Wednesday, November 11, 2009

IS YOUR HEALTH CARE ORGANIZATION PREPARED FOR THE HITECH ACT?

If so, it appears your organization is an exception to the rule.

Last week, the Healthcare Information and Management Systems Society (HIMSS) released a survey suggesting that health care IT personnel may not be prepared to meet the data security requirements of the HITECH Act. The survey, which was sponsored by Symantec, examined the security practices of 196 health care IT and security professionals in U.S. health care organizations. The results confirm that although health care security professionals recognize the need to secure patient data, many health care providers fail to do so. According to the survey:
  • health care security budgets remain low

  • organizations do not have a response plan for data security breaches

  • most health care organizations do not have a designated chief privacy officer or chief security officer

  • health care organizations are not utilizing current security technologies to keep data safe

  • only 67% of those surveyed encrypt data in transmission, and fewer than half encrypt stored data.

These results confirm what many (including myself) have suspected: many health care organizations are implementing electronic health records without first ensuring that the appropriate data security precautions are in place. The lack of security is not surprising given that 60% of these organizations spend 3% or less of their budget on IT security. Given the new data security regulations imposed on health care providers, organizations that continue to operate without the necessary security protections, including encryption and a data breach incident response plan, do so at their own peril.


Tuesday, November 10, 2009

MASSACHUSETTS FINALIZES ITS MUCH PUBLICIZED DATA SECURITY LAW

On November 4, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation published the final version of the state's data security regulation (201 CMR 17.00). The regulation, which takes effect on March 1, 2010, is widely considered the most stringent data security regulation in the nation. As I have stated previously, it applies to any business, including any Pennsylvania business, that owns or licenses personal information about a Massachusetts resident, regardless of where that business is located.

The final version of the regulation can be viewed here. Most significantly, the recent amendments clarify that the regulation applies to any business that stores personal information about a Massachusetts resident, in addition to businesses that receive, maintain or process such personally identifiable information.

Tuesday, November 3, 2009

PENNSYLVANIA HEALTH CARE PROVIDERS NOW FACE INCREASED PENALTIES FOR HIPAA VIOLATIONS

The Department of Health and Human Services recently released an Interim Final Rule amending the HIPAA enforcement regulations relating to civil monetary penalties. The Interim Final Rule, which was published in the Federal Register on October 30, 2009, incorporates the HITECH Act's categories and tiered ranges of civil monetary penalties, which reflect increasing levels of culpability. According to the Interim Final Rule:

  • If a covered entity did not know (and by exercising reasonable diligence would not have known) that it committed a violation, the minimum civil penalty is $100 per violation, not to exceed $25,000 in a calendar year for violations of an identical provision;
  • If the violation was due to reasonable cause (and not willful neglect), meaning circumstances that would make it unreasonable for the covered entity to comply despite the exercise of ordinary business care and prudence, the minimum penalty is $1,000 per violation, not to exceed $100,000 in a calendar year for violations of an identical provision;
  • The minimum penalty for a violation arising out of willful neglect that is subsequently corrected is $10,000 per violation, not to exceed $250,000 in a calendar year for violations of an identical provision;
  • The minimum penalty for a violation arising out of willful neglect that is not subsequently corrected is $50,000 per violation, not to exceed $1.5 million in a calendar year for violations of an identical provision.

By incorporating these categories, the Interim Final Rule strengthens the civil enforcement of HIPAA by scaling penalties to the nature and extent of the violation. (Criminal penalties for HIPAA violations are separate and are not addressed by this rule.) Pennsylvania health care providers should familiarize themselves with the new minimum and maximum penalties under the rule.

Sunday, November 1, 2009

FTC EXTENDS DEADLINE FOR COMPLIANCE WITH THE RED FLAGS RULE AGAIN

Last Thursday, the Federal Trade Commission announced that it is extending the deadline for compliance with the Red Flags Rule until June 1, 2010 for financial institutions and creditors subject to FTC enforcement. This is the fourth time the FTC has extended the deadline; the Rule was previously scheduled to take effect on November 1, 2009.

The FTC explained that the most recent delay was requested by members of Congress who are currently considering a bill which would exempt health care providers and accounting practices with twenty or fewer employees from complying with the Rule.

The Red Flags Rule requires financial institutions and certain defined "creditors" to implement written identity theft prevention programs designed to identify, detect and respond to patterns, practices and specific activities (the "red flags") that could indicate identity theft.

Thursday, October 22, 2009

ARE HEALTH CARE PROVIDERS TAKING APPROPRIATE STEPS TO PROTECT PERSONALLY IDENTIFIABLE INFORMATION?

According to a recent study conducted by the Ponemon Institute, the answer appears to be no. The study indicates that more than half of U.S. hospitals fail to take appropriate steps to protect the personal health information of their patients.

On October 15, 2009, the Ponemon Institute released the results of a study entitled “Electronic Health Information at Risk: A Study of IT Practitioners.” The study, which was sponsored by LogLogic, was designed to determine how IT practitioners view the security of electronic patient health records.

Many individuals would be surprised to hear that a majority of those surveyed believe their organizations do not have adequate resources to protect patients' sensitive or confidential information. Most notably:
  • 61% of IT practitioners believe they do not have enough resources to ensure privacy and data security requirements are met.
  • 80% say senior management does not view privacy and data security as a top priority.
  • 80% of organizations have suffered one or more data breaches involving patient health information.

These statistics are disturbing, especially considering that health care providers collect a wide variety of data, including Social Security numbers, addresses, health insurance information and credit history. Given these statistics and the new requirements contained in the HITECH Act, Pennsylvania health care providers should consult with an attorney to ensure they have the appropriate data security protections in place.