightly so, but only recently have we focused similar attention on personal identity theft, as required by the Federal Trade Commission's Red Flag rule.”

Healthcare Informatics 2009 July;26(7):42-44
