Health-care Providers Racing to Comply with New Security Safeguards
Health-care providers are once again racing to ensure compliance with another set of information security safeguards.
Health-care providers are once again under the gun, struggling to ensure compliance with yet another set of information security and privacy safeguards. It’s a familiar, if reactive, stance.
In the early part of the decade, health-care shops found themselves in a race against time to comply with the security and electronic data interchange (EDI) provisions of the then relatively new Health Insurance Portability and Accountability Act (HIPAA). HIPAA proved so disruptive that Congress repeatedly extended its EDI deadlines (first through 2003, then -- on a “contingency basis” -- through 2005), giving IT organizations additional time to comply.
This time around, health-care IT professionals are grappling with the information technology provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which Congress passed earlier this year as part of the Obama administration’s omnibus economic stimulus package.
HITECH -- which is scheduled to take effect in February of 2010 -- extends HIPAA’s information security and privacy provisions. HITECH has a decidedly toothy character: among other changes, it updates HIPAA with additional enforcement, audit, and penalty provisions. Organizations have ample incentive, then, to ensure compliance with HITECH mandates.
The rub is that a majority of shops -- more than half, according to researchers -- aren’t sure they can comply with HITECH’s new information security and privacy guidelines. For example, according to a survey of 77 U.S. health-care organizations conducted by accounting firm Crowe Horwath LLP (at the behest of information security specialist The Ponemon Institute), just 47 percent of shops feel they have the resources or budget to comply with HITECH mandates. Overall, the survey found, 94 percent of shops say they aren’t yet ready to comply with HITECH’s privacy and security provisions.
Call it HIPAA redux. In fact, researchers say, one reason shops aren’t yet ready to grapple with HITECH is that many aren’t yet fully up to speed on HIPAA -- in spite of the fact that most HIPAA mandates are in effect.
The first round of HIPAA information management and security requirements kicked in at about the same time -- 2003 and 2004 -- when the U.S. was recovering from the dot-com implosion. The result, of course, was that IT organizations were understaffed and underfunded (in some cases, drastically so) just as they were racing to comply with HIPAA mandates. Ditto for HITECH.
“We believe that most organizations are not ready for HITECH as a result of compliance issues within their existing HIPAA programs,” said Raj Chaudhary, a principal with Crowe Horwath’s risk consulting group, in a statement. “Even though most organizations acknowledge that their HIPAA compliance programs are deficient, our survey found that implementing necessary controls or securing third-party assistance to help ensure compliance may be limited due to budgetary restraints.”
Sponsorship is another problem: HIPAA garnered a great deal of press, thanks in part to its unprecedented enforcement provisions.
Although HITECH has plenty of teeth, management isn’t on board: more than half (55 percent) of shops cited a lack of management support or sponsorship for HITECH compliance. “Our research consistently finds that a lack of budgetary and moral support from the executive suite is a common barrier to proper data security and management programs, even with the specter of regulatory enforcement looming,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a prepared release.
Elsewhere, a lot of shops admitted to the likelihood of “significant gaps” in their privacy and security efforts: nearly two-thirds (60 percent) acknowledged that they’ve only partially implemented risk-based programs to safeguard the privacy of protected health information. Similarly, half of organizations conceded that they probably aren’t providing adequate training for privacy or security, while nearly half (45 percent) believe they haven’t developed clear or effective policies governing the use or dissemination of protected health information.
Surprisingly, the Crowe Horwath/Ponemon survey found, almost all health-care shops have experienced data breaches of some kind. Fully 90 percent of organizations said they have experienced a data breach that involved the loss, theft, or misappropriation of at least one health record.