HIPAA stakes are high: Penalties for non-compliance include personal civil and/or criminal penalties of up to $250K and up to 10 years in prison per incident.
By Peter Gerr
Last year, two of the three provisions of Title II of the Health Insurance Portability and Accountability Act (HIPAA) went into effect. Next April, the third provision—the Security Rule—becomes law. While healthcare organizations (HCOs) of all sizes must comply with the first two provisions of the act, the Enterprise Strategy Group (formerly the Enterprise Storage Group) believes the Security Rule will have the greatest effect on healthcare organizations and on the way data is ultimately retained and managed within the industry.
This article offers a concise review of the Security Rule—specifically the sections related to data protection and contingency planning. Furthermore, it sorts through the various data-protection and storage management activities and identifies those that will be affected by the Security Rule, showing IT professionals where they should focus their efforts to quickly identify risks and potential areas of efficiencies.
Fully complying with HIPAA requires the coordination of people, processes, and technological solutions.
Indeed, perhaps no other regulation is as explicit as the Security Rule in its mandate to improve information management, security, and protection. To comply with this act, medium-sized and large companies must transition from paper-based systems to electronic ones.
Clearly, modernizing our healthcare IT systems is a priority for the Bush administration. Just last April, President Bush announced the Health Information Technology Plan, which has the lofty goal of ensuring that the records of most Americans are stored electronically within 10 years. However, policy alone won't transform this industry; technology improvements are necessary as well.
The impact on data protection
Contained within the pages of the Administrative Safeguards of the Security Rule is the following subsection [§164.308(a)(7)(i)] related to contingency plans. According to this subsection, HCOs and covered entities (CEs) must:
"...Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information (PHI)."
But what are the actual "required" elements and what are the "addressable" sections of this rule? Before we review the five major data-protection activities (or implementation specifications) that are outlined in the body of the Security Rule, this simple question must be answered.
"Addressable" activities differ from "required" activities in one simple way: They are not mandatory if CEs and HCOs can prove that the particular specification is unreasonable or inappropriate in light of their business. CEs that choose not to implement one of the addressable specifications, as defined within the HIPAA rules, must submit documented proof that they are already in compliance with that section of the rule. They must also describe how their alternate solution meets the standard.
As it stands today, two of the five implementation specifications are "addressable," though all five were required in the act's original format. While ESG believes that CEs investing in all five activities is worthwhile to an organization's overall effort to protect electronic Protected Health Information (ePHI), we realize that many CEs have limited IT and financial resources, which may make it difficult for them to "address" all five.
The table outlines the five key implementation specifications of the HIPAA Security Rule. The middle column details storage management, contingency planning, and data-protection operations that will be affected by the rule. The last column is designed to provide IT professionals with a basic set of questions they should consider when assessing their organizations' preparation to meet the requirements.
The bottom line
The great irony of this country's healthcare system is that the combined efforts of doctors and medical facilities to constantly improve the quality of care are being undermined by 19th-century paper-based data management systems.
By harnessing just a fraction of available compute and storage resources, we can drastically reduce the time required to diagnose a patient and administer treatment. This, in turn, can reduce the average hospital stay of a patient and help stabilize the skyrocketing costs of healthcare.
Though ESG does not believe the HIPAA Security Rule is a panacea for the healthcare industry, we do believe that the rule will shine a spotlight on the state of the country's health IT systems. Though costly, compliance with the new HIPAA will help organizations improve the tools and processes with which we protect valuable and important information.
Peter Gerr is an analyst at the Enterprise Strategy Group (www.enterprisestrategygroup.com) in Milford, MA.
A little background
The HIPAA Act went into effect in 1996. It has two main sections: Title I, with which most people are familiar, provides continuation of healthcare insurance coverage for workers who are in the process of changing jobs; and Title II, the Administrative Simplification portion.
Title II has three subsections or provisions: the first two—Transactions and Code Sets and Privacy Rules, respectively—went into effect during 2003-2004 and apply to all HCOs (large and small) as well as other covered entities (CEs) that must comply with HIPAA. All but the smallest HCOs must address the third provision—the Security Rule—by April 2005 (see figure).
The HIPAA Security Rule defines a complete spectrum of administrative, physical, and technical safeguards that must be in place to protect the availability, integrity, and most of all, the confidentiality of patient information.
The personal penalties for non-compliance
Protecting and securing electronic Protected Health Information (ePHI), including patient medical records, is analogous to financial services companies protecting personal investment and financial information for their customers.
Like it or not, companies like Enron, Andersen Consulting, and Credit Suisse have become the poster children for compliance in the financial services market, and healthcare experts believe the same fate awaits a number of non-complying HCOs. The HIPAA stakes are high: Penalties for non-compliance include personal civil and/or criminal penalties of up to $250,000 and up to 10 years in prison per incident.
Healthcare CIOs are now faced with the challenge of complying with HIPAA, and protecting and securing ePHI, while balancing shrinking budgets and competing priorities. Meanwhile, the federal government has been slow to put resources in place to help organizations with compliance preparation.
This article is meant to serve as a catalyst for discussion among the many IT managers, business continuity and contingency planners, and healthcare business leaders who are involved with managing HIPAA compliance.
Who needs to comply with HIPAA?
Obviously, healthcare providers such as hospitals, health plans, and healthcare insurance clearinghouses must comply with HIPAA, but the regulation's definition of "covered entity" is much broader and essentially includes any organization that provides healthcare insurance to its employees. According to the definition, a CE is any organization that
- Administers enrollment and dis-enrollment in a healthcare plan;
- Administers health plan payments;
- Administers referral certification/authorization;
- Administers the first report of an injury or health claim;
- Determines and administers eligibility for a health plan;
- Is involved in the coordination of healthcare benefits;
- Transmits healthcare claims; and
- Transmits healthcare payment and remittance advice.
It is safe to assume that the government will focus much of its energy and resources on the areas of greatest risk: ensuring HIPAA compliance within the largest HCOs—that is, organizations with 1,000 beds or more. Depending on how they apply themselves, the largest HCOs and other CEs will be positive or negative HIPAA compliance role models for the rest of the industry. The ultimate goal is to consistently improve the quality of care while minimizing risks and maximizing ROI—in this case "ROI" means both "return on investment" and "return on information."