
HIPAA and Security: Patient Privacy and Security

July 3, 2011

HIPAA, the Health Insurance Portability and Accountability Act, affects how healthcare providers and payers conduct traditional and electronic business. The healthcare industry focused on HIPAA after Congress passed the legislation in 1996 and as compliance deadlines came due for HIPAA’s component sections.

HIPAA gave Congress three years to enact privacy legislation; when that deadline passed in 1999 without a statute, the task fell to the Department of Health and Human Services, which crafted a comprehensive national policy designed to:

o   Standardize the way all healthcare organizations electronically process certain transactions, including many that contain patient data
o   Protect patients from unauthorized disclosure of their medical records

This legislative impetus reaches far and wide because it requires all health plans, healthcare clearinghouses, healthcare providers that process electronic transactions, and certain business associates to comply with its provisions for protecting the electronic handling of patient data. All institutions affected by HIPAA are paying careful attention to the risks of noncompliance. These risks include substantial civil penalties and, potentially, criminal prosecution. As a result, the industry and its representative organizations have evaluated a wide range of IT security technologies that enable appropriate and cost-efficient compliance.

This paper takes an updated look at the impact of HIPAA privacy and the security regulations associated with privacy for both healthcare providers and those vendors that supply applications to them. It examines best practices and effective IT security strategies for integrating technologies into overall solutions that help organizations of all sizes ensure cost-effective HIPAA compliance as their businesses grow and change over time.

Approach
The primary research in this paper was conducted at two different points in time. In 2001, IDC captured insights from hospitals and insurers preparing for the 2003 HIPAA privacy compliance deadlines. At that time, IDC conducted six in-depth interviews with senior executives responsible for HIPAA compliance at a range of covered entities. We selected very large institutions whose size and complexity dictated early focus on implementing HIPAA-compliant solutions.

Representatives included large hospital and research institutions, HMO health networks, and application providers. In these discussions we explored the challenges the new legislation imposed as well as the institutions’ plans for dealing with the legislation and their goals in relation to long-term compliance.

To capture the impact of changes since the 2003 deadline, IDC conducted a series of in-depth interviews with four senior compliance executives at providers and a provider association in 2004. This paper reflects how actual implementation challenges and experiences have impacted the policies and practices major providers and insurers have established to enable HIPAA compliance.

Impact of HIPAA Legislation
Many security and privacy industry observers would say that the HIPAA legislation simply elevates and legislates normal and safe security practice. As a healthcare provider’s CIO stated, “HIPAA said you have to standardize the industry because you are screwed up and you can’t talk to each other efficiently at all. So we are going to legislate that you have to be able to do it. In the end it is going to be better for you and it is going to save you money. It is going to hurt in the beginning, but it is going to be the right direction. HIPAA reinforced a direction we were already well into and is now a part of our culture.”

Most of the privacy regulations touch on points of data protection and security practice already practiced to varying degrees across multiple institutions and applications. The privacy regulations cover an immense range of detail.

Similarly, the HIPAA security regulations are lengthy and recommend “best practices” appropriate to the provider or payer rather than dictate specific technical solutions. Under the rule, each covered entity must have a policy for investigating incidents; that process evaluates whether the threat or the impermissible use or disclosure was “reasonably anticipated,” what specific security measures the entity had implemented, and whether the entity’s workforce complied with those measures. More important, these incident provisions illustrate how the HIPAA security regulations work with the HIPAA privacy regulations to tighten overall privacy and security for data assets.

Benefits Institutions Experience from HIPAA Compliance
In general, IT directors at these institutions have welcomed the effort to control and standardize privacy and security. In the words of the CIO at a major provider network, “The regs are actually good. Things would have gotten out of hand without them.” This sentiment reflects the way rapidly evolving information technology is affecting patient care today. Most institutions paint a consistent picture about how the changing nature of today’s healthcare system has sharpened the challenge of maintaining physician/patient privacy. They relate that traditionally patients trusted that this special relationship with one or two doctors guarded against the misuse of confidential clinical data. Today, they may interact with scores of providers. Healthcare institutions and their affiliates provide an extraordinary range of specialty care and services. These extended services involve multiple providers that require up-to-date and complete patient information.

While respondents acknowledged that these changes open up new opportunities to provide exceptional patient care, they quickly highlighted the associated patient record management and control challenges of “multiprovider” care. They agreed that HIPAA standards directly address the flow of sensitive patient information to multiple providers across an open environment.

Compliance doesn’t stop with meeting just HIPAA regulations. HIPAA standards do not stand alone. They join a wider range of privacy protection legislation that includes, for example, stricter state legislation covering mental health and HIV infection records and the privacy regulations inherent in the Gramm-Leach-Bliley Act. While most respondents highlighted the complexity of the full range of compliance regulations, they also pointed hopefully to the expected efficiencies that HIPAA standardization will deliver.

Organizations are now required to meet a patchwork of other regulations, including a number of cross-industry laws and rules such as the Sarbanes-Oxley Act of 2002, Title 21 of the Code of Federal Regulations, Part 11 (21 CFR Part 11, on electronic records and signatures), the USA PATRIOT Act, and Gramm-Leach-Bliley. Complying with HIPAA regulations gives organizations a head start on compliance with a variety of other regulations.

Healthcare leaders view HIPAA compliance in light of both the regulatory impact and the impact on their broader business policies. These leaders recognize that HIPAA extends well beyond patient data handling and storage. The legislation affects how they set up business and legal partnerships, how they interoperate with other institutions, and how they educate and train healthcare professionals and their patients to understand and work with the new rules.

Additionally, most expect HIPAA’s impact to continue to evolve as the technical and business environments continue to change. As healthcare providers grapple with compliance to the current HIPAA directives, they understand that the medical, cultural, and technical environments are not standing still in order to facilitate regulatory compliance. Their internal policies are reviewed regularly to address advances in medical research and new modes of patient care. Policies will also continue to evolve as more hospitals and clinics integrate emerging IT security options, such as biometrics and wireless devices, into their networks.

Challenges: Setting Best Practices
HIPAA legislation does not lay out a specific, standardized course of action or “best practice.” Rather, the language often suggests “reasonable and appropriate” action to protect and secure business assets and protect private data. This openness puts the burden on providers and payers to chart new territory and implement changes across a broad range of electronic, paper, and physical practices that includes:

o   Policy (at organizational and department levels)
o   Applications upgrade and redeployment
o   Physical security
o   Accountability and audit measures
o   IT infrastructure improvements (especially for authentication and access control)
o   Training and deployment

Most institutions dealt with this complex environment by starting with a HIPAA compliance architecture and road map. They tackled each of these areas with careful planning, coordination, and, finally, effective execution. As stated, the tasks and challenges permeate every aspect of healthcare organizations’ operations. The words of the director of information security at a provider network summarized the situation: “[HIPAA] needs to be part of your daily environment.”

A Business and Policy Challenge First
Given these perspectives, most healthcare organizations recognize the complexity of the problem. They understand that no one technology or single process solution provides a quick answer. In fact, most executives dismiss sales pitches that claim to provide a simple fix. The words of two compliance officers at provider organizations captured the view that was common during the planning stage. One noted, “There’s not a product out there that’ll systemize privacy right now. And I don’t think we could afford it if it was there.” Said the other, “There are little pieces of the puzzle that everybody needs, but there’s not one full solution. The hard part is piecing together your puzzle.”

After implementation began, healthcare institutions saw that a rigid, standardized approach that dictates one set of answers isn’t correct either. As the privacy officer of a large healthcare provider commented, “All the policies took so long, and I think they do take long because we came up with nirvana. And then what we find is you can’t write a policy that someone is going to break immediately. We have to continue to lighten up the policy and in addition even determine that perhaps we can’t have a systemwide policy. Perhaps something might have to be site-specific.”

Roadblocks
Significant parts of this full system puzzle require companies to overcome very substantial business hurdles. Issues such as funding support, authority, and control limits (as a company deals with multiple partners in a healthcare solution) or the tactical issues of “changing the way people behave” loom large, as the following list of business challenges highlights. Examples of the high-level business questions healthcare executives have had to address include:

o   Funding
o   Business/research relationship assurance
o   Authority limits
o   People management/implementation
o   Tactical issues

Balancing Challenges with Opportunities
In general, HIPAA regulations strike a balance: tightening controls on the industry while at the same time opening up opportunities for efficiency and cost savings. The healthcare industry must achieve and maintain HIPAA compliance at a time when new business opportunities and cost efficiencies hinge on utilizing modern Internet technologies. However, the interviewees recognize the value that improved privacy and security provide when utilizing online systems and integrated mobile and wireless access to their environments. The extra diligence and added protections the regulations have imposed have resulted in better decisions and better solutions.

One healthcare CIO emphasized the increased attention all new initiatives receive as a result of what has been learned with HIPAA: “Every major initiative has to answer the question, and they should have always had to answer these questions. But I think we did a much better job, maybe it was under the covers, but we bring it out now. Who needs access to you, and how should we define the roles so that it is role-based security? And how will this change workflow? And how are we going to keep patient data secure in the process? And what is your redundancy and disaster recovery process for this, and what is the backup in place? All of those things were always there, but maybe they weren’t publicly talked about because they were somebody else’s job.”

Solutions in Place
Because of the tight deadlines for compliance, the firms interviewed began selecting solutions and making changes several years ago. They began by hiring compliance officers and setting up compliance boards to implement HIPAA standards. Most also placed responsibility for the privacy and security aspects of patient information on their CIOs and health information services officers – a more explicit assignment and responsibility set.

Given the priority of policy, people, and process issues, most of the provider and payer organizations we spoke with address HIPAA privacy compliance in those areas. That is, before organizations assess, select, and invest in IT infrastructure improvements, they are establishing the “people, policy, and process” plans that will ultimately drive those IT improvements.

Critical First Steps

Though progress along this compliance journey varied from organization to organization, we found most provider organizations staged four “first steps” toward HIPAA privacy compliance:

o   Educating themselves about the privacy regulations; analyzing their requirements and their impact on the way the enterprise operates
o   Defining and promulgating clear policies around the particular compliance issues, such as the requirement for patient consent to share medical data
o   Education/marketing/awareness building (i.e., the many and multipronged steps required to turn the attention of employees, contractors, and partners to the policies they must follow and the procedures that link to those policies)
o   Mapping the policy and procedure requirements for privacy compliance into the healthcare enterprise’s multipart infrastructure

Analysis and Policy Clarification
One very advanced provider network’s early experience with these steps illustrates the road map we expect most healthcare institutions to follow. Three years ago the provider network began to establish confidentiality and security committees to simply study the regulations and assess how they would impact the organization. The study efforts linked to work already in motion to improve patient privacy. Early on in the process, however, it recognized the need for and established strong patient data policies that set the rules for how each of the network’s hospitals, clinics, and providers would handle patient data.

On one hand, the policies did not break new ground. They ensured, for example, that each patient reviewed and signed consent forms for in-network cases and that employees used specific authorization forms and procedures when requesting a patient’s consent to access patient record information after release. In addition, they varied authorization request forms, policies, and signature procedures for specific and more sensitive data related to psychotherapy, HIV, or drugs. On the other hand, the clear, consistent, and ubiquitous presence of the policies broke new ground at the institution.

Awareness Building
During both the planning and implementation stages, healthcare professionals place a high value on education and awareness. Ubiquity and consistency require cost and effort. The director of health information systems at this provider network served as chair of the security committee as the company attempted a multipronged employee and physician patient privacy training initiative. Using employee packets, shuttle bus advertising, email alerts, paycheck envelope stuffers, calendars, and a variety of other means, the provider network tried to acquaint all employees with the importance of patient data privacy, the policies in place to protect that privacy, and the particular procedures they must comply with to support these efforts. The campaign continues as the need for education in this area seems unending. At the same time, as employees learned about specific dos and don’ts for desktop use, paper handling, and appropriate faxing procedures, their managers received toolkits highlighting key worry points around higher-level concerns – such as how and when to shred which paper data records. Understating the challenge, this interviewee said, “It’s hard to get their attention.”

Interviewees who had implemented HIPAA compliance felt that the education all staff members – across roles within the enterprise – received was one of the top benefits of the legislation. As the assistant vice president of technology for a major healthcare association pointed out, education proves critical because “the most important impacts have been cultural.”

Mapping Requirements to Infrastructure
Finally, the enterprise began to map HIPAA’s privacy requirements to its infrastructure. Again, early and immediate actions involved setting clear policy and ensuring its compliance. For example, one area that had suffered from uneven policy compliance involved user account management – a simple, common, but critical security component. To avoid the issue of user access accounts “hanging around” after employee transfer or termination, the provider network set up zero-tolerance policies for immediate account termination and explicit account startup procedures. That policy included steps toward building a “role-based” account management structure. The network, in its early implementation, would like to establish simple role-based access rights for business, research, and clinical roles within the hospital. That same recognition of data classification (business, clinical, or research) opens a set of efforts to both classify and control access to that data once roles are in place.

This provider saw a combination of technology and best practices essential to protect sensitive patient data. It took extensive measures to ensure that employees understand the practices and policies for data handling within and beyond their enterprise boundaries. In this CIO’s words, “Policy is the big thing. We will use some technology to fill holes, but the majority of risk management builds on policy.”

Notwithstanding the policy and people priorities, though, the steps outlined above have revealed to this organization the imperative to improve aspects of its underlying IT security infrastructure.

Healthcare IT and the HIPAA Challenge
The healthcare industry is uniquely diverse. As one provider network CIO pointed out, “Healthcare … is far more niche-oriented and far more cottage-oriented [than most other industries]. What other industry has so many different institutions?”

Because institutions had made investments in updating IT infrastructures for Y2K compliance, in some ways HIPAA simply accelerated an IT infrastructure improvement process already in motion. On the other hand, it reinforces the requirement to carry forth stringent data protection to a more accessible “internetworked” and distributed healthcare environment. HIPAA has also raised awareness of the importance of protecting different types of patient data, such as financial patient data. HIPAA treats financial record data with the same level of concern healthcare has traditionally applied to clinical data. In the words of one provider CIO, “HIPAA has told the industry guys, ‘Look. Clinical, financial, same thing.’ So we have turned the security focus up in a number of areas.”

Fleshing Out the IT Infrastructure
At the same time, the IT infrastructure at healthcare providers, payers, and partners must still evolve quickly to support widespread but secure data sharing. Significant advancements in bandwidth and processing speed have motivated more healthcare customers, suppliers, partners, and employees to communicate via low-cost, public networks. This increased reliance on online, open communication has resulted in a dynamic and open business climate that has transformed the technical security challenge. Healthcare systems have evolved into a highly internetworked and distributed environment – with potential gaps in privacy protection and security. HIPAA highlights those gaps and provides the incentive to fill them, but the gap filling will require a combination of improved secure practice and new technology.

Finding Technology That Maps to Practice
Compliance officers have told us that they are searching for technologies to complement the basic procedures they have in place. These technologies must also integrate smoothly with existing applications.

Protecting Critical “Protected Health Information” (PHI)
HIPAA regulations require keeping protected health information (PHI) private and protected. This process demands multiple steps to manage, protect, optimize, and recover PHI.

Healthcare institutions must monitor all access to data, maintain meticulous backup and protection of stored data, and design backup and recovery systems that ensure patient care can continue without disruption. The requirement to control this data weighs heavily on healthcare providers. The CIO of a provider noted, “Anytime I replicate information, it is just one more hassle. I am a big believer in centralizing everything and having great backup and redundancy on that centralization.”

IT Infrastructure: Meeting HIPAA Requirements

Access Control
Healthcare providers must address the issue of controlling access to patient data if they want their policies to work. However, healthcare executives responsible for enforcing HIPAA compliance face logistical complications in monitoring the flow of confidential information on both technological and human levels. The executives we spoke to seemed to agree that access to critical data should be role-based. They mentioned that doctors, nurses, and other healthcare employees will receive varying levels of network clearance. However, they realize that setting these levels is one of the most difficult obstacles they face in achieving compliance under the new rules. Said a hospital network compliance officer: “I think the authorization requirements are going to be really difficult to first of all define when they’re needed and then to monitor when they need to be updated or changed or reauthorized.”

Traditional passwords are not enough because a variety of attack techniques and simple lapses of good judgment, such as writing them down, sharing them, or reusing them across systems, make them simple to exploit. (Forcing periodic password changes, once standard advice, is no longer recommended in current guidance such as NIST SP 800-63B, which favors screening passwords against known-compromised lists and adding a second factor.) Multifactor authentication technologies are an important part of increasing the rigor of user authentication and access control. Executives have a wide range of options, including smart cards, biometrics, single-use passwords, and hardware tokens.

Biometric technologies are an option that some healthcare executives are finding highly attractive, while others are shying away from them because of their perceived cost or usability issues. With a wide range of identification and authentication technologies on the market, healthcare sites are currently evaluating biometrics for environments with special user demands. Meanwhile, vendors have promised that the cost of biometric authentication technology will continue to decline and become more affordable.

Data Classification
One project manager at an applications provider described the emerging data access control problem this way: “The next set of challenges that we’re going to see is the discussion and implementation of the minimum necessary information. [For] example, a hospital sends a claim to an insurance company. The insurance company says, ‘Thank you. I need more information.’ What tends to happen today is that rather than [going] back and forth, you tend to give as much information as you possibly can so they don’t keep coming back and asking for more.”

Audit
Compliance officers are requiring their IT professionals to structure effective mechanisms for auditing and reporting their employees’ online activity. Liability concerns compel executives to review the online activities of their employees and affiliates. The words of an applications development executive reflect those legal concerns: “You give them [the information they need] recognizing there are policies that are going to be put into place that say if you misuse that information, there are penalties involved. If you go into Brad Pitt’s records and view his information erroneously, then we’re going to be tracking that. Just beware.”

An HMO compliance executive echoed the liability concern: “It isn’t just that the company can be out of compliance. An individual can be found out of compliance.” Officers must also register accountability whenever network failures or vulnerabilities occur. The oversight and audit must also broaden. As a provider CIO stated, “All network failures are going to have to be reported immediately. Any usage of an existing backup is going to have to be logged. And I’m going to put some policies into place that are going to say you’ve got to do a better job of reporting these things and being on top of these things, and then I’m going to use this enterprisewide manager to actually help me monitor.”

Solutions That Work for Healthcare Professionals
Providing an environment that attracts and retains the best healthcare professionals is a primary goal of successful institutions. The best professionals work to ensure high-quality care and patient satisfaction. Across all these challenges for protecting sensitive data, executives must sort through the wide variety of security options now available in order to find applications that work effectively while avoiding a sense of “Big Brother.” Healthcare providers must implement these new security protocols in a manner that will neither intimidate nor alienate doctors or other clinical staff. No amount of IT security technology can guarantee patient privacy unless healthcare employees as a whole feel comfortable with the new guidelines and remain loyal to their institutions.

A provider’s CIO talked about the challenges of deploying solutions that work for a variety of employees: “If you can create a system where they don’t have to think about it too much, you can make it where you teach them what they need to know on a basic level but only require them to do the bare minimum stuff. You have functions in place that can take the place of what they might be doing because they have so many other things to think about. The last thing they want to think about is, ‘Did I log in my access to this patient’s medical order?’
“I think the physicians want you to help them. I’m the big name corporate CIO. I’m the one with all the money. I’ve got all the resources. So the physician looks at me and says, ‘Why don’t you just tell me this stuff? Don’t make me read this. Just give me the information and tell me what I ought to do.'”

The ultimate goal of physicians and their support staffs is to offer the best patient care possible. While the workload carried by healthcare professionals often seems endless, funding is definitely limited. Doctors, nurses, aides, and other healthcare professionals often share resources, such as terminals that access patient information. That PHI can include vast amounts of current and historical data as diverse as diagnoses, treatment plans, laboratory tests, drug interactions, radiological scans, and/or physical therapy.

In the normal course of scheduling and treatment, this data must be accessed efficiently and securely. However, in times of emergency, immediate access and rapid system response time can be a matter of life or death. In the complex regulatory environment surrounding the use of PHI, technical solutions must enable fast access only for appropriate healthcare workers and record all such access for later auditing.
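The controls described above (immediate account termination, role-based access tied to data classification, "minimum necessary" access, fast emergency access, and an audit record of every access) can be combined in one small gateway. The following is an added example written for this page, not code from the IDC paper or from any vendor it discusses; the roles, data classes, care-team assignments, account records, and policy table are assumptions constructed for the illustration.

```python
"""Role-based access to PHI with an audit trail and a break-glass override.

Added illustration, not code from the IDC paper or any vendor product.
Roles, data classes, care teams, accounts and the policy table are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

CLINICAL, FINANCIAL, RESEARCH, BUSINESS = "clinical", "financial", "research", "business"

# Hypothetical policy table: which PHI classes each role may read.
ROLE_POLICY = {
    "physician": {CLINICAL},
    "nurse": {CLINICAL},
    "billing": {FINANCIAL},
    "researcher": {RESEARCH},
    "administrator": {BUSINESS},
}
CLINICAL_ROLES = {"physician", "nurse"}


@dataclass
class Account:
    user: str
    role: str
    active: bool = True   # set False the moment HR records a transfer or termination


@dataclass
class AccessRequest:
    account: Account
    patient_id: str
    data_class: str
    reason: str = ""
    emergency: bool = False   # break-glass flag for life-or-death situations


@dataclass
class AuditEntry:
    when: str
    user: str
    role: str
    patient_id: str
    data_class: str
    decision: str   # "allow", "allow-emergency" or "deny:<why>"
    reason: str


class PhiGateway:
    """Decides each request and writes an audit entry whether or not it is allowed."""

    def __init__(self, care_teams: dict[str, set[str]]) -> None:
        self.care_teams = care_teams   # patient_id -> users currently treating that patient
        self.audit: list[AuditEntry] = []

    def _record(self, req: AccessRequest, decision: str) -> str:
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            user=req.account.user, role=req.account.role,
            patient_id=req.patient_id, data_class=req.data_class,
            decision=decision, reason=req.reason))
        return decision

    def decide(self, req: AccessRequest) -> str:
        acct = req.account
        # 1. A disabled account is refused regardless of its former role.
        if not acct.active:
            return self._record(req, "deny:account-disabled")
        # 2. The role must be permitted to read this class of data at all.
        if req.data_class not in ROLE_POLICY.get(acct.role, set()):
            return self._record(req, "deny:role")
        # 3. Minimum necessary: clinical data only for patients on the user's care team.
        on_team = acct.user in self.care_teams.get(req.patient_id, set())
        if req.data_class == CLINICAL and not on_team:
            # Break-glass: a clinician may override with a stated reason; the entry
            # is flagged so a compliance officer reviews it afterwards.
            if req.emergency and req.reason and acct.role in CLINICAL_ROLES:
                return self._record(req, "allow-emergency")
            return self._record(req, "deny:not-on-care-team")
        return self._record(req, "allow")

    def entries_for_review(self) -> list[AuditEntry]:
        """What a compliance officer should look at: every denial and emergency read."""
        return [e for e in self.audit if e.decision != "allow"]


def run_sample() -> list[str]:
    """Constructed scenario: four requests against one patient record."""
    gw = PhiGateway(care_teams={"P-1001": {"dr.lee"}})
    dr_lee = Account("dr.lee", "physician")
    dr_ng = Account("dr.ng", "physician")                 # not on this patient's team
    clerk = Account("clerk1", "billing")
    former = Account("ex.nurse", "nurse", active=False)   # terminated; account disabled
    return [
        gw.decide(AccessRequest(dr_lee, "P-1001", CLINICAL)),
        gw.decide(AccessRequest(dr_ng, "P-1001", CLINICAL, reason="ER cardiac arrest", emergency=True)),
        gw.decide(AccessRequest(clerk, "P-1001", CLINICAL)),
        gw.decide(AccessRequest(former, "P-1001", CLINICAL, emergency=True)),
    ]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

Two design points matter for the paper's concerns. The disabled-account check comes before any role logic, so a terminated user's former clearance never "hangs around." And the break-glass path grants access immediately (no approval round trip in an emergency) but only with a stated reason, and its audit entry is flagged alongside every denial so that compliance review is a query over the log rather than a search through all allowed reads.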

Solutions That Work for the Patient
Finally, healthcare providers need to consider how they can implement new solutions for compliance that map to the needs of their patient community. Does the consent form really work for both the provider and the patients? A provider’s compliance director talked of the challenges: “I tried to map the rules to my existing consent forms, and my consent forms today went from one page to ten pages to capture all of the fine points and to make sure that my [patients] can feel comfortable with this consent form as it maps the privacy rules.”

The challenge is also great for those developing healthcare applications. As this compliance director put it, “Is it realistic that my mother who’s 85 years old is going to go in the hospital and, before she gets admitted, read this document, fully understanding what it means? Can you summarize that? Can we boil some things down so that you don’t have ten pages of legal jargon to really confuse people?”

Healthcare providers cannot afford to alienate patients or set up security measures that impact the ability of physicians and other medical staff to help those patients. If they do, they will invalidate the precepts of HIPAA.