Health Care IT - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Health Care IT


Stitching Up Health Records: Privacy Compliance Lags



 By: Kevin Fogarty
2006-04-16
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Health Care IT story.


  Table of Contents:
  1. Stitching Up Health Records: Privacy Compliance Lags
  2. ' HIPAA May Make Business '

Rate This Article:
Poor Best
Stitching Up Health Records: Privacy Compliance Lags
( Page 1 of 2 )

Twenty percent of health care companies are unable or unwilling to implement federal privacy requirements, because the rules are vague and the technology is spotty. Meanwhile, another compliance deadline looms.The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law.

The bad news? All were supposed to have done so by April 2003.

More bad news? The percentage hasnt changed since last summer, meaning about 20 percent of health care companies are "unable or unwilling to implement federal privacy requirements," according to a twice-yearly survey of health care payers and providers conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society, or HIMSS.

And thats just regarding the rule designed to make sure patient information isnt sent to the wrong people or accessed by people without a right to know. Securing the data so hackers cant force their way in is another category of compliance entirely.

Meanwhile, as of April 21, another wave of companies will have the chance to be noncompliant, as the deadline passes for companies with less than $5 million in revenue to meet HIPAA Security standards.

Its not that health care companies find privacy and security technology hard to manage, said William "Buddy" Gillespie, vice president and CIO at WellSpan Health, which includes two hospitals; a home health care provider; a pharmacy; and about 40 physicians offices, managed care plans and other outpatient treatment facilities in Pennsylvania and Maryland.

The problem is that HIPAA rules are often vague and technology is developing so quickly that its often hard to decide whether flash drives, hot-site disaster recovery, and other specific storage and file management technologies are covered or satisfy the rules, Gillespie said.

"The regulations didnt have much precision," said Gillespie, in York, Pa. "They were very general in a lot of cases. Regulatory statements said something about the requirements but didnt come out and say what technology was involved. We went through the regulation sections for more than a year to interpret those regulations into technology solutions that seemed to work and meet the regulations too."

Resource Library:

Just more than half (55 percent) of large health care providers and 72 percent of insurers and other payers are able to meet the requirements of the security part of the law, which went into effect last April, according to HIMSS.

Like the 1999 Gramm-Leach-Bliley Act, which was designed to protect the private data of customers in financial institutions, HIPAA was designed to create fundamental change in the way health care institutions treat the data they store about past transactions, the characteristics of their customers and the services they perform for those customers.

Both laws applied to electronic records the kind of rigorous legal control that had been applied to paper documents for decades. The challenge in controlling electronic records, however, is that its harder to lock them in a room and be sure theyre not being misused.

That discipline represents the confluence of database managers, storage technology and records management specialists who have been largely left out of records processes involving IT, but whose priorities and experience exactly match the need to control electronic records in the same way companies control their paper, according to analyses from ARMA, the Association of Records Managers and Administrators.

Click here to read about an earlier survey showing a shortfall in HIPAA compliance among health care providers.

It shouldnt be terribly surprising that the vast majority of companies can comply with the HIPAA rules, given that the technical requirements arent particularly onerous, Gillespie said.

HIPAA requires health care providers, insurance companies and others involved in health care transactions to provide security on any system containing private information, store and transmit that information according to standardized rules, and place an automatic audit on files to help keep track of who should have access to them and whether those access rules have been violated.

What is surprising is the number of companies that not only are noncompliant but also appear to have no intention of ever complying, according to Ross Armstrong, senior research analyst at IT research company Info-Tech Research Group, in London, Ontario.

"A lot of health care organizations have just decided not to implement HIPAA because they see no public relations downside with noncompliance, and there are no expected legal problems," Armstrong said.

Despite the decade-long, multistaged process by which HIPAA rules have tightened control on the circulation of data among physicians, hospitals, insurance companies and claims-processing clearinghouses, breaches of privacy remain common. Respondents to the Phoenix and HIMSS survey, which provides the most complete statistical picture of compliance within the health care community, reported that breaches of privacy at insurers and other payers went up from 45 percent last summer to 66 percent in January.

