HIPAA and HITECH Compliance: A Proactive Opportunity to Address Risk
By Brian Cleary
Hospitals and physicians are adopting EHRs and other IT faster than ever. Many are in a race to prove meaningful use to qualify for cash incentives under the HITECH Act in 2011.
For others, it’s the fear of a looming data breach, financial penalties, and negative publicity that’s driving them to trade in manual processes for safe and more secure ways of storing and accessing patient data.
Just this summer, five California hospitals were slapped with hefty fines totaling $675,000 for failing to prevent unauthorized access to patient medical records. Although the fines were imposed under two 2008 California laws, they’re a sobering reminder of similar costly penalties for violations under the HITECH Act.
Regardless of what’s lighting the fire, the good news is that organizations are viewing the HITECH Act as an opportunity to proactively improve existing frameworks and implement new processes to better protect sensitive patient data.
To ensure a smooth transition that will meet compliance requirements, it’s important that organizations first fully understand the act’s stipulations, what’s at risk, and how compliance minimizes risk.
The HITECH Act: Who It Hits Hardest
The HITECH Act imposes new, more stringent regulatory and security requirements on HIPAA privacy rules and increases penalties for violations. It increases demands on healthcare organizations in the areas of audit and notification.
Organizations are also impacted by requirements for on-demand patient audit requests. These audits must show who had access to health records, notify patients whose information may have been compromised, and provide reports detailing the origin and nature of any given incident.
Compliance is particularly difficult for organizations without strong access governance processes and policies in place. These providers have no way to provide a historical audit trail of who accessed health records.
What’s at Risk
As public privacy concerns continue to grow more widespread, HITECH Act violations will take center stage in the latter part of 2010 into 2011.
Fines can be substantial—up to $250,000—and criminal penalties can be imposed. Besides the financial hit, violations can also damage reputation and brand image. For example, several staff members at UCLA Medical Center tarnished the university’s reputation when they took advantage of inappropriate access to leak information on celebrities to the press, causing serious HIPAA violations.
One area that will continue to lead to a significant number of audit findings is access change management, and stringent HITECH Act guidelines will make it even more challenging from a control perspective. Organizations must shore up processes for governing requests for initial access and changes to existing access due to transfers and terminations.
Healthcare organizations often struggle to maintain a consistent approach for governing user access and, as a result, may have an incomplete or fragmented picture of compliance. This is partly due to the sheer volume of change to the user constituent population. User relationships and roles are constantly changing as employees, contractors, consultants, and partners move in and out of different job functions and operational groups.
Today’s healthcare system is often fragmented and widely diverse, with patient data being stored in multiple systems and locations. The trend toward outsourcing usually means patient data is stored outside the organization, with outsourced providers. This fragmentation and distribution further complicates an IT team’s ability to gain a clear picture of the access reality and ensure that entitlements are governed accordingly.
Change will become so overwhelming for these organizations that processes for governing access won’t keep up with reality. Organizations typically do an adequate job controlling initial access requests but when users transfer or terminate their relationship, it’s more problematic because most providers lack a standardized process for dealing with access change. The result can be orphaned accounts, segregation of duties violations, and other compliance-related problems.
Certification and review are the standard safeguards against access violations from poor change management. However, many healthcare organizations rely on manual processes laden with errors.
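The access-change failure modes described above (orphaned accounts after terminations, entitlements left behind after transfers, segregation-of-duties conflicts) and the patient audit request described earlier ("who had access to my record") can both be answered from the same three inputs: an authoritative HR roster, an entitlement export from the EHR, and the EHR access log. The following script is an added example written for this page; it is not the author's or Aveksa's code, and every roster entry, entitlement, role-model rule, SoD rule and log line in it is constructed sample data.

```python
"""Reconcile an HR roster against EHR entitlements and flag access-change gaps
(orphaned accounts, stale entitlements after a transfer, segregation-of-duties
conflicts), then answer a patient access-history request from the access log.
All data below is constructed for illustration, not from any real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Worker:
    user_id: str
    department: str
    status: str  # "active" or "terminated"


# Constructed HR roster: the authoritative source of who should have access.
HR_ROSTER = {
    "jdoe": Worker("jdoe", "Billing", "active"),
    "asmith": Worker("asmith", "Nursing", "active"),   # transferred in from Pharmacy
    "bjones": Worker("bjones", "Pharmacy", "terminated"),
}

# Constructed entitlement export from the EHR: user -> set of entitlements.
EHR_ENTITLEMENTS = {
    "jdoe": {"claims.submit", "claims.approve"},   # holds both halves of an SoD pair
    "asmith": {"chart.read", "rx.dispense"},        # rx.dispense left over from Pharmacy
    "bjones": {"rx.dispense"},                      # terminated but still provisioned
    "svc_legacy": {"chart.read"},                   # no HR record at all
}

# Constructed role model: entitlements each department is allowed to hold.
DEPARTMENT_ROLE_MODEL = {
    "Billing": {"claims.submit", "claims.approve"},
    "Nursing": {"chart.read"},
    "Pharmacy": {"rx.dispense"},
}

# Constructed SoD rule: no single user may hold both entitlements in a pair.
SOD_CONFLICTS = [("claims.submit", "claims.approve")]

# Constructed EHR access log: (timestamp, user, patient_id, action).
ACCESS_LOG = [
    ("2010-09-01T08:02", "asmith", "P-1001", "view"),
    ("2010-09-01T09:15", "bjones", "P-1001", "view"),
    ("2010-09-02T14:40", "jdoe", "P-2002", "view"),
]


def find_orphaned_accounts(roster, entitlements):
    """Accounts with no active HR owner: terminated workers or IDs HR does not know."""
    return sorted(u for u in entitlements
                  if u not in roster or roster[u].status != "active")


def find_stale_entitlements(roster, entitlements, role_model):
    """Active users holding entitlements outside their current department's role."""
    findings = {}
    for user, ents in entitlements.items():
        worker = roster.get(user)
        if worker is None or worker.status != "active":
            continue  # reported by the orphan check instead
        extra = ents - role_model.get(worker.department, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def find_sod_violations(entitlements, conflicts):
    """Users holding both entitlements of a conflicting pair."""
    return sorted((user, a, b) for user, ents in entitlements.items()
                  for a, b in conflicts if a in ents and b in ents)


def patient_access_history(log, patient_id):
    """Who touched one patient's record and when, for an on-demand audit request."""
    return [(ts, user, action) for ts, user, pid, action in log if pid == patient_id]


def accesses_by_orphaned_accounts(log, roster, entitlements):
    """Log entries made by accounts that should not exist: the incidents to notify on."""
    orphans = set(find_orphaned_accounts(roster, entitlements))
    return [entry for entry in log if entry[1] in orphans]


if __name__ == "__main__":
    print("orphaned:", find_orphaned_accounts(HR_ROSTER, EHR_ENTITLEMENTS))
    print("stale:", find_stale_entitlements(HR_ROSTER, EHR_ENTITLEMENTS, DEPARTMENT_ROLE_MODEL))
    print("sod:", find_sod_violations(EHR_ENTITLEMENTS, SOD_CONFLICTS))
    print("P-1001 history:", patient_access_history(ACCESS_LOG, "P-1001"))
    print("orphan accesses:", accesses_by_orphaned_accounts(ACCESS_LOG, HR_ROSTER, EHR_ENTITLEMENTS))
```

The design point is that none of these findings are visible from the EHR alone: orphaned accounts only appear when the entitlement export is joined to an authoritative roster, stale entitlements only appear against a per-department role model, and an access by a terminated user only becomes an incident when the audit log is cross-referenced with that reconciliation. Running such a reconciliation on a schedule, and keeping the access log queryable by patient, is what turns the certification-and-review safeguard from a manual spreadsheet exercise into a repeatable control.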
Minimizing Risk With Compliance
To become HIPAA compliant and ensure compliance with the requirements brought on by the HITECH Act, many of these manual processes need to be replaced. It’s an excellent opportunity to proactively implement an access governance framework that leverages the overlap with other regulatory obligations such as Sarbanes-Oxley.
Such a framework provides a comprehensive view of enterprise access reality—understanding who has what access to which information resources and what they can do at a fine-grained entitlement level. It will also pay dividends both in terms of operational and compliance risk reduction and in a reduction of the operational overhead required for ongoing compliance processes.
— Brian Cleary is vice president of products and marketing at Aveksa, a provider of enterprise access governance solutions.