CHAPTER 71

MEDICAL RECORDS PROTECTION

Paul J. Brusil

71.1 INTRODUCTION

71.2 INFORMATION AND INFORMATION TECHNOLOGY IN HEALTHCARE

71.2.1 Medical Record Information Is Key to Healthcare

71.2.2 Role of IT in Healthcare

71.3 INFORMATION PRIVACY AND SECURITY ARE IMPORTANT IN HEALTHCARE

71.3.1 Increasing Healthcare Information Technology Risks and Vulnerabilities

71.3.2 Healthcare Information Privacy and Security Needs and Challenges

71.3.3 Core Privacy and Security Model in Healthcare

71.4 NONMEDICAL DRIVERS FOR HEALTHCARE INFORMATION PROTECTION

71.4.1 Political Pressure

71.4.2 Public Pressure and Media Pressure

71.4.3 Patient Expectations

71.5 UNITED STATES LAWS AND GOVERNMENT POLICIES

71.5.1 Federal Laws

71.5.2 State Privacy and Security Laws

71.5.3 Government Policies

71.5.4 Emerging Legislation

71.6 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

71.6.1 HIPAA Administrative Simplification Overview

71.6.2 Privacy and Security Strategy

71.6.3 Privacy Regulations

71.6.4 Security Regulations

71.6.5 Enforcement, Penalties, and Liabilities

71.6.6 Realities in Fielding HIPAA Information Protection Regulations

71.7 SUMMARY

71.8 FURTHER READING

71.9 NOTES

71.1 INTRODUCTION.

U.S. regulatory compliance forces increased attention on information protection. Regulations such as SOX 404 (Sarbanes-Oxley), FISMA (Federal Information Security Management Act), GLB (Gramm-Leach-Bliley), HIPAA (Health Insurance Portability and Accountability Act), and others are establishing floors of due diligence regarding information protection in specific public and private sectors. They require attention to the development of information protection policies and procedures, to business process changes, to technology enhancement, and to other factors related to establishing and maintaining information protection.

From a healthcare provider's perspective, there is tradition regarding the privacy and security of a patient's medical information. Indeed, the central concept of HIPAA privacy and security requirements arises from Hippocrates and his oath. Abusers of this oath, personnel outside the purview of this ethical oath, hackers, and criminals represent the people problems that HIPAA privacy and security regulations address.

This chapter identifies and examines the issues pertaining to privacy and security of personal medical records. The term “medical record” is used here to mean all types of healthcare information, be it dental records, therapist records, physician notes and records, medical claims, and so on. Medical records contain personally identifiable, confidential information, the protection of which is the subject of HIPAA and other privacy and security regulations.

Medical records are critical for a variety of healthcare delivery and healthcare business purposes, including diagnosis, preventive and curative treatments, research, administration, and numerous other activities. Medical records are crucial to the operations and survival of healthcare entities; they require stringent security measures.

The roles of information and technology in healthcare are considered in Section 71.2. Technical drivers for healthcare information privacy and security are examined in Section 71.3. Other drivers for healthcare information protection are summarized in Section 71.4. Applicable United States laws and regulations are identified in Section 71.5. Section 71.6 considers in some detail the most significant U.S. law regulating medical information: HIPAA.

71.2 INFORMATION AND INFORMATION TECHNOLOGY IN HEALTHCARE

71.2.1 Medical Record Information Is Key to Healthcare.

Medical records are the lifeblood of healthcare entities, whether they are individual healthcare providers, small physician office practices, large medical hospital complexes, healthcare insurance companies, or insurance claims clearinghouse intermediaries.1 Without patient data, research data, financial data, billing data, human resources, administrative data, and so on, healthcare entities can be crippled.

Care suffers if medical records are unavailable. Healthcare delivery after natural disasters has been devastated because of the unavailability of medical records. Other potential widespread events (disease outbreaks, cyberterror, etc.) may similarly impact connectivity to medical records and thus the delivery of healthcare services.

Healthcare information is essential to several organizations2 for various purposes, some of which are identified here. Healthcare entities need information to meet obligations to customers, personnel, payers (e.g., insurance companies or employers), and others. Historical personal medical record information is essential to all care providers who treat a specific patient. Information associated with current diagnoses and treatment plans supports payment of healthcare provider fees by government (e.g., Medicare/Medicaid) and/or private health insurance carriers. Personal records of hospital discharges, outpatient encounters, treatments, births, deaths, immunizations, and so on, are of interest to state and federal disease control agencies. Some healthcare information may also be needed by social service or law enforcement agencies.

Personal healthcare information also exists on commercial databases. Some are obvious: those maintained by pharmacies, rehabilitation facilities, and medical supply stores. Others are less obvious: databases derived from catalog orders, warranty registrations, and consumer questionnaires.

Other organizations need data aggregated across several personal medical records. Aggregated information provides actuarial data needed by healthcare administrators for cost trend analyses and insurance companies for insurance policy price setting. Other aggregated healthcare information facilitates epidemiological research, analyses of treatment efficacies, identification of long-term public health trends, or tuning of healthcare resource allocation plans.

71.2.2 Role of IT in Healthcare.

To cope with expansions of healthcare information, many healthcare entities must use information technology (IT) for acquiring, processing, storing, and conveying medical records and for measuring and improving the quality of care. Healthcare has been quick to adopt IT-enhanced medical technology to improve diagnoses, treatments, and patient care. However, it has been slower to embrace IT-assisted e-business principles for automating and improving business operations and efficiency. This has been surprising given the information-intensive nature of the business. It was not until the early 2000s that healthcare IT growth reached levels comparable to other IT-centric industries. Evidence shows IT is lowering healthcare cost escalation.3

Desire for IT-enabled, real-time medical records access and handling is growing.4 For treatment purposes, patients benefit when healthcare providers have rapid access to accurate information to assist in personalized decision making. For healthcare researchers, cures may lurk in evidence-based analysis of population-wide volumes of medical records. For healthcare business purposes, healthcare costs can be lowered when service claims and associated payments are exchanged in real time. Healthcare system improvements may arise when oversight bodies can analyze population-wide diagnoses and treatment regimens. The need for rapid access to healthcare information drives the push for electronic medical records that can be exchanged readily among multiple parties, healthcare systems, healthcare entities, jurisdictions, and states.

Benefits accompany increased reliance on electronic medical records and associated IT to provide services, to conduct day-to-day business, and to share medical records. Estimates indicate over $80 billion will be saved annually with wide-scale IT adoption by care providers.5

But unwanted consequences accompany IT proliferation. Their likelihood is increasing. IT vulnerabilities and risks can lead to healthcare information exposure, misuse, abuse, or alteration and to delivery of potentially inappropriate healthcare services and treatments. As sensitive healthcare information is accumulated, aggregated, and made accessible to more parties, there is a greater chance of massive disclosures of personal information, breakdowns of medical services, and catastrophic personal and economic losses.

71.3 INFORMATION PRIVACY AND SECURITY ARE IMPORTANT IN HEALTHCARE.

Privacy and security of medical records started drawing attention in the 1990s. HIPAA and PDD-63 (Presidential Decision Directive 63) focused national attention on healthcare information protection. Section 71.3.1 identifies technological risks and vulnerabilities associated with medical records. Needs and challenges of healthcare information protection are considered in Section 71.3.2. Section 71.3.3 summarizes a core model for healthcare information protection.

71.3.1 Increasing Healthcare Information Technology Risks and Vulnerabilities.

As new networking and IT capabilities, devices, applications, and systems are introduced to the healthcare field, risks and vulnerabilities accompanying electronic medical records increase.

Incidents of medical record breaches are increasing. An emergency room patient attempted suicide after being called by a prankster who stole patient contact information and wrongfully informed the patient of pregnancy and HIV infection. Over 100 hospital employees pried into the medical records of a renowned athlete receiving treatment. A governor's health record and numerous voters' medical records were retrieved from a database of state employee health insurance claims, using birth date and ZIP code data obtained from a voters' database.

Over a six-month period in 2006,6 privacy breaches rose from 45 percent of healthcare payers to nearly two-thirds of payers. Most payers experienced up to five privacy breaches. Over a third of providers and payers experienced at least one, and up to 11, data security incidents. Military employee personal health information was not immune to breaches.7 At the Department of Veterans Affairs, disclosure of up to 29 million personal records containing healthcare information is among the largest privacy breaches.8 Even the agency that promulgated HIPAA was not immune; a General Accounting Office review of the Department of Health & Human Services (HHS) concluded that HHS is behind in incorporating security into everyday operations. Significant security weaknesses could lead to breaches of personal health information from the millions receiving Medicare and Medicaid coverage.9

Medical identity theft is a looming crisis.10 Stolen care provider identities can be used to post false prescriptions and to submit fraudulent billing claims. Stolen patient identities can be used to steal healthcare services and prescription drugs. Stolen services lead to potentially harmful, bogus additions to legitimate patients' medical records. Fraudulent claims can lead to false patient copays, false provider back-billing of patients, and inappropriate exhaustion of patient lifetime benefits. Nearly 500,000 yearly victims may exist.11

Use of emerging technologies for acquiring, processing, storing, and communicating healthcare information escalates security breach opportunities and susceptibility to ever-newer attack vectors. Increasing numbers of unsavory individuals plying the Internet escalate the potential for breaching medical records: more cads exploiting vulnerabilities in more healthcare networking gear and in integrated healthcare IT systems and applications.

For example, Web technology allows healthcare entities to set up personal electronic medical records that can be accessed, managed, amended, and corrected online, both through portals for healthcare providers and portals for healthcare consumers. Attackers thus have more potential entry points to attempt healthcare information breaches. Furthermore, undetected spyware and keystroke loggers can transmit recorded keystrokes of sensitive personal patient information to unintended recipients.

New data warehousing and mining tools supporting healthcare information fusion, convergence, and analysis bring new information protection problems. Information cross-referencing and merger across private and public databases can create highly confidential, cradle-to-grave personal medical information profiles by aggregating distributed snippets of less sensitive data. Potential merger of medical records with other personal information databases housing shopping and credit card information can create data warehouses with disturbing amounts of aggregated personal and medical information. As sensitive healthcare information is merged, the greater is its value as a potential target for cyber malcontents.

As new technologies are fielded in healthcare environments, more vendor implementations of new technologies need to be trusted both for their ability to be implemented correctly and for assurance that they can minimize new risks and exposures. Trust must be established (see, e.g., Chapter 51 in this Handbook) that there are no vendor implementation flaws that allow unauthorized information to be entered into or extracted from medical records.

71.3.2 Healthcare Information Privacy and Security Needs and Challenges.

Medical records protection is essential not only for protection of personally confidential information but also for success, stability, and survival of healthcare entities' care delivery, operations, and businesses.

Privacy and security policies, procedures, and mechanisms are needed for various reasons. They are needed to facilitate safe access to, and distribution of, patient history data to support both local treatment planning and remote treatment planning (e.g., by off-site specialists or telemedicine service providers). They are crucial to real-time payment for rendered healthcare treatments and to prevention of falsified billing claims. They enable the business side of healthcare to leverage electronic commerce paradigms. Healthcare entities can benefit from real-time healthcare service provisioning and business operations models while containing the costs of attacks.

From the patient perspective, healthcare information privacy is paramount, along with ensuring reliability of data used in medical decisions. Healthcare consumers do not want cyberterrorists making deadly changes to electronic medical records and treatment orders. Both personal safety and population safety demand protection of healthcare information.

Some of the challenges associated with medical records protection may be unique to healthcare; for example:

  • Wireless communication of orders and patient information to and from the hospital bedside, or among healthcare providers' offices, can be prone to disclosure, modification, and eavesdropping by medical services and information thieves, busybodies, and paparazzi.
  • Errors or deliberate alterations associated with billing charges may be criminal; but they can be deadly in the case of healthcare histories, treatment orders, or prescriptions. Survivability of both patients and healthcare entities is at stake.
  • Many healthcare providers are attaching to the Internet to submit billing claims or to access patient medical records.
  • Electronic commerce with supply-chain partners provides other potential points of entry to healthcare IT systems. Healthcare entities must establish trust in the security provided by parties that may never be seen or met.
  • Many factors increase the likelihood that medical information will be accessed by the unauthorized and used improperly. They include proliferation of government, institutional, and commercial databases housing medical information, large numbers of people involved in settling health insurance claims, and the number of people, authorized and unauthorized, who can access a person's medical records.
  • Multiple replications of healthcare data and multiple data users elevate risks of data exploitation.
  • Multiparty needs for medical records lead to pressure on legislatures for legal restraints on access to personal information by different parties.
  • Because the healthcare industry is so fragmented with different players and stakeholders, it literally takes an act of Congress to coordinate the industry in matters such as IT, privacy, and security.
  • As the healthcare industry is a latecomer to embracing IT, it tends to lack experience in IT privacy and security strategies, mechanisms, and procedures.
  • With immaturity of information assurance (IA) experiences and knowledge of IA issues in the healthcare sector, the it-won't-happen-to-us mentality is prevalent and medical records protection issues are downplayed.

71.3.3 Core Privacy and Security Model in Healthcare.

The model of medical records privacy shifted with the advent of HIPAA. Patients now own their own private healthcare information. All other healthcare entities and individuals must protect that information from intentional or unintentional disclosure. Security procedures, measures, and mechanisms are used to protect and to maintain privacy of patient information.

The classic model of information security, built on healthcare entities striking acceptable balances among availability, confidentiality, integrity, and accountability, applies. These attributes are essential for establishing trust in healthcare information during its capture, processing, storage, transmission, and sharing.

  • Availability. Information has to be available to those who are entitled to see it or to process it, at the time when they need it. Those who do not need specific information in the performance of their duties must be denied access. Threats to availability arise from denial of service attacks and from deliberate or accidental infrastructural damage to networks, hardware, and software.
  • Integrity. Information needs to be defended against accidental or deliberate corruption and modification. Threats include viruses, malware, worms, emerging Internet-borne threats, unauthorized or accidental modification, errors in structural integrity, logical corruption, and fraudulent misuse.
  • Confidentiality. Information should not be available to those who are not entitled to see or to process it. Threats include unauthorized access and disclosure by hackers or by careless disregard for the rights of privacy.
  • Accountability. Healthcare entities must establish and control who is responsible for what. Nonrepudiation mechanisms must safeguard against denials of specific actions. Also, security incidents may be nobody's fault but may be big problems if prevention is nobody's job. Individual responsibility must be a matter of record so that appropriate remedial action may be taken, including assignment of blame and additional training.

Trade-offs exist among these attributes. Emphasizing one may adversely impact others. For example, emphasis on confidentiality may impact availability (physical and electronic access controls tend to complicate legitimate access). In combination with other factors (e.g., human error, or hardware or software failure), preserving confidentiality may result in less accessible data.
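The four attributes above, applied to a small medical record store, as an added illustration that is not part of the chapter: the need-to-know role table, the patient and staff identifiers, the record contents, and the integrity key are all constructed for the demo. Denying a role a section it does not need serves confidentiality, granting it to entitled roles serves availability, an HMAC tag per section serves integrity, and an append-only audit log of every attempt (allowed or denied) serves accountability.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed need-to-know table: which record sections each role may handle.
# A role whose duties do not require a section is denied it.
ENTITLEMENTS = {
    "attending_physician": {"history", "treatment_orders", "billing"},
    "nurse": {"treatment_orders"},
    "billing_clerk": {"billing"},
}

# Constructed demo key; a real deployment would keep this in an HSM or key vault.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def seal(patient_id: str, section: str, content: str) -> str:
    """Integrity tag: HMAC-SHA256 bound to patient and section, so a section
    cannot be silently edited or swapped between patients without detection."""
    msg = json.dumps([patient_id, section, content]).encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


class MedicalRecordStore:
    def __init__(self) -> None:
        self.records: dict = {}     # patient_id -> section -> (content, tag)
        self.audit_log: list = []   # accountability: every attempt, allowed or not

    def _log(self, actor, role, action, patient_id, section, outcome) -> None:
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role, "action": action,
            "patient": patient_id, "section": section, "outcome": outcome,
        })

    def _authorize(self, actor, role, action, patient_id, section) -> None:
        # Need-to-know check; the refusal itself is a matter of record.
        if section not in ENTITLEMENTS.get(role, set()):
            self._log(actor, role, action, patient_id, section, "denied")
            raise PermissionError(f"{role} is not entitled to {section}")

    def write(self, actor, role, patient_id, section, content) -> None:
        self._authorize(actor, role, "write", patient_id, section)
        tag = seal(patient_id, section, content)
        self.records.setdefault(patient_id, {})[section] = (content, tag)
        self._log(actor, role, "write", patient_id, section, "ok")

    def read(self, actor, role, patient_id, section) -> str:
        self._authorize(actor, role, "read", patient_id, section)
        content, tag = self.records[patient_id][section]
        # Integrity: recompute the tag before trusting the stored content.
        if not hmac.compare_digest(tag, seal(patient_id, section, content)):
            self._log(actor, role, "read", patient_id, section, "integrity_failure")
            raise ValueError(f"integrity check failed for {patient_id}/{section}")
        self._log(actor, role, "read", patient_id, section, "ok")
        return content


def demo() -> dict:
    """Walks the four attributes on constructed data and returns what happened."""
    store = MedicalRecordStore()
    store.write("dr_lee", "attending_physician", "P-001", "treatment_orders",
                "amoxicillin 500 mg q8h")
    store.write("dr_lee", "attending_physician", "P-001", "billing", "CPT 99213")

    # Availability for the entitled: the nurse reads the orders she acts on.
    nurse_reads = store.read("rn_cruz", "nurse", "P-001", "treatment_orders")

    # Confidentiality: the same nurse is denied billing data she does not need.
    try:
        store.read("rn_cruz", "nurse", "P-001", "billing")
        nurse_billing_denied = False
    except PermissionError:
        nurse_billing_denied = True

    # Integrity: simulate an out-of-band change to stored orders (e.g. disk tamper)
    # that keeps the old tag; the next read must refuse the altered dose.
    _, tag = store.records["P-001"]["treatment_orders"]
    store.records["P-001"]["treatment_orders"] = ("amoxicillin 5000 mg q8h", tag)
    try:
        store.read("rn_cruz", "nurse", "P-001", "treatment_orders")
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # Accountability: the denial and the integrity failure are both on record.
    outcomes = [entry["outcome"] for entry in store.audit_log]
    return {
        "nurse_reads": nurse_reads,
        "nurse_billing_denied": nurse_billing_denied,
        "tamper_detected": tamper_detected,
        "denied_logged": "denied" in outcomes,
        "integrity_failure_logged": "integrity_failure" in outcomes,
        "audit_entries": len(outcomes),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```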

Medical records protection measures need to be tailored to the precise privacy and security requirements of each specific healthcare entity. Therefore, government regulations should not prescribe specific protection mechanisms universally applicable to all healthcare entities.12

71.4 NONMEDICAL DRIVERS FOR HEALTHCARE INFORMATION PROTECTION.

Medical records protection is not just a technical issue. It is also subject to nontechnical, social, administrative, and regulatory pressures both outside and inside healthcare entities.

71.4.1 Political Pressure.

Many healthcare services are the responsibility of state or federal governments. Being under governmental auspices assures tensions created by political pressures. Many politicians focus on requiring healthcare administrative simplification (and presumed cost-cutting) and extending publicly funded coverage to different population groups. Issues surrounding the privacy and security of medical information may not appear as rallying points for elections. They can unite political factions, as was the case for passing HIPAA legislation. But the cost burdens of complying with HIPAA may act to increase political tensions and factions.

71.4.2 Public Pressure and Media Pressure.

Public sensitivity about medical records seems related to possible embarrassment if sufferers' maladies were known. Some medical conditions carry emotional baggage or taboos. If disclosed, they can significantly impact a patient's everyday life. They can impact job or promotion prospects. They can impact appraisal of fitness as parents. They can upset eligibility for insurance or quality of life rights. Creditworthiness or financial status can be affected.

There is concern of intrusive sales efforts targeted on the basis of healthcare information. Such tactics are seen as an invasion of privacy.

Public opinion seems indeterminate as to how significant a priority medical record privacy is during the heat of a medical emergency.13

Media have their own political or socioeconomic agendas, but all are interested in “good” stories. Bureaucratic incompetence is newsworthy, as are medical or computer malefactors. Maladies of celebrities, misdiagnoses, or surgical mistakes receive wide coverage.14

71.4.3 Patient Expectations.

Patients often perceive their personal information as confidential and expect that anyone who works with their data has a “duty of confidence.” Americans overwhelmingly favor strong protection of their healthcare information.15

  • Computerization is seen as the greatest threat to privacy; over 50 percent believe the shift from paper to computer-based systems makes protection of their medical information more difficult.
  • Patients are reluctant to divulge their medical records to anyone other than their care providers; 60 percent prefer not to grant access to prospective employers. Seventy percent do not want drug companies to use personal data in pharmaceutical sales and marketing databases.
  • Most patients do not trust private and government health insurers to maintain confidentiality; only a third trust such entities to maintain confidentiality.
  • Many patients worry that the privacy of their medical information will be violated. About 15 percent even withhold information when asked for medical history. They also may provide false information, pay medical fees personally even if insured, change doctors, ask doctors not to keep a record of their condition, or avoid medical care altogether.16

Interestingly, despite concerns about medical record protection, many patients feel that technology vendors or healthcare entities have such protection under control, even in light of the rash of large personal information breaches at many institutions.

Patient expectations in other countries, such as the United Kingdom, are similar. For example, the National Health Service of the United Kingdom includes this reassuring language in its “Core Principles”:

The NHS will respect the confidentiality of individual patients and provide open access to information about services, treatment and performance.

Patient confidentiality will be respected throughout the process of care. The NHS will be open with information about health and healthcare services. It will continue to use information to improve the quality of services for all and to generate new knowledge about future medical benefits.17

71.5 UNITED STATES LAWS AND GOVERNMENT POLICIES.

Healthcare entities are impacted by numerous statutes, some specific to the healthcare industry, some more general. Some U.S. laws that pertain to the privacy and security of healthcare information are identified in the sections that follow.

71.5.1 Federal Laws

  • Privacy Act. One of the earliest laws covering medical databases is the Privacy Act of 1974. Without written individual consent, this law forbids disclosure of personally identifiable health information, such as Medicare treatment records, collected by the U.S. government. In addition to Privacy Act provisions, the HHS Centers for Medicare & Medicaid Services are required to follow specific additional Privacy Act Regulations.18
  • False Claims Act. Healthcare providers submitting fraudulent claims can be punished with triple damages, penalties of $5,000 to $10,000 per wrongful billing, and exclusion from government insurance programs. Many of the accused settle out of court because it is often more expensive to win such legal cases and much more costly if they lose. Without adequate security, electronic billing can open doors to malicious attacks on healthcare claims so that they appear to be wrongful, prosecutable billing claims.
  • HIPAA. HIPAA is a massive and comprehensive law pertaining to several areas of healthcare. HIPAA includes a section on Administrative Simplification, which includes provisions for privacy and security for healthcare information. HIPAA's Administrative Simplification section amended the Social Security Act title XI and has been added—in total—as Part C of Title XI. HIPAA is discussed in detail in Section 71.6.
  • Electronic Signature Act of 2000. The Electronic Signatures in Global and National Commerce (E-Sign) Act provides for an e-signature to have the same legally binding weight as a written signature. There appears to be movement on the part of healthcare providers toward use of electronic signatures on treatment and prescription orders.
  • FISMA. Certain government agencies that deal with healthcare information need to comply with both HIPAA and the Federal Information Security Management Act of 2002 (FISMA).19 FISMA requires all federal agencies to adopt and to demonstrate use of NIST-specified IT security processes and procedures that include categorizing risks associated with IT systems, developing and maintaining minimum controls to protect information systems, verifying and monitoring the effectiveness of their security controls via a specified certification and accreditation framework, and taking corrective actions when necessary. The private sector might benefit by using the NIST framework together with HIPAA (and also ISO 17799) requirements to “assess, measure, track, and deliver a more secure and user-friendly [information handling environment] and in the process achieve [HIPAA] compliance.”20

71.5.2 State Privacy and Security Laws.

Several states have applicable laws. For example, California's Security Breach Information Act (Senate Bill 1386) requires any company—including those that are entities covered under HIPAA—to disclose potential security breaches. This is the seminal law that establishes a new paradigm for combating personal information disclosure breaches. The law targets disclosure offenders rather than imposing burdensome regulations on all. It leverages data custodians' desires to sustain their images as reliably safe repositories of personal information. As such, having sufficient information protection safeguards is essential. As of 2006, 23 states had similar laws.21 The corresponding New York law extends provisions to apply to state government agencies.

Although these laws may be intended to be used when “consumer” personal data are compromised, it is not hard to imagine patients as consumers (of healthcare).

Observers have noted that the existing state laws are overlapping, inconsistent, and incomplete.22 Accordingly, federal legislation may establish a uniform, national solution that supersedes the mosaic of state laws.

71.5.3 Government Policies.

Various government policies relate to medical record protection. Policies try to enhance or to fill gaps in existing laws, or to establish rules in lieu of applicable laws. Some policies may be overtaken by events or are of uncertain precedence with respect to laws. As such, the examples that follow may no longer be applicable at the time of the reading of this chapter. Readers should investigate what policies may be in effect when reading this material.

  • Presidential administrations issued policies,23 plans,24 and positions25 wherein the healthcare sector is deemed a critical national infrastructure. It needs to be protected. It needs to continue operating because the nation and economy depend on it.
  • The Health Care Finance Agency (HCFA) established policy26 for incorporating security functionality and for appropriately using the Internet to convey healthcare information protected by the Privacy Act as well as other sensitive HCFA information.
  • The Office of Management and Budget promulgated policy recommending all federal agencies, including those operating as healthcare entities for which HIPAA is also applicable, to implement protection mechanisms including encrypting all data stored in mobile devices and establishing database access logging.27
  • The National Security Telecommunications and Information Systems Security Committee representing the aggregate of major federal agencies issued a policy directive28 pertaining to the purchase and use of IT products. The policy looks to the purchase and use of products evaluated according to the Common Criteria. It is felt that such evaluations increase trust in the security features implemented in IT products. This policy applies to federal agencies that act as entities covered under HIPAA.
  • The Federal Acquisitions Regulation Council issued a rule specifying that procurement officers at all federal agencies are required to incorporate IT security requirements in their IT acquisition planning. This policy applies to federal agencies that act as entities covered under HIPAA.
  • The Executive Branch issued the Homeland Security Presidential Directive/HSPD-1229 requiring government employees and contractors working at government agencies—including those operating as entities covered under HIPAA regulations—to use specific government IDs issued by trusted authorities only to identity-proved individuals.

71.5.4 Emerging Legislation.

Pertinent legislative activities constantly emerge. HIPAA started a chain reaction of new legislation related to IT-oriented privacy and security. New laws and regulations are likely, especially given that many feel extant laws are insufficient.30 Advocacy and lobbying groups, such as the Consumer Privacy Legislative Forum,31 form to help drive legislation that may impact healthcare in unpredictable ways.

Although it is impossible to identify legislation emerging when this chapter is published, readers should be vigilant about what looming legislation may be adopted and may impact their medical records privacy and security situations.32 In the mid-2000s legislative activities were high, examples of which follow. Some proposed legislation is specific to healthcare. Others are generic but have definite potential to impact healthcare. Certainly even more legislation will follow.

At the time of going to press (July 2008), the THOMAS database33 reported 120 bills before the 110th Congress with floor action (i.e., that had been reported from committee for action by the House or Senate)34 that included the term “health information.” Some of the key legislation under consideration at that time included:

  • Dignified Treatment of Wounded Warriors Act
  • Free Flow of Information Act of 2007
  • Genetic Information Nondiscrimination Act of 2007
  • Health IT Promotion Act
  • Healthcare Information Technology Enterprise Integration Act
  • Medicare Improvements for Patients and Providers Act of 2008
  • Wired for Health Care Quality Act

Some look to affirm HIPAA. Others look to fix gaps and inconsistencies in HIPAA or to address privacy issues from the perspective of nationwide sharing of all healthcare information.

As for generic privacy legislation, the rash of privacy breaches sparked interest in passing consumer-oriented, personal data protection legislation.35 If adopted, enterprising attorneys will likely look to establish precedent that patients are also covered “consumers” (of healthcare services). There is interest in updating the Privacy Act. Other efforts that readers can track36 included:

  • Consumer Notification and Financial Data Protection Act
  • Data Accountability and Trust Act
  • Electronic Health Information Privacy Act
  • FISA Amendments Act of 2008
  • Identity Theft Enforcement and Restitution Act of 2007
  • Personal Data Privacy and Security Act
  • Personal Data Privacy and Security Act of 2007
  • Safeguarding America's Families by Enhancing and Reorganizing New and Efficient Technologies Act of 2007
  • Social Security Number Privacy and Identity Theft Prevention Act of 2007

Other federal legislation pertains to privacy on wireless transmissions. Such legislation may impact use of personal digital assistants (PDAs), other bedside devices, and portable ambulatory care devices used for medical record information capture and retrieval, and treatment order entry. Other legislation is looking to establish a government commission to investigate privacy issues in the United States. Other legislation includes a potential amendment to financial security laws to restrict the use of healthcare information when making credit and financial decisions.

Federal legislation is accompanying the government's desire to design and to implement a National Health Information Infrastructure with associated Electronic Health Records. Legislation may be needed to reconcile differences in state-specific healthcare information standards and pertinent state-specific information protection regulations. As input to this legislation, a multistate National Health Information Privacy and Security Collaboration has been formed to identify and to propose resolutions to state-by-state differences in privacy and security practices and laws.37

At the state level, California is looking to enhance SB1386 to notify individuals if their personal information is stolen from paper records or backups of computer-stored data. There has also been discussion of adding safe harbor provisions to such laws to protect organizations from liability and to absolve them of notification responsibilities if they encrypt personal data.

While governments are looking to expand information protection regulations, the private sector wishes to address IT security through incentives such as government-funded R&D and tax breaks, not through regulatory obligations.38

Despite industry's desires, it appears that development of regulations will only intensify. Emerging legislation is also spreading into other IT-powered national infrastructure industries, such as telecommunications, energy, and power that support the healthcare industry. It appears legislative interest in IT privacy and security that may impact the healthcare sector will be present for years.

71.6 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT.

HIPAA39 establishes federal regulations for several areas of healthcare and its administration. It is the most sweeping change to the healthcare industry since the introduction of Medicare. It is moving the industry toward widespread use of technology, electronic information, and a single, common electronic transaction environment for electronic billing.

An overview of regulations relevant to electronic medical records and their protection appears in Section 71.6.1. The HIPAA strategy for addressing protection is given in Section 71.6.2. Summaries of the specific HIPAA regulations that pertain to medical records protection appear in Sections 71.6.3 and 71.6.4. Section 71.6.5 provides overviews of penalties for HIPAA violations. Observations pertaining to fielding HIPAA regulations appear in Section 71.6.6.

71.6.1 HIPAA Administrative Simplification Overview.

HIPAA does not just focus on patient data privacy and security matters. HIPAA goals include (a) improving portability and continuity of healthcare insurance when a patient changes jobs, (b) minimizing waste, fraud, and abuse in healthcare insurance and healthcare delivery, and (c) simplifying healthcare insurance administration.

Administrative Simplification (Title II, Subtitle F of HIPAA) looks to improve the efficacy and reliability of the healthcare system and to reduce its costs. It looks to minimize deliberate or inadvertent unauthorized access to, alteration, loss or deletion, transmission, disclosure, or misuse of personally identifiable patient healthcare information, the so-called protected health information (PHI). These may occur during the acquisition, processing, storage, and transmission of such information within, or between, specific healthcare entities called “covered entities.”

To effect these intents, Administrative Simplification mandates development and use of several so-called standards, which are the regulations containing requirements that pertain to conveying and to protecting personal healthcare information. Several regulations have been developed; others are yet to be developed.

71.6.1.1 Electronic Transaction Regulations.

Specific EDI (Electronic Data Interchange) transactions with standardized content are specified for use among covered entities such as healthcare payers, healthcare providers, and others. The transaction types pertain, for example, to health claims submissions, claims status checks, care encounters reports, health plan eligibility/enrollment/de-enrollment, care payments, plan premium payments, treatment authorization, and so on.

Specific standard content is stipulated for these transactions. Unique identifiers must be used to represent covered entities and employers40 so that any entity that touches or adds/modifies healthcare information can be uniquely identified. Unique code sets must be used as transaction data elements to represent, for example, encounter descriptions, diagnoses, billing, and so on.

Healthcare providers can choose whether to use the stipulated electronic transactions or to continue using paper-based transactions. Healthcare payers are required to accept transactions both in standard electronic form and in paper-based form.41 The largest U.S. healthcare payer, Medicare, mainly deals with electronic transactions and accepts paper-based billing transactions only under limited circumstances.

Additional HIPAA transaction standards are constantly under development. For example, one established in 200642 pertains to HIPAA standard transactions for electronic attachments to electronic healthcare claims.43 Attachments may convey clinical and administrative data useful to adjudicating payment for an electronic billing claim.44 The popular and trade press continue to monitor HIPAA developments.45

71.6.1.2 Information Protection Regulations.

Administrative Simplification specifies regulations46 for privacy and security47 applicable to PHI while it is in the custody of covered entities, in transit between covered entities, and in transit from covered entities to others. Regulations include developing, documenting and implementing privacy and security policies and procedures (P&P), implementing security technology addressing specified security requirements, training staff about HIPAA requirements, guaranteeing patient rights regarding their PHI, and appointing privacy and security directors to monitor and to enforce privacy and security matters. The privacy and security provisions are amplified in Sections 71.6.3 and 71.6.4.

71.6.1.3 Compliance Regulations.

HIPAA includes a strategy to enforce compliance to its rules by officers and employees of covered entities. It stipulates penalties (Section 71.6.5) for violations including intentional and unintentional disclosure of PHI.

71.6.2 Privacy and Security Strategy.

The HIPAA approach for healthcare information protection focuses on stipulating privacy and security requirements—not on specifying privacy and security solutions.

The privacy and security requirements are applicable under two basic conditions. The requirements apply (a) to “covered entities” and (b) to all personally identifiable, patient healthcare information—precisely and legally defined as PHI—associated with such covered entities.

Covered entities of all types and sizes must meet these requirements. Covered entities are stipulated and include:

  1. Health insurance carriers (sometimes referred to as “health plans,” including government agencies such as the Centers for Medicare and Medicaid Service that act as insurance carriers)
  2. Healthcare billing clearinghouses (entities between providers and payers that can, if necessary, translate covered entities' transactions between HIPAA standard formats and nonstandard/proprietary, payer-specific or provider-specific formats)
  3. Healthcare providers (institutions like medical centers, private physicians, and government agencies that provide healthcare services such as the Federal Employee Health Benefits Program, and DoD's TriCare Program), if they conduct certain specified transactions
  4. Business associates of covered entities (including government contractors such as those contracted for processing Medicare claims).

Contrary to some perceptions,48 not every organization that generates, processes, or holds personally identifiable health information is a “covered entity” that must abide by HIPAA information protection regulations.49 Tools to determine whether any specific entity is a “covered entity” are available.50

The privacy requirements stipulate how PHI is controlled. Legally authorized uses and disclosures are defined. Privacy requirements pertain to PHI created, stored, or conveyed in any form. For PHI in electronic form, privacy protection largely depends on HIPAA-stipulated security requirements.

The security requirements apply only to PHI in electronic, “computerized” form.51 By securing electronic transactions that convey PHI between healthcare IT systems and by securing storage and processing of electronic PHI, abuse and fraud can be minimized and privacy of such information can be increased. The security requirements can be met by common, generally accepted, widely used security principles and practices.

HIPAA does not specify a one-size-fits-all privacy and security solution, applicable to all situations. Although every covered entity that electronically receives, maintains, processes or transmits PHI must comply with applicable HIPAA privacy and security requirements, HIPAA does not specify how to meet these requirements. Privacy and security requirements may be met by covered entities by appropriate combinations of P&P, measures, security technology, and other ways deemed appropriate by each covered entity.

By focusing on privacy and security requirements rather than solutions, HIPAA offers flexibility, scalability, and technology neutrality; different covered entities can meet HIPAA information protection requirements by whatever strategy is reasonable and appropriate to each covered entity at any given point in time. Particular solutions may vary from situation to situation, but each solution must meet the HIPAA requirements. Some healthcare enterprises may need to implement more sophisticated information protection solutions than others. Small, less complex healthcare provider offices may have more limited privacy and security P&P and training requirements than those of large, more complex medical centers. Healthcare enterprises may need to change aspects of their information protection strategy as they change in size.

HIPAA's information protection requirements are:

  • Scalable, so that they work for both small practices and large healthcare enterprises, at reasonable cost
  • Technology-neutral, so that as technology changes, covered entities are not bound to outdated solutions, and efficacies of new technologies can be leveraged without having to change HIPAA's information protection regulations52
  • Flexible, so that different covered entities and their business partners can use policies, procedures, methods, and technologies appropriate to their situations—as long as they meet HIPAA's information protection requirements

HIPAA provides a national floor for the protection of PHI; state and other federal laws may provide even stronger protections. In some cases, HIPAA may enhance the protections afforded by other laws. In other cases, other laws may deal with privacy and security more stringently than HIPAA. In circumstances where HIPAA and other jurisdictionally applicable laws are in conflict, HIPAA specifies that stronger information protection laws prevail.53 If HIPAA is the most stringent applicable law, covered entities are free either to use HIPAA privacy and security requirements or to adopt even more protective requirements.

Covered entities must each assess their own potential risks to the PHI they handle. They must develop, document, implement, and maintain appropriate information protection P&P and measures to address their unique risks and situations. They can use risk management techniques to help decide what strategy of potentially overlapping safeguards is reasonable and appropriate to their situations. All analyses, decisions, and rationale for decisions must be documented. HIPAA allows covered entities to select industry-acceptable, best-practice information protection strategies for the situation at hand.54 Covered entities need periodic assessments to ensure continuing appropriateness and adequacy of their solutions to meet HIPAA requirements.

HIPAA does not specify how compliance to HIPAA information protection requirements is achieved. Each covered entity decides how it will achieve compliance with HIPAA requirements. Guidance from the HHS Centers for Medicare & Medicaid Services (CMS)55 and the HHS Office of Civil Rights (OCR),56 or neutral, third-party guidance such as that provided by the National Institute of Standards and Technology (NIST),57 the Industry Advisory Council,58 and others59 may be useful to help covered entities architect appropriate protection strategies compliant with HIPAA requirements. Further, when implementing an architected strategy, it may be useful to consult some of the solution-specific and/or HIPAA-compliant product lists60 published by the trade press to identify potential procurement options. Other implementation assistance may become available via the efforts of the Certification Commission for Health IT (CCHIT) chartered to develop criteria61 and processes for certifying security measures of IT products associated with the emerging U.S. Electronic Health Records initiative.62

71.6.3 Privacy Regulations.

Privacy regulations63 establish requirements pertaining to safeguarding privacy of PHI in any form64 from inappropriate or unauthorized disclosure or use. Regulations apply to PHI created, stored, processed, used, transmitted, or received by covered entities (and certain of their associated contractors and service providers). They limit sharing of PHI by covered entities. They also establish requirements pertaining to rights of patients with regard to their healthcare information.

The strategic concept associated with these requirements is simple: to ensure patients' personal information is adequately protected and kept private without unduly disrupting the flow of healthcare information needed to provide, to oversee and to pay for care, to assist healthcare research, and to improve the quality of the healthcare system. These requirements strike a balance between providing patients with greater peace of mind versus the public responsibility to support national medical priorities. Such priorities include protecting public health, identifying public health trends, conducting medical research, improving the quality of care available for the nation, and fighting healthcare fraud and abuse.

Given the massive extent, diversity, and complexity of the healthcare sector, the privacy requirements are comparably comprehensive—and appropriately flexible—to cover the plethora of uses of healthcare information by various covered entities and others outside the healthcare sector. Only a brief introduction and summary of the privacy requirements is given here.

The privacy regulations provide patients with rights to inspect and to correct their personal healthcare information, and otherwise to control how their health information is used and shared. The regulations require written patient consent for each covered entity to use a patient's PHI. Disclosure of PHI without patient consent is allowed for only a few, specified reasons. The regulations require business partners of each covered entity—via contracts or other similar mechanisms—to maintain the privacy of any patient information that is provided to them by the covered entity.

The regulations define the generally accepted set of information to be protected and kept private. It includes patient demographic information, common identifiers, insurance billing and payment information, symptoms, examination and test results, diagnoses, treatment, and future care plans that can be associated with or used to identify a patient, and so on. This information may be oral or recorded in any form or medium, such as paper, magnetic tape, computer drive, and so on. There are no privacy requirements that apply to healthcare information that is de-identified via specified ways.

A sampling of the privacy requirements follows.65 As readers' needs dictate, more detailed synopses66 or the full HIPAA Privacy Regulations should be consulted for increasingly more detailed descriptions of privacy requirements.

  • General use and disclosure requirements. A covered entity cannot use or disclose PHI except as specifically permitted or with the written consent of the applicable patient.
  • Specific permitted use and disclosure requirements. Covered entities may share certain PHI without a patient's formal signed consent only under certain specified situations, including, for example, among healthcare providers involved in a patient's treatment, with third-party payers (e.g., insurance carriers), with the patient, with parties involved with medical reviews assessing the quality of patient care, with parties involved with assessing the performance of care providers and healthcare operations, and with regulatory and public health agencies, ethical researchers, and auditors. For certain specified reasons, a covered entity may share certain PHI with only informal patient permission not involving a signed, formal consent authorization.
  • Required use and disclosure requirements. Covered entities are permitted—but not required—to share PHI without a patient's consent or permission for 12 national priority purposes outside a patient's healthcare context. Examples of these purposes include public health activities, law enforcement, legal proceedings, protecting victims of abuse, workers' compensation, and so on.
  • Authorization requirements. A patient-signed, written consent authorization with certain specified conditions and constraints is required by covered entities for any use or disclosure of PHI that is not for treatment, payment or healthcare operations or otherwise permitted or required.
  • Minimum necessary data requirements. Covered entities are required to develop and to use P&P to ensure that no more PHI is used or disclosed than the minimum amount needed for each purpose for which information is used or disclosed.
  • Privacy practices notice requirements. Covered entities are required to develop privacy practice notices, to post these notices, and to collect individual patient acknowledgments of their receipt. These entities must abide by clearly stated procedures that (a) protect the privacy of patients' information, (b) describe how PHI is used and disclosed, and (c) describe how patients can access their PHI.
  • Patient access and control rights requirements. Covered entities are required to give individual patients the rights to receive a copy of the entity's privacy practices notice and to specify how the entity should communicate with the patient. Patients have the right to inspect, and to obtain copies of, any disclosures and distributions of healthcare information about themselves. Patients have the right to get an accounting of the disclosures and to amend, correct, and restrict the uses, disclosure, and distribution of healthcare information about themselves.
  • Administrative requirements. Covered entities are required to develop and to implement appropriate privacy P&P consistent with the HIPAA privacy regulations and tailored to fit their size and complexity, to train and to discipline employees regarding privacy P&P, and to designate a privacy official responsible for the entity's privacy practices and activities.
  • PHI safeguards requirements. Covered entities are required to have reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI in violation of the HIPAA privacy regulations and to otherwise abide by all the allowed and disallowed uses and disclosures of PHI. The HIPAA security regulations (see Section 71.6.4) stipulate such safeguards for electronic PHI.

71.6.4 Security Regulations.

These regulations67 establish requirements for safeguarding confidentiality, integrity, and availability of electronic PHI created, received, processed, and/or stored by covered entities. PHI must be protected against reasonably expected threats, vulnerabilities, and hazards as well as against disclosures and inappropriate use not permitted by HIPAA's privacy regulations. The requirements also establish an organizational culture that facilitates the provisioning and maintenance of security safeguards.

There are linkages between HIPAA privacy requirements and HIPAA security requirements.68 Some requirements overlap or complement each other. For example, privacy and security regulations both contain awareness-training requirements. They can be combined so that employees of covered entities stay aware of both the importance of protecting PHI and the means by which PHI is protected. In other cases, a specific security requirement may need to be implemented to address a specific privacy requirement.

As outlined below, the security regulations stipulate various categories of administrative, technical, and physical security requirements as well as organizational, P&P, and documentation requirements. They require covered entities to assess risk and to provide for the safeguarding of electronic PHI at risk. For each covered entity, there must be fully auditable procedures for controlling access to PHI and for protecting PHI against compromise and misuse.

71.6.4.1 Administrative Safeguards Requirements.

These requirements pertain to administrative P&P and actions targeted to manage (a) selection, deployment, and maintenance of security safeguards to protect electronic PHI and (b) roles of employees in protecting PHI. The requirements categories include:

  • Security management process. Implement P&P for preventing, detecting, containing, and correcting security violations.
  • Assigned security responsibility. Identify an individual responsible for developing and implementing security-oriented P&P.
  • Workforce security. Implement P&P for ensuring appropriate employee access to, or denial of access to, PHI.
  • Information access management. Implement P&P for authorizing access to PHI consistent with privacy access requirements.
  • Security awareness and training. Implement a security awareness and training program for all employees.
  • Security incident procedures. Implement P&P for handling incidents that impact systems associated with PHI.
  • Contingency plan. Establish and implement P&P for responding to emergencies that damage systems containing PHI.
  • Evaluation. Periodically assess whether the security P&P address the security requirements.
  • Business associate contracts and other arrangements. Establish legally binding, chain-of-trust agreements with business partners for protecting PHI conveyed to such partners.

71.6.4.2 Physical Safeguards Requirements.

These requirements pertain to physical measures and associated P&P to protect IT systems, facilities, and applicable equipment from physical hazards, unauthorized physical access, and unauthorized intrusions. The requirements categories include:

  • Facility access controls. Establish and implement P&P to control physical access to IT systems, related equipment, and the facilities that house them.
  • Workstation use. Implement P&P regarding physical location and use of computers to access electronic PHI.
  • Workstation security. Implement physical safeguards to control physical access to computers used to access electronic PHI.
  • Device and media controls. Implement P&P regarding receipt, reuse, and disposal of hardware, software, and electronic media that handle electronic PHI.

71.6.4.3 Technical Safeguards Requirements.

These requirements pertain to technological measures and associated P&P to protect and to control access to electronic PHI created, maintained, and communicated to and from electronic healthcare systems. The requirements categories include:

  • Access control. Implement technical P&P for controlling access by people and software to IT systems that handle electronic PHI.
  • Audit controls. Implement technical and procedural mechanisms that examine and record activities and accesses to IT systems that handle electronic PHI.
  • Integrity. Implement P&P to ensure the validity of electronic PHI.
  • Person or entity authentication. Implement procedures to verify legitimacy of people and software attempting to access electronic PHI.
  • Transmission security. Implement technical security measures to control unauthorized access to electronic PHI in transit over computer networks.

71.6.4.4 Organizational Requirements.

These requirements pertain to using business associate contracts or other official arrangements to establish trust that third parties associated with, or providing services to, covered entities will maintain HIPAA provisions.

71.6.4.5 Policies and Procedures and Documentation Requirements.

These requirements pertain to developing all the requisite P&P (as outlined earlier), to developing and using all required documentation and documentation configuration control measures, and to implementing the P&P to comply with HIPAA security regulations.

71.6.4.6 Implementation Specifications.

Each stipulated security requirement summarized above must be met by a defined implementation specification stipulated in the HIPAA security regulations, or, if no implementation specifications exist, by measures documented and implemented by each covered entity. NIST Special Publication 800-66 identifies (in Table 2) implementation specifications accompanying each security requirement.

For security requirements met by HIPAA-stipulated implementation specifications, such implementation specifications are individually identified as either being “required” or “addressable.”69 Covered entities must comply with all 13 required implementation specifications. Covered entities must document how they assessed and decided whether each specific addressable implementation specification is appropriate, or not, and whether it applies, or does not, to their specific environment, and whether the covered entity implemented, or not, each addressable implementation (or some equivalent alternative measures). NIST SP 800-66 Table 2 also summarizes which implementation specifications are required and which are addressable.

For example, to meet HIPAA's contingency plan requirement, a covered entity is required to establish and to implement data backup, disaster recovery, and emergency mode operations plans; and it must also address procedures for testing and revising such plans.

71.6.5 Enforcement, Penalties, and Liabilities.

Unlike other government regulations, such as SOX, HIPAA depends on weaker, non-proactive enforcement strategies. It does not include yearly comprehensive audits and compliance standards that must be met. There are no “HIPAA police” to seek out HIPAA violators. There is no government willingness to fine violating organizations millions. It does not have the teeth or effectiveness of proactive regulations like SOX.

Instead, the focus is strictly on complaint-driven enforcement. PHI disclosure victims must initiate triggering complaints and take on liability of uncertain legal outcome.

Specific HHS offices receive and investigate complaints. They decide about the interpretation, implementation, and enforcement of certain HIPAA regulations.70 Security regulations enforcement rests with HHS CMS. Enforcement of privacy regulations rests with HHS OCR.71 Procedures for filing PHI complaints are available.72 Evidence73 suggests HIPAA complaint handling is nontrivial for the involved HHS offices.

In response to a complaint, these HHS offices can impose civil (monetary) and criminal (prison) penalties for certain HIPAA violations. Initial track records suggest these offices have not been inclined to impose penalties and would rather work with implicated covered entities to fix situations that may have led to complaints. When HIPAA complaints are not resolved, covered entities can be penalized $100 per violation, up to $25,000 per year per HIPAA requirement not met. HIPAA specifies relatively small penalties on the officers and/or employees of healthcare-relevant organizations that fail to address HIPAA requirements.

However, there are large criminal penalties—fines and imprisonment—for those who wrongfully handle confidential PHI. Any person who knowingly obtains, uses, causes to use, intends malicious harm, tries to sell or to transfer or to gain from, or discloses, patient information inappropriately faces penalties.74 Penalties range from $50,000 to $250,000 and up to 10 years imprisonment, depending on seriousness of the offense.

Although penalties can be stiff, some argue the real dangers of HIPAA enforcement may instead arise from loss of confidence in the implicated entity and possible litigation under contract law. When disclosure of personal information causes damage and the legal system is engaged, HIPAA penalties—especially the criminal penalties—can mean the difference between business failure and business survival for implicated entities. PHI disclosures, whether wrongful or unintentional, have potentials to be devastating. Some argue potential consequences of HIPAA litigation should be considered when developing disaster plans.

It may not be only directly implicated, covered entities that are at risk for PHI disclosure penalties. The “linked liability” concept may extend HIPAA-relevant liabilities and penalties to others. Covered entities forced into litigation for PHI privacy or security breaches may try to share blame or to pass it to others, such as the communications provider used to connect covered entity offices. Such other parties may also try to spread blame to yet others, such as negligent vendors of IT products with implementation errors, vulnerabilities, and less than adequate security. The ultimate assignment of liability may be legally tortious.75 To minimize liability exposure, firms linked in even obtuse ways to covered entities are wise to be able to show (a) they exercised due diligence in establishing normal and customary privacy and security measures within their enterprises, services, or products; (b) their measures are in line with industry best practices and HIPAA requirements, and (as required by HIPAA) anticipate and address new threats; and (c) they made correct decisions regarding their privacy and security measures.

Some argue employers offering health insurance also have implicit liabilities linked to HIPAA. They argue, first, that employers have a duty to ensure healthcare plans and associated care providers offered to employees are compliant with HIPAA. Second, when insurance carriers send enrollment and benefits data to employers, employers are acting as business associates subject to provisions that business associates of covered entities must also be HIPAA compliant.

71.6.6 Realities in Fielding HIPAA Information Protection Regulations.

Many believe HIPAA makes good business sense. They feel HIPAA's information protection regulations are generally what any protection-conscious organization would do on its own. They feel healthcare-accrediting organizations should include HIPAA regulations in their accrediting criteria. As such, it would seem reasonable to expect large voluntary compliance rates. However, although many who are knowledgeable in information protection say HIPAA protection regulations are a necessity given the risks of growing and evolving threats, the real-world impact of HIPAA currently appears mixed.

Surveys indicate HIPAA has prompted increased procurement of IT and security technology, especially by large care provider entities and especially those with supportive executives.76 However, HIPAA is not just a technology matter, and cash-poor nonprofit providers struggle to find the staff and resources to undertake HIPAA compliance efforts. Many feel the burden of demonstrating compliance with the many applicable regulatory laws—not just HIPAA—is excessive.

At the time of this writing, HIPAA has not become the panacea its authors (Senators Kennedy and Kassebaum) hoped for. Both cost savings and ubiquity seem difficult to realize, although some analysts claim to find measurable return on investment.77

The next sections examine HIPAA's acceptance, benefits, shortcomings, and future impacts.

71.6.6.1 Benefits Are Appearing.

Like its sister law GLB, which applies to the financial sector, HIPAA fosters in the healthcare sector a fundamentally new paradigm for handling and protecting electronic information of a personal type: both laws extend to electronic personal information the rigorous legal control traditionally applied only to paper documents.

Anecdotally, many “soft” benefits are accruing as a result of HIPAA. Entities in the healthcare industry are becoming better interconnected. With shifts away from paper-based healthcare information and transactions, productivity and efficiency seem to be increasing.78 Administrative and back-office costs appear lower because of diminished error rates in creating insurance claims, less opportunity to commit fraud, and reductions in the size of accounts receivable queues. Staff adjust easily to stronger authentication procedures when accessing PHI.

Of significant benefit is that patient privacy sensitivity is elevated, and there has been improvement in privacy and security awareness, practices, and measures.

71.6.6.2 Compliance Trends Are Mixed.

Attempts to comply with HIPAA have seemed inconsistent and in some cases slow.79 Even though many regulation compliance dates have passed, the rate of compliance of covered entities is not total.

In 2006 (three years after the mandatory standard transaction compliance date), about three-fourths of healthcare providers and payers indicated they could exchange HIPAA transactions, but only about two-thirds said they were actually exchanging some HIPAA standard transactions.80 There are reasons that use of HIPAA standard transactions has been emerging slowly. There appears to be much finger pointing.81 Providers say they are ready but their payers are not. Payers report they are ready but their providers are not.

As for privacy requirements compliance, in 2006 (three years after the mandatory privacy compliance date) about 80 percent of providers and carriers claimed they were “mostly” compliant to HIPAA privacy requirements. The apparent inverse observation that perhaps up to one-fifth of covered entities are unable or unwilling to comply with privacy requirements is eye opening. Furthermore, evidence exists that the number of (even partly) compliant covered entities may be dropping somewhat year-to-year.

As for security requirements compliance, in 2006 (one year after the mandatory security compliance date), only 55 percent of large healthcare providers and about 70 percent of insurance companies reported complete compliance with the security regulations. Although the initial rate82 of achieving security compliance appears greater than the initial rate83 of achieving privacy compliance, the compliance numbers reported for insurance carriers may be misleading, and actual compliance may be lower.

The compliance evidence for small providers anecdotally suggests HIPAA compliance can be a tremendous, uncertain burden. (See Section 71.6.6.3 for examples.)

It is not clear whether continuation of the above, less-than-stellar compliance rates will trigger disciplinary actions by HHS OCR and CMS HIPAA enforcement bodies.

71.6.6.3 Compliance Status by Covered Entities.

Large care providers (e.g., hospitals and medical centers) generally are complying in large numbers. The compliance story for other entities is dubious. Small care providers (single doctors and small offices of care providers) tend to be overwhelmed. Insurance carriers are often not changing their systems and procedures to adapt to HIPAA. Clearinghouses are trying to provide interfaces between providers and carriers, but these intermediaries are having troubles too.

Large Providers Status.

Large healthcare providers are often well equipped with staff and resources to adopt, and to maintain compliance with, HIPAA provisions. Many are already set up with appropriate staff to handle compliance with other laws (e.g., SOX in the case of publicly traded provider entities) and other regulations, including periodic accreditation reviews (e.g., potential security and privacy audits conducted by the healthcare sector's Joint Commission on Accreditation of Healthcare Organizations, JCAHO). Some feel HIPAA regulations are too burdensome, require unreasonable levels of funding, and in some cases are too difficult or too disruptive to legacy healthcare procedures. Many others, on their own and before HIPAA was conceptualized, instituted many84 of the good practices now required by HIPAA. Some did not realize they were already doing the right things for privacy and security until they audited their information protection procedures, processes, and technology against HIPAA requirements. These were well positioned to comply fully and quickly. For them, it is clear HIPAA-promulgated standards, processes, and regulations are reasonable precautions, make organizations more credible, and make good business sense. Perhaps the greatest problem facing large providers was identifying every instance of a data element containing HIPAA-defined PHI associated with a specific patient.

Insurance Carriers Status.

Insurance entities appear to have difficulties adapting to HIPAA.85 Surveys indicating high compliance rates may be misleading. Some carriers retain old, noncompliant business, computing, and communication strategies and rely on clearinghouses to provide HIPAA-compliant interfaces to providers. Interactions between clearinghouses and carriers may still be the same as before HIPAA was instituted. Why? Because such carriers may be unwilling to change their operational claims and payments systems. Much as for the Y2K situation, carrier systems may be old, minimally documented, legacy systems written in old computer languages by code designers who are long since gone. Carrier executives fear changing or replacing their systems that “work.” Furthermore, defining need-to-know rules to accompany claims processing, coverage provisioning, and communications with providers has been problematic.

Depending on the extent of their businesses, some insurance carriers must conform to several other major government regulations, such as SOX and GLB, for which enforcement of regulations is certain. With perceived lack of HIPAA enforcement, and lack of desire to change working systems critical to their business, the HIPAA compliance story may be clouded.

Clearinghouse Status.

For intransigent carriers, clearinghouses translate between HIPAA-compliant transactions, with accompanying protection measures, and carrier-specific methods of interacting. Sometimes carriers incorrectly claim they “outsource” their HIPAA compliance needs to clearinghouses.

Interactions between clearinghouses and large providers seem to have become HIPAA compliant with more regularity. Why? Perhaps because large providers that are already set up for electronic claim submissions with electronic PHI are led to believe they will not get payments if they are not HIPAA compliant, and they do not want to jeopardize their primary flow of income, namely carrier payments for their services rendered. Perhaps, in an attempt to lower their own HIPAA-compliance liabilities, clearinghouses may put pressure on providers to comply with HIPAA regulations.

In short, it appears most claims interactions between clearinghouses and large providers are HIPAA compliant while some are not, and claims interactions between clearinghouses and carriers are often not HIPAA compliant because carrier systems have not been modified to receive or send HIPAA transactions and to address HIPAA protection requirements.

Small Providers' Status.

For small providers, the situation is much different. Many still bill via paper claims and some (especially in the dental community) do not have computers in their practices. For them, HIPAA transaction and security regulations do not apply, and their flow of income is not dependent on changing to electronic PHI and electronic claims transactions. However, many—but not all—of the HIPAA privacy and security requirements still apply, along with a multitude of other government-imposed regulations. Small providers may feel less pressure because they perceive large hospitals are more tempting HIPAA enforcement targets.

Some insurance carriers are providing Web interfaces for direct billing interaction with care providers. But for small care providers, there are substantial logistical and pragmatic problems. Batch submission of claims via browsers is not supported, and the practice management software used in small care provider offices is generally written to interface to a specific clearinghouse and not via a browser. It is also not clear that carriers' Web interfaces support HIPAA-stipulated EDI transactions.

Confusion as to what is or is not required for small providers to comply is the norm. Most do not have staff dedicated to compliance issues; they are working “flat out” trying to deliver patient care. Many already carry substantial non–revenue-generating overhead without even considering adding staff for HIPAA matters.

They receive constant barrages of HIPAA guidance and newsletters from vendors, provider professional societies, and others. They receive solicitations from consultants of unknown credibility who purport to be able to tell them what to do for HIPAA compliance. Equipment vendors tell them their products are “HIPAA compliant,” but do not necessarily say which parts of HIPAA their products address, nor what procedures buyers must follow to meet the other associated HIPAA requirements. Small providers do not know exactly what they must do regarding HIPAA compliance. Professional societies send books on how to comply, but small providers cannot afford the time and financial loss of ceasing to deliver services in order to read the books, determine how to deal with HIPAA information protection regulations, and work out how to prove whether they comply.

Many suspect that handing out generic HIPAA privacy forms is sufficient. But they do not necessarily know what all the sentences mean or what to do if a patient does not sign the form. The more proactive ones make staff more aware of privacy and security, alter some procedures, and appoint individuals (typically naive about information protection) as the responsible privacy and security officials (who typically lack the clout of management).

In short, dealing with HIPAA is often a mess for the smallest care providers. Confusion and uncertainty abound.

71.6.6.4 Other Potential Reasons for Noncompliance.

Additional anecdotal reasons have been cited for why privacy compliance rates may be stagnant or dropping. Such reasons also abound for why other HIPAA compliance rates are not higher.

Some surveys cite difficulty in accounting for all PHI disclosures, increased costs, and diminished management support—despite threat of personal penalties.86

Others argue it is innately difficult to make the holistic information assurance (IA) approach espoused in HIPAA work, because of organizational and corporate cultural difficulties. These may arise when trying to converge IT security, physical security, and the various other aspects of IA.87 Still others argue88 that HIPAA regulations are too voluminous and that insufficient staff is available to manage regulatory information protection requirements.89

Some feel a more effective way to enhance the privacy and security of personal information is to move away from a regulatory environment toward an “image-oriented” environment (akin to that created by California law SB1386). They feel PHI custodians will be motivated if they must notify affected individuals when a PHI breach is believed to have occurred. The image-oriented strategy may have merit given the importance that many organizations, including healthcare organizations, place on brand image and perceived community status, the perceived criticality of data privacy to that image or status,90 and the plausible assumption that fear of unflattering publicity will force enterprises to strengthen their information protection measures.

Some covered entities may not yet realize that HIPAA compliance is an ongoing business process—not a one-time event—that must continue forever after the initial push to verify initial compliance with HIPAA. It must be a continuous commitment and process that needs to be sustained as new threats, new IT, and new security technology strategies emerge.91 Some feel technology is changing so quickly it is hard to discern whether products based on newer technology are covered by and, if so, comply with HIPAA regulations.

With issued HIPAA noncompliance penalties few and far between, and with no dedicated HIPAA policing bodies, some say the “stick” of enforcing HIPAA violations is not a significant deterrent to noncompliance. Noncompliant covered entities have little fear of legal or publicity retribution.

To date, experience has borne out this lack of concern.92 As of 2006, there had been about 20,000 privacy violation complaints. Of these, only about 300 were referred to the Justice Department for criminal consideration. There had been only one conviction, in which the defendant, an individual rather than the covered entity, was fined $9,000 and sentenced to 16 months in prison.93

Many feel government enforcement is matched to the context in which a PHI complaint is reported. Legal recourse would be used only to prosecute deliberate and flagrant violations. For covered entities showing a good-faith effort to resolve the situations that led to PHI breach complaints, the government will not adopt an adversarial prosecutorial stance.

However, other factors may counterbalance a laissez-faire attitude toward HIPAA violation prosecution. HIPAA enforcement is not the only recourse for disclosure of personal information associated with medical records. Monetary penalties have been significant when other avenues were pursued. For example, while not necessarily related to HIPAA infractions per se, in 2005 the California Department of Managed Health Care fined a division of a health insurance carrier (Kaiser Permanente) $200,000 for exposing the PHI of over 100 individuals.94 In one of the larger privacy breaches in the United States, in 2006 the unauthorized discloser of personal information—albeit not PHI—from 6 million people was ordered to pay New York State over $1 million.95

71.6.6.5 Cost Examination.

The government hopes strategic cost savings and competitive pressures are strong motivators for HIPAA to be promulgated throughout the healthcare sector.

However, the cost picture regarding HIPAA compliance is complex and has not yet been well researched. It includes factors such as costs to upgrade extant policies and procedures, technology, processes, and staff training so as to attain initial HIPAA compliance. It includes HIPAA-compliance maintenance costs. It must reflect the savings (or cost growth retardation) generated by using HIPAA's electronic business model. It must reflect the savings generated by minimizing the cost to recover from numerous information breaches. Only anecdotes related to costs are currently available, and opinions about cost factors are mixed.

Aggregate costs to attain initial HIPAA privacy compliance are estimated at $17.5 billion over 10 years.96

Costs to attain initial HIPAA security compliance vary dramatically among covered entities. Many have in-place information protection measures, and the gaps between what they have fielded and what HIPAA requires, tempered by the risk-assessment–determined value of closing each gap, will vary substantially from entity to entity. It will also depend on factors such as entity size. For large carriers with old legacy business, computing, and communication strategies, questions arise as to whether the costs of undertaking an uncertain conversion for the sake of achieving HIPAA compliance may far exceed the benefits of such compliance.

Although the government understands many of the factors that drive the cost to achieve initial security compliance,97 it is difficult for the government to predict with certainty what the aggregate of these costs may be across all covered entities. Certainly, because HIPAA applies to over 2 million covered entities, the overall impact of HIPAA information protection compliance will easily exceed the $100 million threshold the government uses to label a major economic impact. Privately, senior HHS officials have indicated the aggregate financial impact just from achieving initial HIPAA compliance will rival the $8 billion cost of fixing the Year 2000 problem.

The actual recurring annual costs associated with HIPAA have been large. At about $4 billion98 annually, they are similar to the costs to achieve and maintain compliance with SOX 404. Although aggregate costs appear high, start-up and annual costs devoted to HIPAA compliance for any given covered entity do not seem unreasonable.99

The government estimates the combined impact of all HIPAA regulations will save100 the healthcare sector $29.9 billion over 10 years.101

For now, the jury is still out regarding the cost picture associated with HIPAA. Some believe that HIPAA privacy and security regulations do not simplify healthcare administration and instead impose significant new administrative burdens on the healthcare sector. Others believe it is inappropriate to put a price on personal privacy. Is the cost of implementing HIPAA nationwide exceeding the predicted costs? Probably. Is HIPAA lowering the costs (or slowing the rate of cost increases) of healthcare by lowering the funds spent on billing paperwork and by increasing efficiencies on the business side of healthcare? Perhaps. Is HIPAA requiring healthcare entities to spend more money on HIPAA-compliant IT and compliance maintenance processes? Absolutely. Does this lead to spending less on patient care? Unlikely. Will the savings incurred by complying with HIPAA offset the costs of converting to and maintaining compliance with HIPAA? Perhaps not. Are the costs of maintaining compliance with HIPAA less than the savings that could be incurred if healthcare sector automation greater than that specified within HIPAA is adopted? No one knows.

But HIPAA compliance activities have certainly raised awareness of privacy and security issues; staff and management are more conscious and conscientious about patient privacy. What price is reasonable for maintaining protection of one's private PHI? Evidence shows it can be high.102 Some argue it is priceless. Perhaps the hindsight of time will shed light on the various potential cost/savings factors.

71.6.6.6 Potential Future Impacts.

There are many impacts of HIPAA that are yet to be considered fully. Examples follow.

The question of precedence between the privacy and security requirements of state laws and those of the federal HIPAA law can have problematic consequences. Interoperability issues can arise between parties that have stronger protection methods and those that have only the common, minimal level of protection stipulated by HIPAA. Some argue that HIPAA is not particularly appropriate for emerging healthcare IT models based on nationally networked electronic healthcare records.103 Development and exchange of electronic healthcare records is hampered by inconsistencies and variations in privacy and security policies and regulations between jurisdictions. Furthermore, there may be legal questions regarding how patient data can be shared across state lines. Some argue that HIPAA needs to be modified to provide more comprehensive national information protection standards that form a consistent, mandatory, uniform ceiling above the growing hodge-podge of similar but inconsistent state laws. Studies of these potential problems had just begun at the time of writing this chapter.

Along another vein, government information protection regulations may be having some adverse effects. Information protection compliance matters are now visible to senior executives and boards, and organizations focus their efforts on updating policies and procedures (P&P) and mechanisms to comply with regulations. But there is evidence that organizations may be so fixated on initial compliance efforts that they pay little attention to emerging security threats and emerging IT.104

Other complaints are arising from healthcare research efforts that rely on evidence-based medicine and longitudinal studies of patients. Such research may require some sort of patient identifying mechanism to correlate several different disclosed medical records associated with the same individual. HIPAA creators are aware of this concern.105 The HIPAA privacy regulations allow for covered entities to use institutional review boards or privacy boards to waive individual authorization to disclose and to use PHI for research purposes.106 Such provisions can add costs to research studies. Other solutions have been proposed.107, 108

Of some concern are increased efforts by a growing number of countries to develop national electronic health record infrastructures that rely on patient-perceived confidence in PHI protection assurance.109 Growing patient concern about privacy seems to be occurring in parallel with a corresponding decreased rate of compliance with information privacy and security regulations.110 These dichotomies portend potentially troubling, clashing trends.

Signals from other economic sectors relying on Internet-supported capabilities currently seem mixed. The rash of breaches of personal data nationwide has been massive,111 smacks of complete ineptitude, and still appears to be increasing.112 Consumer resistance has started slowing the growth of online banking. Complaints associated with other mandates such as SOX have increased. Such factors have the potential to impact negatively on HIPAA endorsement within the healthcare sector.

On the brighter side, increased awareness of healthcare privacy and security issues brought about by HIPAA has led to positive efforts in the healthcare sector.

Covered entities banded together in 2006 to form the eHealth Vulnerability Reporting Program.113 This was an alliance focused on collaboratively finding, publicizing, and fixing vulnerabilities in healthcare application software, especially those software packages that are large and for which software development errors would be more numerous, on average. This group evolved into HITRUST, the Health Information Trust Alliance, which has established a Common Security Framework (CSF) for health information security.114

Traditional healthcare accreditation organizations, such as the Electronic Healthcare Network Accreditation Commission (EHNAC) and the Utilization Review Accreditation Commission (URAC), which conduct independent, third-party accreditations of covered entities, are expanding their focus to examine healthcare information protection. For example, the EHNAC Healthcare Network Accreditation Program examines privacy, security, and PHI matters.115 URAC is moving toward HIPAA privacy accreditations116 and HIPAA security accreditations.117

71.7 SUMMARY.

Medical records are at the heart of proper healthcare, but there are innumerable threats to their security and privacy. Although many government and industry initiatives are aimed at protecting these data, their success has been somewhat limited. Expansion of existing efforts and potential new directions may be necessary before the problems can be resolved, and the opportunities and benefits realized.

71.8 FURTHER READING

Amatayakul, M., ed. Handbook for HIPAA Security Implementation. American Medical Association, 2003.

Beaver, K., and R. Herold. The Practical Guide to HIPAA Privacy and Security Compliance. Auerbach, 2003.

Hoyt, R., M. Sutton, and A. Yoshihashi. Medical Informatics: Practical Guide for the Healthcare Professional. Lulu.com, 2007.

Krager, C., and D. Krager. HIPAA for Health Care Professionals. Delmar Cengage Learning, 2008.

Wu, S. S. A Guide to HIPAA Security and the Law. American Bar Association, 2007.

71.9 NOTES

1. HIPAA calls such entities “covered entities.”

2. Some organizations considered here are not HIPAA-specified “covered entities.” They may not be impacted by HIPAA.

3. N. Ferris, “Insurers Tout Efforts to Promote Health IT,” Government Health IT Newsletter, December 13, 2005; www.govhealthit.com/online/news/91712-1.html.

4. M. K. McGee, “A Pill, a Scalpel, a Database,” InformationWeek, February 13, 2006; www.informationweek.com/news/management/showArticle.jhtml?articleID=179103437 or http://tinyurl.com/5laupl.

5. M. K. McGee, “No Quick Cure for Healthcare System,” InformationWeek, October 24, 2005; www.informationweek.com/news/management/showArticle.jhtml?articleID=172303129 or http://tinyurl.com/5v5hqs. See also M. K. McGee, “Putting the Pressure on Providers” InformationWeek, October 24, 2005; www.informationweek.com/news/management/showArticle.jhtml?articleID=172303130 or http://tinyurl.com/5a96pp.

6. HIMSS/Phoenix Health Systems, “US Healthcare Industry HIPAA Compliance Survey Results: Winter 2006,” www.hipaadvisory.com/action/surveynew/results/winter2006.htm.

7. D. Onley, “Intrusion Detected in DoD Server,” Government Computer News, May 1, 2006; http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40626 or http://tinyurl.com/6hgqql.

8. Health Privacy Project, “Data Security Breach Discloses Veterans' Medical Information,” May 24, 2006; www.healthprivacy.org/info-url_nocat2303/info-url_nocat_show.htm?doc_id=374199 or http://tinyurl.com/5tvds6.

9. J. Appleby, “Security of Medicare Info Questioned,” USA Today, March 23, 2006; www.usatoday.com/tech/news/computersecurity/2006-03-23-medical-data_x.htm or http://tinyurl.com/5euctm.

10. C. Heun, “E-health Initiatives Could Lead to New Forms of ID Theft,” InformationWeek, June 16, 2006; www.informationweek.com/news/showArticle.jhtml?articleID=189500020 or http://tinyurl.com/5qs9pj.

11. P. Dixon, “Medical Identity Theft: The Information Crime that Can Kill You,” World Privacy Forum, May 3, 2006; www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf.

12. The HIPAA law uses this strategy of not precisely and universally specifying what security mechanisms are required throughout all covered entities.

13. Electronic Privacy Information Center (EPIC), “Medical Privacy,” 2008, http://epic.org/privacy/medical/.

14. See, for example, K. C. Jones, “Prying in Britney Spears' Medical Records May Cost Employees' Jobs,” InformationWeek, March 17, 2008; www.informationweek.com/news/management/compliance/showArticle.jhtml?articleID=206904141 or http://tinyurl.com/6go99g.

15. J. Lemieux, D. Nicholson, D. Lansky, and C. Shirky, “Connecting Americans to Their Health Care: A Common Framework for Networked Personal Health Information,” Connecting for Health Personal Health Technology Council (December 2006); www.connectingforhealth.org/commonframework/docs/P9_NetworkedPHRs.pdf.

16. Princeton Survey Associates for the California HealthCare Foundation, “Confidentiality of Medical Records: National Survey,” http://admin.chcf.org/.

17. UK National Health Service, “About the NHS: NHS Core Principles,” (2008), www.nhs.uk/aboutnhs/coreprinciples/Pages/NHSCorePrinciples.aspx.

18. Department of Health and Human Services, Title 45, Public Welfare, Subtitle A, Part 5b, Privacy Act Regulations, www.access.gpo.gov/nara/cfr/waisidx_02/45cfr5b_02.html.

19. Federal Information Security Management Act of 2002, H.R. 2458, Public Law 107-347, 44 USC 35 Subchapter III §3541 et seq.; www4.law.cornell.edu/uscode/html/uscode44/usc_sup_01_44_10_35_20_III.html or http://tinyurl.com/5pfn93.

20. G. McKee, J. Faraone, and M. E. Kabay, “The Problem with Compliance, Part 2,” Network World Security Strategies Newsletter, March 23, 2006; www.networkworld.com/newsletters/sec/2006/0320sec2.html.

21. E.g., Washington State's Breach Disclosure law (SB 6043), www.leg.wa.gov/pub/billinfo/2005-06/Htm/Bills/Session%20Law%202005/6043-S.SL.htm or http://tinyurl.com/dwqbf.

22. W. Eazel, “Microsoft Urges U.S. Government to Revamp Data Privacy Laws,” SC Magazine, November 4, 2005; www.scmagazine.com/us/news/article/526269/.

23. W. J. Clinton, “Presidential Decision Directive/NSC-63: Critical Infrastructure Protection,” May 22, 1998, The White House, Washington, D.C.; www.fas.org/irp/offdocs/pdd/pdd-63.htm.

24. W. J. Clinton, “Defending America's Cyberspace: National Plan for Information Systems Protection, Version 1.0,” January 11, 2001, The White House, Washington, D.C.; www.fas.org/irp/offdocs/pdd/CIP-plan.pdf.

25. G. W. Bush, “The National Strategy to Secure Cyberspace,” The White House, February 2003; www.whitehouse.gov/pcipb/.

26. United States Department of Health and Human Services, “HCFA Internet Security Policy” (1998), http://csrc.nist.gov/groups/SMA/fasp/documents/policy_procedure/internet_policy.pdf or http://tinyurl.com/6bouzn.

27. “OMB Lays Down Federal Security Law,” Dark Reading newsletter, TechWeb, June 29, 2006; www.darkreading.com/document.asp?doc_id=98316.

28. National Security Telecommunications and Information Systems Security Committee Secretariat, National Security Agency, “National Security Telecommunications and Information Systems Security Policy (NSTISSC) No. 11, Revised Fact Sheet. National Information Assurance Acquisition Policy,” July 2003. Ft. Meade, MD; http://www.niap-ccevs.org/cc-scheme/nstissp_11_revised_factsheet.pdf

29. G. W. Bush, “Policy for a Common Identification Standard for Federal Employees and Contractors,” Homeland Security Presidential Directive/HSPD-12, The White House, August 27, 2004; www.whitehouse.gov/news/releases/2004/08/20040827-8.html. See also: W. Jackson, “Ready or Not, Here's HSPD-12,” Government Computer News, October 26, 2005; www.gcn.com/online/vol1_no1/37426-1.html.

30. Cyber Security Industry Alliance, “Digital Confidence Index” (May 2006), www.csialliance.org/publications/surveys_and_polls/index.html.

31. D. Kaplan, “IT Leaders Team Up to Lobby Congress for Privacy Law,” SC Magazine, June 20, 2006; www.scmagazine.com/us/newsletter/dailyupdate/article/20060621/565405/. See also “Tech Heavyweights Join Effort for Federal Privacy Law,” TechWeb, June 21, 2006; www.darkreading.com/document.asp?doc_id=97668.

32. Interested readers may track emerging legislation via several Web sites: “Legal & Regulatory Topics: Legislation” portal of Dark Reading Security Insider, TechWeb Business Technology Network, www.darkreading.com/topics.asp?node_id=1678

33. A powerful tool for tracking U.S. legislation is the Library of Congress THOMAS database (http://thomas.loc.gov/), which provides various search tools including keyword entry and bill number selection.

34. Library of Congress THOMAS: About Floor Actions, http://thomas.loc.gov/home/floor.html.

35. Information about emerging privacy-oriented legislation can be gleaned from tracking services such as the Electronic Privacy Information Center (EPIC) Bill Track, www.epic.org/privacy/bill_track.html.

36. To locate the current status of a bill, use the “Search Bill Summary & Status” for the current Congress available from the “Bills, Resolutions” page of THOMAS at http://thomas.loc.gov/home/bills_res.html.

37. M. Mosquera, “States to Assess Privacy Laws for HHS Health IT Effort,” Government Computer News, May 23, 2006; www.gcn.com/online/vol1_no1/40850-1.html. See also: “22 States Join National Health Information Privacy and Security Collaboration,” HIPAAdvisory, May 25, 2006; www.hipaadvisory.com/news/newsarchives/2006/0525rti.htm.

38. C. Carlson, “Industry Lobbies against Cyber-Security Mandates.” Enterprise News & Reviews, September 27, 2005; www.eweek.com/article2/0,1895,1864330,00.asp.

39. 104th Congress of the USA, “Health Insurance Portability and Accountability Act of 1996,” Public Law 104-191, August 21, 1996 (implementing regulations codified at Code of Federal Regulations (CFR) Title 45 Parts 160, 162, and 164); http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=104_cong_public_laws&docid=f:publ191.104.pdf or http://tinyurl.com/5z4csd.

40. A national patient identifier requirement is also part of the HIPAA law; however, because of the expected widespread controversy, a standard has not yet been specified.

41. In practice, as a continuing stimulus to migrate toward cheaper, e-business models, many healthcare insurance carriers are charging providers a per-transaction premium for submitting paper-based transactions.

42. United States Department of Health & Human Services, “HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments,” September 23, 2005. Proposed Rule, 45 CFR Part 162, Federal Register 70, No. 184 (2005): 55989-56025; http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-18927.htm or http://tinyurl.com/5fng7e.

43. J. Spencer and M. L. Bushman, “The Next HIPAA Frontier—Claims Attachments,” HIPAAdvisory (March 2006); www.hipaadvisory.com/action/tcs/nextfrontier.htm.

44. Many more transaction types will be standardized under additional HIPAA rules.

45. For example, see D. Heffley, “Under the Microscope: Health Insurance Applications,” HealthNews, July 9, 2008; www.healthnews.com/blogs/dan-heffley/health-related-products/under-microscope-health-insurance-applications-1333.html.

46. Any questions concerning interpretations of the HIPAA regulations issued by the Department of Health and Human Services can be submitted via e-mail to: [email protected].

47. The initial draft HIPAA security regulations included an electronic signature standard, which, according to the final HIPAA security rule, is to be finalized later. The intent of the electronic signature standard was to require a reliable method of ensuring message integrity, nonrepudiation, and user authentication for HIPAA-specified transactions by verifying both the identity of the person signing a transaction and the authenticity of the PHI included in the transaction.

48. The Health Privacy Project maintains a list of several other myths (and truths) about the HIPAA privacy regulations. See: www.healthprivacy.org/info-url_nocat2303/info-url_nocat_show.htm?doc_id=173435 or http://tinyurl.com/q6hx.

49. This is not to imply that an organization that is not a covered entity but nonetheless holds such healthcare information should not abide by the types of requirements articulated in the HIPAA regulations; they are typical industry best-practice requirements. It simply is not legally obliged to do so under the HIPAA law.

50. United States Department of Health and Human Services Centers for Medicare & Medicaid Services, “Are You a Covered Entity?” December 14, 2005; www.cms.hhs.gov/HIPAAGenInfo/06_AreYouaCoveredEntity.asp.

51. Analog forms of information such as paper-to-paper fax, voice telephony, mail, and so on are not within HIPAA's scope.

52. In effect, technology neutrality acts to increase the longevity of the HIPAA law by allowing healthcare entities to use the latest and most promising, emerging information protection solutions and tools.

53. There may be situations wherein precedence priorities between jurisdictional laws can cause problems (see Section 71.6.6).

54. In some situations, for example, covered entities may need to replace older IT systems that cannot meet HIPAA requirements, such as maintaining transaction logs with detailed information about each data exchange involving personally identifiable patient information.

55. United States Department of Health and Human Services Centers for Medicare & Medicaid Services, “Security Information Series” (7-part series), December 12, 2007; www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp.

56. United States Department of Health and Human Services, Office for Civil Rights, “Standards for Privacy of Individually Identifiable Health Information,” April 3, 2003; www.hhs.gov/ocr/hipaa/guidelines/guidanceallsections.pdf.

57. The NIST reference provides an introductory-level understanding of HIPAA security concepts and of the activities useful in implementing an information security program. Examples of acceptable ways to meet HIPAA requirements are given. It also cross-maps HIPAA requirements to other government standards, such as other NIST publications and FISMA, and so is especially useful to government agencies that must comply with both HIPAA and FISMA. See also NIST Special Publication 800-100, “Information Security Handbook: A Guide for Managers” (March 2007), http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf.

58. American Council for Technology and Industry Advisory Council: Security & Privacy Shared Interest Group (SIG) Compliance Committee, “Federal Regulatory Compliance Guide and Matrix,” November 3, 2005; www.actgov.org/actiac/documents/051018FedRegComplianceMatrix.pdf.

59. WPC, HIPAA EDI Implementation Guides (2008); www.wpc-edi.com/hipaa. (Complete set of PDF downloads $2000.)

60. See, e.g., “HIPAA Academy Certified Solutions,” www.hipaaacademy.net/consulting/certified_solutions.html; “Healthcare Intelligence Network,” www.hin.com/hipaacomply.html; and E. Chickowski, “Roundup 2006: A Health Approach,” SC Magazine, December 14, 2006; www.scmagazineus.com/Roundup-2006-A-healthy-approach/article/34262/ or http://tinyurl.com/4fqemv.

61. Certification Commission for Healthcare Information Technology, “Final Criteria: Security & Reliability for 2006 Certification of Ambulatory Electronic Health Records,” May 1, 2006; www.cchit.org/files/Ambulatory%20Domain/Final%20Criteria%20-%20SECURITY-RELIABILITY%20-%20Ambulatory%20EHRs%20-%202006.pdf or http://tinyurl.com/4ystb7.

62. The long-term viability of this publicly funded, private organization and its initiatives is uncertain. Other similar efforts have not survived.

63. United States Department of Health and Human Services, Office of the Secretary, “45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule,” Federal Register 68, No. 34 (2003): 8334–8381; www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf or http://tinyurl.com/eyl7k.

64. The HIPAA privacy requirements apply to protected health information in any form, including, for example, paper form, whereas the HIPAA security requirements apply only to protected health information in electronic form.

65. For many of the privacy requirements, the HIPAA privacy regulations law may specify certain exceptions that apply to a specific requirement as summarized in general terms herein.

66. U.S. Department of Health and Human Services, Office of the Secretary, “45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule.”

67. U.S. Department of Health and Human Services, Office of the Secretary, “45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule.”

68. S. Weil, “The HIPAA Security and Privacy Rules—Intersections and Dependencies,” HIPAAdvisory, n.d.; www.hipaadvisory.com/action/security/intersectdepend.htm.

69. United States Department of Health & Human Services, Centers for Medicare & Medicaid Services, “Security Standard Overview” (2007); www.cms.hhs.gov/SecurityStandard/.

70. United States Department of Health & Human Services, Centers for Medicare & Medicaid Services, “Enforcement Overview” (2005); www.cms.hhs.gov/Enforcement/.

71. United States Department of Health & Human Services, Office for Civil Rights, “Medical Privacy—National Standards to Protect the Privacy of Personal Health Information” (2008); www.hhs.gov/ocr/hipaa/.

72. United States Department of Health & Human Services, Office for Civil Rights, “How to File a Health Information Privacy Complaint with the Office for Civil Rights” (2008); www.hhs.gov/ocr/privacyhowtofile.htm.

73. M. McGee, “Computers with Patient Data Stolen on Eve of HIPAA Security Rules,” Information Week, April 13, 2005; www.informationweek.com/story/showArticle.jhtml?articleID=160702270.

74. Whistleblowers have a safe harbor: the HIPAA privacy rule (45 CFR 164.502(j)) permits a workforce member or business associate to disclose PHI in good faith to a health oversight agency, an accreditation body, or an attorney when reporting conduct believed to be unlawful or to endanger patients.

75. N. R. Mead, “Who Is Liable for Insecure Systems?” Computer (IEEE Computer Society) 37, No. 7 (July 2004): 27–34. (Membership or purchase required.) http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/mags/co/&toc=comp/mags/co/2004/07/r7toc.xml&DOI=10.1109/MC.2004.69 or http://tinyurl.com/4wzf92.

76. B. Brenner, “Are Hospitals Gaining on HIPAA?” SearchSecurity, May 16, 2005; http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1088594,00.html or http://tinyurl.com/4xvbao.

77. America's Health Insurance Plans, “Electronic Processing of Health Claims Speeds Payments, Cuts Costs,” May 25, 2006; www.ahip.org/content/pressrelease.aspx?docid=16454.

78. There are potential pitfalls in ready, electronic availability of patient information. For example, while insurance carriers are able to run their businesses more effectively (and presumably cheaper) with electronic claims conveying electronic PHI, might some carriers use PHI to profile patients against actuarial data and to tailor insurance premiums to each patient?

79. J. Vijayan, “Progress Is Slow on HIPAA Security Rules: Data Mandates Aren't Driving Health Care Companies to Comply,” Computerworld, September 12, 2005; www.computerworld.com/securitytopics/security/story/0,10801,104543,00.html or http://tinyurl.com/4c3nmg.

80. HIMSS/Phoenix Health Systems, “US Healthcare Industry HIPAA Compliance Survey Results: Winter 2006,” HIPAAction; www.hipaadvisory.com/action/surveynew/results/winter2006.htm. A conflicting survey indicates that, in 2006, hospital and insurance executives were reporting serious problems in processing electronic claims and had to revert to paper in many cases: G. Fest, “Medical Banking: Paper Processing Is No Rx For Payments,” Bank Technology News (May 2006); www.americanbanker.com/$nocookies$/btn_article.html?id=20060501SPFRIPK6 or http://tinyurl.com/4fgl7h.

81. D. Guerin Gue and R. Upham, “The HIPAA Prescription for Healthcare—Why Isn't It Working?” Health Management Technology (September 2004); www.healthmgttech.com/archives/0904/0904the_hipaa.htm.

82. F. Fogarty, “Stitching Up Health Records: Privacy Compliance Lags,” eWeek, April 16, 2006; www.eweek.com/c/a/Health-Care/Stitching-Up-Health-Records-Privacy-Compliance-Lags/ or http://tinyurl.com/4u6o3d.

83. M. L. Baker, “Study: Providers Come Up Short on HIPAA Privacy Compliance,” Enterprise News & Reviews, Ziff Davis Internet, April 14, 2005; www.eweek.com/article2/0,1895,1787237,00.asp.

84. At about the time that HIPAA's Security Regulations went into effect, it was estimated that large organizations were already typically 70 to 90 percent compliant: Shari Weiss, “It's a Slow Cure, But Healthcare Gets a Grip on HIPAA,” Information Week, June 6, 2005; www.informationweek.com/news/showArticle.jhtml?articleID=164300712.

85. Bill Brenner, “March to HIPAA: The Best Insurance Policy,” SearchSecurity.com news service, March 15, 2005; http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1067093,00.html.

86. N. Ferris, “Privacy Rule Compliance Said to Be Diminishing,” Government HealthIT, April 19, 2006; www.govhealthit.com/online/news/94120-1.html.

87. Cath Everett, “Red Tape Binds Virtual, Physical Security,” Infosecurity Today (May/June 2005); www.infosecurity-magazine.com/features/mayjune05/redtape_mayjun.html.

88. Rob Preston, “Opinion: Overregulation Isn't the Answer to Security Breaches,” InformationWeek, July 15, 2005; www.informationweek.com/story/showArticle.jhtml?articleID=165702843.

89. Marcia Savage, “Companies Lack Resources to Meet Privacy Requirements,” SC Magazine, August 31, 2005; www.scmagazine.com/uk/news/article/493030/companies+lack+resources+meet+privacy+requirements/.

90. Everett, “Red Tape Binds Virtual, Physical Security.”

91. Compliance assessment automation tools may help reduce costs and inefficiencies associated with ongoing compliance monitoring and with managing the associated ongoing documentation and processes.

92. eWeek, www.eweek.com/article2/0,1759,1949646,00.asp.

93. On the other hand, pursuing PHI misuse charges that involve a covered entity's business associates can become a legal quagmire of court suits based on breach of contract, since business associates are bound to the covered entity by contract rather than directly by the regulations.

94. “Governance,” Security Watch Email Newsletter, July 11, 2005.

95. D. Kaplan, “Settlement Reached on Huge N.Y. Privacy Breach,” SC Magazine, March 13, 2006; www.scmagazine.com/uk/news/article/546177/settlement+reached+huge+ny+privacy+breach/.

96. S. C. Withrow, “HIPAA Compliance: Where Are the Savings?” January 15, 2002, Withrow, McQuade & Olsen, LLP, Atlanta, GA; www.wmolaw.com/hipaasavings.htm#N_4_.

97. See, e.g., page 8373 of the HIPAA security regulations, www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf.

98. Predicted to be $3.7 billion, nationwide, for 2005. See S. Marlin, “Add It Up: Compliance Doesn't Come Cheap,” InformationWeek, March 21, 2005; http://www.informationweek.com/news/management/showArticle.jhtml?articleID=159902182.

99. See current HIPAA compliance surveys, such as follow-on surveys to www.hipaadvisory.com/action/surveynew/results/winter2006.htm.

100. This estimate takes into account only one-time costs such as system conversion/upgrade costs, start-up costs of automation, and training costs. It does not take into account the recurring costs of monitoring and maintaining HIPAA compliance.

101. HHS, Health Care Financing Administration, “Health Insurance Reform: Standards for Electronic Transactions,” 45 CFR Parts 160 and 162, Federal Register 65, No. 160 (August 17, 2000): 50351; www.njha.com/hipaa_section/pdf/hipaa-fr-standards.pdf.

102. With regard to the 2006 data breach of some 26.5 million personal records at the Department of Veterans Affairs, the recovery cost just “to pay for credit reports, monitoring and potential damage” was estimated at $250 million.

103. H. Hayes, “HIPAA: Best if Used by…,” Government HealthIT, June 12, 2006; www.govhealthit.com/print/3_12/news/94795-1.html.

104. K. Young, “IT Security Weakened by Compliance Issues: Red Tape Driving the Security Agenda, Says Report,” vnunet.com, November 2, 2005; www.vnunet.com/vnunet/news/2145330/regulatory-red-tape-ties.

105. National Institutes of Health, “HIPAA Privacy Rule: Information for Researchers,” http://privacyruleandresearch.nih.gov/.

106. See HIPAA privacy regulations, Section IV, Final Regulatory Impact Analysis, subsection 5, Research, p. 53258; www.hhs.gov/ocr/hipaa/privrulepd.pdf.

107. M. E. Kabay, “Unexpected Consequences of HIPAA,” Security Strategies Newsletter, Network World, June 6, 2006; www.networkworld.com/newsletters/sec/2006/0605sec1.html.

108. Methods for de-identifying medical records are being investigated. See, e.g., N. Ferris, “Hidden Keys to Health,” Government HealthIT, February 13, 2006; www.govhealthit.com/print/3_1/features/92279-1.html.

109. B. Brewin, “Privacy, Security Keys to EHR Adoption Globally,” Government HealthIT, June 29, 2005.

110. Ferris, “Privacy Rule Compliance Said To Be Diminishing.”

111. Tony Kontzer and Larry Greenemeier, “Sad State of Data Security,” InformationWeek, January 2, 2006; http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=175800226.

112. Paul McDougall, “High Cost of Data Loss,” InformationWeek, March 20, 2006; http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=183700367&pgno=2.

113. PR Newswire, “Health Care Industry Leaders Convene to Address Security Vulnerabilities in Health Information Systems,” June 6, 2006; www.prwebdirect.com/releases/2006/6/prweb395154.php.

114. Health Information Trust Alliance (HITRUST), www.hitrustalliance.org/.

115. Electronic Healthcare Network Accreditation Commission (EHNAC), Healthcare Network Accreditation Program (HNAP), www.ehnac.org/content/view/145/203/.

116. URAC, HIPAA Privacy Accreditation Program, www.urac.org/programs/prog_accred_HIPAAP_po.aspx.

117. URAC, HIPAA Security Accreditation Program, http://www.urac.org/programs/prog_accred_HIPAAS_po.aspx?navid=accreditation&pagename=prog_accred_HIPAAS.