Most respondents experienced between one and five breaches, but 20 percent reported six or more.

"HIPAA is a law completely without teeth," Armstrong said. "It is just not enforced the same way Sarbanes-Oxley and other laws are by the SEC [Securities and Exchange Commission] or the U.S. government.

"These other laws come with yearly audits and compliance standards that have to be followed; there are strict process requirements, and executive management is held responsible if theyre not met," Armstrong said.

"HIPAA is a complaints-driven system. If you or I or any other citizen feels that our health privacy has been violated, it is up to us to initiate a complaint to Health and Human Services. When the onus is on the actual victim, it becomes much less enforceable. Who among us can afford to hire lawyers for an uncertain legal outcome?"

Its not that the Department of Health and Human Services is indifferent to HIPAA compliance or isnt willing to enforce it, according to Stanley Nachimson, senior technical adviser to the Office of E-Health Standards and Services at HHS, in Washington.

HIPAA compliance was set up purposely as a reactive, rather than a proactive, process, Nachimson said.

"It is a complaint-based process and therefore is more reactive," Nachimson said. "We prefer that when there are problems within an organization or between organizations that its settled between the organizations. If not, we have a process to look at those complaints and, if it is a possible violation, to go through the investigational process. If we discover there is a violation, we will work with the covered entity to resolve any issues."

Have the costs of HIPAA reduced health care IT spending? Read more here.

Complaints that arent resolved and violations that arent fixed quickly are subject to a fine of between $100 for an incident or a maximum of $25,000 per year for violation of a specific rule. Rule categories such as Privacy or Security might have dozens of individual rules, and violating any of them could carry a fine of $25,000 per year, Nachimson said.

That enforcement is more theory than practice: "[The U.S. government is] willing to fine companies millions for Sarbanes-Oxley violations, but the only conviction for HIPAA ended in a $9,000 fine and it was the perpetrator who was punished, not the health care organization he worked for," Armstrong said.

That case involved SeaTac, Wash., resident Richard Gibson, who was sentenced to pay $9,000 in restitution, spend 16 months in prison and three years on probation for stealing the identity of and disclosing private information about at least one patient at Seattle Cancer Care Alliance, where he worked at the time.

HHS has fielded approximately 20,000 complaints about privacy violations through its civil rights enforcement office, Nachimson said. It has forwarded about 300 of those to the Department of Justice, which decides whether to prosecute.

Next Page: HIPAA may make "business sense," but new tech challenges the rules.





  Reader Comments: Stitching Up Health Records: Privacy Compliance Lags
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Health Care IT Articles          >>> More By Kevin Fogarty
 


