Stitching Up Health Records: Privacy Compliance Lags

By Kevin Fogarty  |  Posted 2006-04-16

The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law.

The bad news? All were supposed to have done so by April 2003.

More bad news? The percentage hasn't changed since last summer, meaning about 20 percent of health care companies are "unable or unwilling to implement federal privacy requirements," according to a twice-yearly survey of health care payers and providers conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society, or HIMSS.

And that's just regarding the rule designed to make sure patient information isn't sent to the wrong people or accessed by people without a right to know. Securing the data so hackers can't force their way in is another category of compliance entirely.

Meanwhile, as of April 21, another wave of companies will have the chance to be noncompliant, as the deadline passes for companies with less than $5 million in revenue to meet HIPAA Security standards.

It's not that health care companies find privacy and security technology hard to manage, said William "Buddy" Gillespie, vice president and CIO at WellSpan Health, which includes two hospitals; a home health care provider; a pharmacy; and about 40 physicians' offices, managed care plans and other outpatient treatment facilities in Pennsylvania and Maryland.

The problem is that HIPAA rules are often vague and technology is developing so quickly that it's often hard to decide whether flash drives, hot-site disaster recovery, and other specific storage and file management technologies are covered or satisfy the rules, Gillespie said.

"The regulations didn't have much precision," said Gillespie, in York, Pa. "They were very general in a lot of cases. Regulatory statements said something about the requirements but didn't come out and say what technology was involved. We went through the regulation sections for more than a year to interpret those regulations into technology solutions that seemed to work and meet the regulations too."

Just more than half (55 percent) of large health care providers and 72 percent of insurers and other payers are able to meet the requirements of the security part of the law, which went into effect last April, according to HIMSS.

Like the 1999 Gramm-Leach-Bliley Act, which was designed to protect the private data of customers in financial institutions, HIPAA was designed to create fundamental change in the way health care institutions treat the data they store about past transactions, the characteristics of their customers and the services they perform for those customers.

Both laws applied to electronic records the kind of rigorous legal control that had been applied to paper documents for decades. The challenge in controlling electronic records, however, is that it's harder to lock them in a room and be sure they're not being misused.

Controlling electronic records that way requires the combined efforts of database managers, storage technologists and records management specialists, who have been largely left out of IT-driven records processes but whose priorities and experience exactly match the need to control electronic records the way companies control their paper, according to analyses from ARMA, the Association of Records Managers and Administrators.

It shouldn't be terribly surprising that the vast majority of companies can comply with the HIPAA rules, given that the technical requirements aren't particularly onerous, Gillespie said.

HIPAA requires health care providers, insurance companies and others involved in health care transactions to provide security on any system containing private information, store and transmit that information according to standardized rules, and place an automatic audit on files to help keep track of who should have access to them and whether those access rules have been violated.

What is surprising is the number of companies that not only are noncompliant but also appear to have no intention of ever complying, according to Ross Armstrong, senior research analyst at IT research company Info-Tech Research Group, in London, Ontario.

"A lot of health care organizations have just decided not to implement HIPAA because they see no public relations downside with noncompliance, and there are no expected legal problems," Armstrong said.

Despite the decade-long, multistaged process by which HIPAA rules have tightened control on the circulation of data among physicians, hospitals, insurance companies and claims-processing clearinghouses, breaches of privacy remain common. Respondents to the Phoenix and HIMSS survey, which provides the most complete statistical picture of compliance within the health care community, reported that breaches of privacy at insurers and other payers went up from 45 percent last summer to 66 percent in January.

Most respondents experienced between one and five breaches, but 20 percent reported six or more.

"HIPAA is a law completely without teeth," Armstrong said. "It is just not enforced the same way Sarbanes-Oxley and other laws are by the SEC [Securities and Exchange Commission] or the U.S. government.

"These other laws come with yearly audits and compliance standards that have to be followed; there are strict process requirements, and executive management is held responsible if theyre not met," Armstrong said.

"HIPAA is a complaints-driven system. If you or I or any other citizen feels that our health privacy has been violated, it is up to us to initiate a complaint to Health and Human Services. When the onus is on the actual victim, it becomes much less enforceable. Who among us can afford to hire lawyers for an uncertain legal outcome?"

It's not that the Department of Health and Human Services is indifferent to HIPAA compliance or isn't willing to enforce it, according to Stanley Nachimson, senior technical adviser to the Office of E-Health Standards and Services at HHS, in Washington.

HIPAA compliance was set up purposely as a reactive, rather than a proactive, process, Nachimson said.

"It is a complaint-based process and therefore is more reactive," Nachimson said. "We prefer that when there are problems within an organization or between organizations that it's settled between the organizations. If not, we have a process to look at those complaints and, if it is a possible violation, to go through the investigational process. If we discover there is a violation, we will work with the covered entity to resolve any issues."

Complaints that aren't resolved and violations that aren't fixed quickly are subject to a civil fine of $100 per violation, up to a maximum of $25,000 per year for violations of any single requirement. Rule categories such as Privacy or Security might have dozens of individual requirements, and violating any one of them could carry its own $25,000-per-year maximum, Nachimson said.

That enforcement is more theory than practice: "[The U.S. government is] willing to fine companies millions for Sarbanes-Oxley violations, but the only conviction for HIPAA ended in a $9,000 fine and it was the perpetrator who was punished, not the health care organization he worked for," Armstrong said.

That case involved SeaTac, Wash., resident Richard Gibson, who was sentenced to pay $9,000 in restitution, spend 16 months in prison and three years on probation for stealing the identity of and disclosing private information about at least one patient at Seattle Cancer Care Alliance, where he worked at the time.

HHS has fielded approximately 20,000 complaints about privacy violations through its civil rights enforcement office, Nachimson said. It has forwarded about 300 of those to the Department of Justice, which decides whether to prosecute.

HIPAA May Make Business Sense, but New Tech Challenges Rules

Nachimson's group has responded to about 400 complaints on issues such as which clearinghouses or middlemen could participate in a particular transaction, what protocols or standards should be used in a particular situation, and whether a business partner's evaluation of "compliant" security was good enough.

"A little more than half of those were dismissed as not really being in violation, 100 or so were settled before final determination and about 100 are still open," Nachimson said.

"We think a lot of the standards make a lot of business sense, so the entities will develop them voluntarily. We've worked with the industry to develop the standards, after lots of debate, relying on industry standards organizations for the standards on transactions and electronic records," Nachimson said.

The privacy, security and data standard rules were not the primary focus of the 1996 HIPAA law, which was designed to guarantee Americans the ability to change jobs without losing their health insurance.

The technical rules fell under a set of provisions titled Administrative Simplification, which didn't so much define as require standardized electronic transmission of administrative and financial transactions, and unique numbers to make it easier to identify patients, employers, and health plans and providers.

The Act didn't define most of the standards, however, leaving HHS to fill in the details.

In its turn, HHS left most of the standard setting to industry groups and health care organizations on the assumption that they knew more about the requirements and technical challenges than HHS staffers would, Nachimson said.

Unlike financial compliance regulations like Sarbanes-Oxley, which were rolled out to the public as a complete set of regulations and instructions for how to avoid violating those regulations, HIPAA has been evolving sedately over the last 10 years.

HHS laid out a series of deadlines by which time industry groups would have to work out data-interchange standards among themselves, define file formats and transaction protocols, and help define the rules governing the role claims clearinghouses and other transaction middlemen were allowed to play.

The hardest part of the compliance process, WellSpan Health's Gillespie said, was setting up an EDI (electronic data interchange) network, which large health care companies had agreed to standardize on as a way to satisfy the requirement that transactions be conducted electronically in a secure way.

By contrast, the privacy and security requirements were simple, more of an extension of what any good IT organization does to protect its data than anything a HIPAA-compliant medical company would do to satisfy industry-specific requirements, Gillespie said.

The biggest ongoing question is how to stay compliant while adapting to new storage technology, such as flash drives and other easily portable storage media, and how to fulfill criteria such as the requirement that patient data be easily available even during downtimes or other minor technical disasters, Gillespie said.

To answer that specific need, WellSpan is developing hot-site disaster recovery systems so its able to continue operating electronically even in the face of a "Katrina-like situation," Gillespie said.

"We've achieved a reasonable level of compliance, as good as any health care company in the country can expect to achieve," he said. "Compliance will be an ongoing expense; things change. We grow as an organization; we have more users, newer tools [with which] to detect intrusion into the Net. The firewall has to expand and grow.

"It's not that we don't have the desire to be totally HIPAA-compliant," Gillespie said. "It will continue to be on our radar screen; it will be something we will have to monitor on an ongoing basis. Every health care organization has to provide the proper level of privacy and security. We think we're in pretty good shape."

HIPAA procedures checkup

Like other regulations that focus on the control and disclosure of specific information, HIPAA requires far more process than product.

The rules that require technical implementation include:

  • That all medical records be stored in electronic format
  • That the electronic format be standardized
  • That each health care provider (hospitals, physician offices, clinics) and each payer (insurance companies, employers) be issued a unique identification number it can use on all the medical forms it touches
  • That standards for exchanging records be established and all records adhere to them
  • That each organization provide security and a file-auditing capability that will prevent outsiders from accessing files and that it give regulators a record of who has had access to each file and what each person added to it
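The last item in that list, and the body text's description of "security on any system containing private information" plus "an automatic audit on files" that records who accessed each file and whether access rules were violated, can be shown concretely. What follows is an added example written for this page, not code from WellSpan, Phoenix Health Systems, HHS or any HIPAA product: an in-memory patient chart store whose role policy, user names and record IDs are constructed for the demonstration. It refuses any action outside the role policy, appends every attempt (allowed or denied) to a hash-chained audit log before returning data, and can answer the two questions a regulator asks: who touched a given chart, and were any access rules violated.

```python
"""Added example (not from the article): role-checked PHI store with a
hash-chained audit trail. Roles, users and record IDs are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed role policy (an assumption for the demo, not a HIPAA-mandated
# matrix): which actions each workforce role may take on a patient chart.
POLICY = {
    "physician": {"read", "write"},
    "nurse": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),
}

GENESIS = "0" * 64  # prev_hash carried by the very first audit event


@dataclass
class AuditEvent:
    ts: str
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool
    detail: str
    prev_hash: str  # digest of the previous event, linking the chain

    def digest(self) -> str:
        # Canonical JSON so the hash does not depend on field ordering.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class RecordStore:
    """Chart store where every access attempt is logged before it is served."""

    def __init__(self) -> None:
        self._charts: dict[str, list[tuple[str, str]]] = {}
        self.audit: list[AuditEvent] = []
        self.head = GENESIS  # digest of the newest event, held out of band

    def _log(self, user: str, role: str, action: str, record_id: str,
             allowed: bool, detail: str) -> None:
        ev = AuditEvent(datetime.now(timezone.utc).isoformat(), user, role,
                        action, record_id, allowed, detail, self.head)
        self.audit.append(ev)
        self.head = ev.digest()

    def _check(self, user: str, role: str, action: str, record_id: str,
               detail: str = "") -> None:
        # Decide from the role policy, log the decision, then enforce it.
        allowed = action in POLICY.get(role, set())
        self._log(user, role, action, record_id, allowed,
                  detail if allowed else "denied by role policy")
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record_id}")

    def read(self, user: str, role: str, record_id: str) -> list[tuple[str, str]]:
        self._check(user, role, "read", record_id)
        return list(self._charts.get(record_id, []))

    def write(self, user: str, role: str, record_id: str, note: str) -> None:
        self._check(user, role, "write", record_id, detail=note)
        self._charts.setdefault(record_id, []).append((user, note))

    def violations(self) -> list[AuditEvent]:
        """Attempts the policy rejected: the 'access rules violated' report."""
        return [e for e in self.audit if not e.allowed]

    def accesses(self, record_id: str) -> list[tuple[str, str]]:
        """Who successfully touched a chart and what each person did."""
        return [(e.user, e.action) for e in self.audit
                if e.record_id == record_id and e.allowed]

    def verify_audit(self) -> bool:
        """Recompute the chain; an edited or deleted event breaks a link."""
        prev = GENESIS
        for ev in self.audit:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return prev == self.head


if __name__ == "__main__":
    store = RecordStore()
    store.write("dr_lee", "physician", "MRN-1001", "initial consult")
    print(store.read("nurse_kim", "nurse", "MRN-1001"))
    try:
        store.read("contractor", "facilities", "MRN-1001")
    except PermissionError as exc:
        print("blocked:", exc)
    print("violations:", [(e.user, e.action) for e in store.violations()])
    print("chain intact:", store.verify_audit())
```

The chain is only as trustworthy as the stored `head` value, so in a real deployment that digest would be written somewhere the application cannot modify (a write-once log service or a separate host), and the log itself would be persisted rather than kept in memory. The point the example makes is that the denial and the record of the denial are produced by the same code path, so a violation can never occur without leaving an entry.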

    Organizational challenges include:

  • Educating both medical and clerical employees about the existence and requirements of HIPAA
  • Assessing and documenting an organization's privacy policies and practices
  • Developing new policies and procedures to ensure privacy and enforce security
  • Building agreements with business partners to be sure file and financial exchanges comply with HIPAA stipulations
  • Developing and maintaining internal enforcement officers, including employees with the power to enforce policy acting as privacy and security directors

    Source: Phoenix Health Systems
