The heat has been turned up for those charged with bringing their institutions into HIPAA compliance, reports Greg Masters.
In the good old days, the IT staffs at a lot of hospitals did what they could to protect their patients’ privacy, but there was little in the way of requirements or enforcement. But, with increasing instances of data breaches and the introduction of HIPAA and other state and federal mandates, closer attention is being paid to these privacy concerns.
The challenges are daunting. Access to health care records can come from any number of places – from hospital staff tapping into the database, or from malicious outsiders hacking their way into the database to mine the valuable personal information it holds.
Larry Whiteside Jr., chief information security officer, Visiting Nurse Service of New York (VNSNY), which provides home health care and community-based health services in the five boroughs of New York City and Nassau County on Long Island, argues that HIPAA has little bite.
“The infractions that companies have been fined for have been due to publicly identified breaches that affect public confidence in the company and health care systems,” he says. “HIPAA has to step into those situations with a big hand. For those of us that have not had a breach, but take security seriously, we focus on things that deal with reducing risk. That’s the underlying factor for everything, RISK.”
All HIPAA does, he adds, is provide some general security guidelines that are specific to the health care vertical. “I don’t know one entity that has had a government agency come through and hit them with fines and sanctions due to not meeting HIPAA regulations. The reality is that everyone wants to be secure, everyone wants to reduce risk, everyone wants to be compliant (eventually).”
It’s just that the roads companies take to get there are all different, says Whiteside. Some entities actually hit potholes while on that road (the breaches we have seen). Those that don’t hit that pothole hit speed bumps instead (budget, executive buy-in, etc.), he says.
“Regardless of the obstacle that is hit or the direction we started in, we are all on a road with a big secure sign at the end,” he says.
Despite the caveats, all the regulations, including HIPAA, have benefits, and those benefits lie in the guidance they provide, he says, adding that the Visiting Nurse Service of New York takes HIPAA seriously.
But, the organization, the largest not-for-profit home health care agency in the nation, is not completely focused on just being HIPAA compliant.
“My more overall goal is to be secure,” says Whiteside. “Thus, I will inherently be compliant through being secure.”
There is no one-stop shop for security, however.
“Having regulations allows specific industries a way to focus in on the things that should matter to them and allow them to prioritize what should be done first based on their industry and regulations,” says Whiteside. “Am I saying that in health care one should meet all their HIPAA requirements before addressing anything else? No, I am saying that when you look at becoming a secure organization and you begin trying to determine what to address first, things like HIPAA help you make that decision.”
Across the border
Our neighbors to the north in Canada have similar compliance laws in place, many based on U.S. legislation, says Bobby Singh, director of information security at Smart Business Systems for Health Agency eHealth Ontario, an agency of the Ontario Ministry of Health and Long-Term Care.
Singh, who has the advantage of having worked in the States before moving to Canada several years ago, says Canadians are much more cognizant than their U.S. neighbors of privacy issues and how personal information is handled.
“More proactive steps are taken in Canada,” he says. While HIPAA allows some flexibility and provides suggested guidelines more than prescriptive steps, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), a federal law, mandates how entities collect, use and disseminate sensitive personal information.
In addition, there are some provincial acts in the health care space that replace the federal regulations – for example, the Personal Health Information Protection Act (PHIPA), in Ontario where Singh works.
But, even though matters are somewhat simplified in Canada by having only one state-run HMO, hospitals and health care facilities on both sides of the border face similar issues in protecting patient data, says Singh.
While the system may be a bit simpler in Canada, there is, on the other hand, a political component, since the state runs the health care system.
“There’s somewhat of a big brother approach,” says Singh. “The government defines what doctors and patients should be doing as far as managing personal data.”
The prescription, he adds, just may be a higher level of priorities. “Hospitals need to talk to each other so data can be electronically transferred.”
He’s optimistic that as the process evolves, those in charge of the health care system will gain a better understanding of how to use IT for efficiencies.