x}r㶲s\@♵M푦dKƶ,8:U I)R|IN~b:?qtMJ%3Yg-`n4w~vv IM לٔN\Sãww$wv]2q-*rdz&j9%G jT7R}f]S wGl&J{'AT1vRu1F㠦Y=+[}D}q^~d w .hrLIlGtuGѦ%yHLERNȏm@|׶Cַ0>t@ߨVANÉ,}!*{:|@J%hʏᐨ1"|x\'gOг;/PQ~X?2]hj:TE$*cO^3lc䅠1FE/tI%_:I!4G*v`4EOmCcWPpm׃)sTQ3C}bـYG|ݑ|YCXw:QtQ 3Muq/#!_TBp`ÅzSKW<{m6) |@ɤ:aأZq9e̛ f4öۼCٰo5TתrXJqy/^[,ip'oZ/sj_t/gW9@(֝[`mKVa(.םnG.;ZA@ X_d}#5& D%\.'I&_c=.gv}j] ty[n/4E; KHr SdXIC/YTUGf9jzMҺ쵮鵎ώۭdo̲1<JEӀ Zvd"?Y5Mٹ钓5i>[]d#t2 +?9VV'?{_C&wA5$!|Бd6ml8-" ,70}HG:¤7X0=cOg6%_¤>< &ztmP``#eg! uG νdrgoMC?Ft z7t t,/G`\@8)Hpy E]ub3B[>ȁ=`Mt &QsfPBԁ.q<ɜK) )P CRRP$S$hI#r Bг,`@o%`G`[X;.VKŤ\*y"JM':ݑWKRx&,S,BV-KᗄPf%i2mhƲń(VFNl(0Vf)F4~hN/a2*)4>vwİϞZC>c+UVG,m+ZrijXL[6`aPeQ@3MVRQy5:zȃ`=r36O7]<<f]?&BXct+@9Z'VUmTHbzq 0b={2rt\Xdj²w잴ה!Υ_0'׭y+D*>1f&6XC˦>oُqAʫ%Uf z6,ƴL~5<2eX]2XrmٔAutn\?01CL- ˙@0ρ6UT8[.O#BE-Dd ??uPV.;OYͨlEkJc\CКy]։;lRjzȦ\Q݀+E)'>5 cd]XzmAS0" un‚_xHE&A|Z+hp \@U.(L19r2b*XPTB$&EPg`u0$PoXL+*9K.pϟ  sFWyQFfZ?Kh<]HjP֓C+jrXT+ qvJ8 iJ d1ct<}Oef~Pz~gn-%W#s3/Gx/ ƌ1;h'0`c7\ +RUSkOWbL['ȂX hO7`sk'k=z&:`LTnЬ 0ԴgKZ-,?AlA |~CJhI[dE:Բ'**5P6>*0GnG<W֔H+  c4}5:*jAe߯YYXY:چHi3 9& ~gHy3V9y]%fZ+a1,*=:^4AP,2ϦyęynU ֕Əec<M-xSsͳi4=/ V$8У4 H>Wӳ(cM8W^&&}G TӻjZ)/19W|6t8YW]TMgw_boQ*\ 6-УG'~Uc2~:i 1-a`OO- r uhՂrO'(3߅rf>ra;9Qo@Hms11 `;G=!`n ~/I0'|N:@"#f.3_wj<]~oLƱ4>JkG2cdQhVz\ 4r}cLB.MDo"iBq=C H\}PK{(,~w9ـo |\V* rF2R@BZB$d1~'߾b[D ‚'T.n_\'Wƒ"Eq Dm_/i;k~/[R^s%z08o^(d0 s|j\g#6bW `[&IyD=S5C2ҝa+vH[!PRb_:5g |% \I\5g0Y pe7c_Β0 Z`!灙w1ߐdxPRC (ʡH\R ~tDݽ:o|suN'rm ,Щ c~?OFrA&zRG>gqOQAQ):*9Q_Zakѷo9Aߐ>O1Ok7tEh[(+h,UdsJ;D:{dNlp j`ySrg4/3_{QZinu zs@ƖiR'DZ3pu*h hw?m-~=`rvBC:DHA2S1 F]nĖ9)ŔN yr4 AGJ脊bye5))e3O5NRMLC]OC/$$;+B:zs ݫgaM6mn3j/Nn_"=O&8v\d0G`qk7É@P VްG[(ŤYGJ^KjpVKU^4@ #: 3eZ& 3/wг^w&Z{yr@gq?Ilظ2U(3Xrw{eB s~nߡ'9v$st7'#&Ս1A0n=w>=`M\g7hG(V-w-h* rXs Zt gcBxa1~hrN4{kҸ;5LZ0e,H~ CwGH|5|ÿ§G r;kקOƭtov/zMdaSfoݷ~vsW}㆟yP1n'vlL'#I"ɫ:7}\8%++x|42q/nP2Q^;pG cÙcmf<ݸw[f1vfwo=|]& {~ ]ݣPIݣw);~=Ғ(r۝ZD܎q5Q4'{qI9.x}?K`\Ty^Af6vo"YVN Ȧ7S'{cef7XCŸ@!