Everyone talks a good game, but more than a decade after the Health Insurance Portability and Accountability Act (HIPAA) of 1996 burst onto the collective national conscience, many healthcare entities still aren’t truly compliant.
Two key elements of the massive federal mandate focus on patient privacy and security. For all covered entities except small health plans, the privacy rule went into effect April 2003, and the deadline to meet security standards was April 2005. Small health plans had an extra year to become compliant on both privacy and security.
However, for several years now, everyone involved should have been up to speed in these crucial areas. So how are we doing?
“Compliance is all over the place,” said Betty Steele, a certified information systems security professional and attorney with Baker Donelson. “Many of the largest — particularly for-profit healthcare providers — are pretty compliant. I think it’s much more difficult for rural hospitals and not-for-profits to be compliant because they have so many other needs for their resources.”
She noted that after an initial rush to get privacy notices to patients, many doctors’ offices have fallen back to “business as usual.”
“I’ve been asked to sign acknowledgement of receipt of notice of privacy practices when it’s not even in the package,” she said, adding with a laugh that most patients wouldn’t even notice it was missing but that because of her field she actually collects the documents.
Steele said she believes that some of the industry’s indifference is probably tied to the public’s laissez faire attitude about other people’s medical information. Unless it’s a public figure or a close relative, most people aren’t interested in the details of another’s medical history.
On the opposite end of the spectrum is the overzealous staff member who guards a patient’s privacy with such ferocity that it becomes difficult for those who should be allowed access to information to actually get it.
“The interpretation does really run the gamut, and I think that’s where HIPAA gets a bad rap,” she said.
Steele, who is also the principal provider of content to the HIPAA Web site www.privacycentral.net, said part of the issue is that HIPAA was written by consensus rather than by a small group, so the law has become unwieldy.
“In the U.S., we’ve got kind of a hodgepodge of different laws and regulations — both federal and state — that protects different types of information,” she said. While HIPAA was the federal answer for medical information, similar mandates exist for financial information, data pertaining to minors, online privacy and more.
In the European Union, however, the countries have adopted the EU Data Protection Directive, which broadly protects sensitive individual information. California, a state that often sets legal precedents, has expanded the definition of personal information to include medical information and health insurance information as part of its security breach notification law. The law requires a business to notify California residents if there has been a breach of the security of its system resulting in the acquisition (or reasonable belief of such acquisition) of personal information by an unauthorized person. In some form, most states have such laws and regulations, although most apply only to financial information.
“Enforcement is going to be a driver of compliance,” Steele said. “If there’s going to be teeth on the medical side, I think it may well come at the state level rather than the federal (level).”
She noted, “By and large, HIPAA has only been modestly enforced on the privacy side and minimally on the security side.”
Currently, the onus of enforcement lies with the Office for Civil Rights for privacy and with the Centers for Medicare & Medicaid Services for security. Both federal offices are under the umbrella of the U.S. Department of Health and Human Services. However, as Steele pointed out, federal agencies are limited in the number of people and the budgets available to oversee compliance.
Many breaches, she said, whether financial or medical in nature, come from employees not following set policies and procedures or from someone “doing something stupid.”
“Training greatly mitigates violations,” she said, “but training has to be supported.”
Healthcare companies should employ a layered defense strategy, Steele counseled, using complementary administrative, technical and physical controls.
How to protect patient information contained on a laptop server is one example of how all three types of control should come into play. Administratively, the decision needs to be made by management as to which staff members will have access to what information, and a written policy should support this decision. Technically, passwords, firewalls and encryption are types of controls meant to help ensure that only those who have been granted access actually get it. Physically, there should be a policy that the server room must be locked at all times and access to that room limited to those with keys.
Steele said it is very beneficial for most healthcare professionals to have someone from outside review their HIPAA compliance plans, perform a gap analysis and offer advice on ways to improve policies and procedures.
“They really, really need someone … whether it is an attorney or another HIPAA professional … to come in and see how they are setting up their systems,” she said.
After all, it is the law.
March 2008