I recently had the pleasure of listening to Sue McAndrew, the Deputy Director for Health Information Privacy of the HHS Office for Civil Rights, at the annual 2012 NCHICA conference. Lately I’ve been spending hours reviewing documentation with sales, customers, and partners at McAfee, and it was refreshing to hear from an industry leader on the current state of HITECH and HIPPA. McAndrew laid out the goals and current state of the industry, but not without some criticisms.
McAndrew noted the reality of HIPAA is not about absolutes. You cannot guarantee sensitive data will remain secure, but it is more about building trust with customers and hoping the data stored will improve patient care. In order for patients to confidently participate, McAndrew reinforced that appropriate measures must be taken to ensure privacy.
The problem HITECH tries to solve is that a culture of voluntary compliance is not enough – and the latest industry data supports this notion. According to the Information Security Media Group’s 2011 Survey Executive Summary, “Safeguarding Patient Information – Unfinished Business”, 26% of organizations have failed to conduct a risk assessment required by HIPAA.
HITECH ups the ante, and brings to the table breach notification, auditing, and the ability for State Attorney Generals to litigate. Breach notifications (also referred to as the “wall-of-shame”) are meant to bring transparency and give customers tangible evidence of the process at work. During McAndrew’s presentation, one attendee asked if “you can ever get off the wall-of-shame”? McAndrew noted a yearly archive is currently in development, and will allow only current offenses to be prominently displayed. Another attendee replied, “even prisoners get pardons”.
One of HITECH’s objectives was to create incentives and therefore encourage adoption of digitized systems through the “Meaningful Use of Electronic Health Records Systems”. However, reality is the incentive payout doesn’t come close to overall cost of the systems, implementation and additional security controls required. Estimates from attendees speculate cost coverage would only be about 30% from these incentives (at best).