{ Rf曜Αil&Ƕs{$;grЇ5@*Yv8..ݍnL M A;"J [<[N->4 2UCnUk-Ǭ§u,'i/!IFܱSo-*_1;o*N{cE f™)ꈧ Wך|ebƚ.̼V&Q~p*kwOƥE/.qĨ`lowx7GX#fo<:Qg5U/a.ZşnbpKS;kՏ։vRy Jf+qWLMlt+h&6%KR$]q#qI/.+1J "]E&Qpl*bq8?>>dn _MEFe$Ly$@oph15C˺Mo(NX(-M87IT3Rb_mhƢ 0I%~%ذ HC.~LA,JkT޼""ԟVY7kU$^p U :)MXߤ֖*Zݔ=.:[ m_nRS3w&CԻc $בh.*9:nw05 =YFahetQw3k)L݊-Kl,nʖWc˶c`i(,\C8/|vkdF*[m-o׶R:3(sYS6tqo85x()n`r/}oS.V^^^<@qs7O7O7O7O뿷US =n|y+l+El/p6&%KPz87}A:xA> {?_=:M_3Ho\uCN^RaKhд|A1Gk5O @+[w6g& aB%ᗗ$TmCߐ^يc]g!l9Llp6>@͆a 1KvmOyLq8 p <: AÃK9|&/fC-:<.P< [Z06:~D)/9dR!I:],Mb_j|Xyt ڱҙRwde8 Bi.yk "<H OX&1<]-h߶JɯnY?w6݄zf@~A.q-}b•  Hb\=u_眻%OQ7K\zq,)]O)/f"{Ӹ0d3s >E2JO6|= bVKy7G7G7G7G7Gt.jksDgaEs;PI1xcRS#JIG?9km@-w)b$Ob_maS_dCRV8+_q@  ;'!U0F]A,lC=c / xvyf/C|48Qjrc2Fq% ;u 5^Ǡ]%G=x!ǺmSgDWQ|IT=";F7Cqtk nYo ݒճ_#1aVѥ]HMGҕ9;p9?e/c2/xW,t=1j}ZYU@oK,ݦo2,$UU0BusgqA6}~\3w8LV7ySa M7& E) k4.@I([JQi韗i!,YxYLso||H'S_p 0ohy |廉Fh bHTEC$GصhK2AWrWmkM`9u`|ھ&.⫽;PZdݕ[=s!L02%wNB(5=6[7ol]vjme:0kk35"{A-[oY6௶aulay3^/{t Ȫhֲƞ=:qB⿷Y, eeGbp{,MӺٜ{3փ=؆_ JR yV$HߍNM'L4sKx"(0O7{"2rp@'tM;{ITsZP'|Oq"xiᅞ#qS˃˼ ؛ ۞Nړ!N~X т,#;Ћ'Ld3ţG!̈bD7<l3b6+t{&cٿgGsi=vU{iΞCK/ 3g#0{j4$t|-:[IcdRW~Z73, !e>,h6٦`am_`c\7nmwٛ=uT;эDk2u@ww;OaR,:'7 v2~(Cx8n ݶs1;=v{oe'|{]3?1eѵg Z.Goio/T5|5ѱ L >dw t7,G?PM=яw ƈ> V6V8E -96i[>dJ]I a!/(!/D@~aI{ťd&{Ϙ$2: auIMm&^A ka*bl\M'p.d%ˋ}AE!Lc'm/-Iyp\o ]m95͂E t1^U}u"^ZX:bK2&/ #zЩ>3&^mME*ނ0HR&"+@JVH4ic2-F55R9}fZbfچX50ZVz^3vX5Į[Vںƽq yK-y -J4sc5 :غs,8 ! 1|H 2bq\; =B6٦kKp-Gmt {HTa6A*esW5Uj*r`.J5r/XieZ{r#u]ϋqϝ5=/bZN{#? Rtac8#ˑ`8+G J]{O~Ky g?|t|PSz1߾ZۍrÀEv1%>xo/%5&¯I{e>:b'!M:q_aci*qwM[*{=yJ-h>#Թ<׉cB^tbusι=}@qeYD+ 66mIU+ 7g%۹aiJ1Xp,C"Na8yG*%_[EJzVޏ{6ڈjN1<<5DvŴUh9!MFV(ĠOW1h=`0͈C c  Ą)bUfwܠ~z*ڟOe^f#nZU}{F5dM,K|UAq|%w[fvCGtMG =& )<]С reOJoIg4 Pmļ܏@B )}o M,ӴiDLRO\q\X!,D||0XV$̽Og-<SWld""@Ո&[7F\n^uE@;C}m!y;&e? 8EpAxDG1 '<0~l0W ^΂  [z>0[HGh c6zS?u|1[GB(9Ĝ#MX̸֨n>\_v}< ۗ'0 ឩ0X-4Șh MQ ҖHxDvtVnOKZ&G6@@P0Ho =wBpbZ!Ř!b`V>^r {fĄ1{ɣ5A+$ȧN1Js\-uC@ebqzy'y/@$@Q:AU 7T,5cn Q&@Ĕ͍$u~gvK .X`SYej xp&F-c8dzǸ+ӴF'jbZ``> \)u l9 :UeO g>򽉁{0u3ksRC´vx@X-B<䱤P <'%+R?$ 3V&utlCah),f,TՊR &uU} !2,j)Q@Qy}e蠿,_XD0M蕴B9^Ȑq/w4 }:>1ƺs1Wo\]&'k '׭~<_z%9jwnp4>Vu;WOڗe/W?<1 ky/m2_T 3%,C rrٸh1;eFq('\h^E<^;OK"顱8?/UI{k(%lFyrUzu7L213Sh6[ݮMֆC}^CVՉt.53;bAn^Z+!PU8i67axBIP "v[\rФo%uCF/PKF5_.?n62;P(GN.o c(?^]~9ɠ)G(ڭ.o7sv3kgeF9C7W( W 0/2 {A E}. ϋ D'(Q~gd_@EF9e^\f%euN? /WWq_e s?]7]7=^~W_SV9SF>>eoʁo2ڿh&s$eCPȐ.Np2KQʠ/ޯu|緶xvY^]Z;T_;Yo%P/Y[2y}³2iA}:*K6搉WY-JbġčOJnAm;] j`/i=tfZ}ǠIP4P3 !G0d<ScEx @=ѯFν6v;a[;R#l VT+[-WJr]~ A{(.#&T$`vX엊rF(RB4|;ӌW)57tSsu̚Hͯ˘)͛K~æHp^v,P0~Y$P*`.3I֞.^$ zrg~cm|LڸAoޞ3,ٕ&"m,wz81pgx7"h[Ì,aށzm 466;B~ 2RV@'TЫ ȅ>M&Dr&߼=jOG! T*AZ`HH*|_3> Z<6T?rކwr$\>,+c˃~:= Iߤ\=u{Ȫydaw./C?y% ]1s%1Q6`=)} e)1BV\ddk,,GnČk,q/^'zE7=^[6|n:ˎKl7c@ԯL`Xk/J7'M5"f̯ܞS5z~nm@] 6w1o6Nώ{;Y:kwhy -g"d`.fB~ne.%лx^3S2|e'Oq]ZfKᎧMĮKfAj|n93k6{.yӃs,YZcm\$&aBc M=X`׽E<94vB9 H|Y\+,##1Y Mк ZsJdBN}M(˯9ao5RFXk[MAct:h}rW[4ÃW|cläLcPxUE0@;Cf Ka=GcЁ_454t\зkdQ9Hr&ze h$.7=/k"6DwΆbOIN1^RlsmqSun{Xj9#<}"lE a'@hya 9"Q?g2T~kB=*P=eښS v",IoF}c_V`ńKl;F>4.L$CbF8] "!_S anioyNqI0 `{mC>Xɿl܅eNUhJl[:›rlQ޺׸6Vx}°Ҁ O1SpY ѫv.9|x@loM/e~/9-/p,ZftO#6C|%Joxi}r:Y W96-  `zMeF6iRDR*l'f , ~sf_-r樹Wvm:kmlQ/>uG]Q籺naRWt{.!Xi[e1bdKq=3ӲG(qu<,@P̰SхK e$it qS`-hup#b }tKe!.0w:WXޫlہP#jȅ-`j+7DmEtA<;=+={+`:igNb+:*φŀp̖sW=?5j3lvjsx[wByҹI'RI>Q}v,\J\SK$%W/VfDN˚Ҿ w"6BKFslx6 g"t-