Late last month, the U.S. Department of Health and Human Services (HHS) announced the first major update to HIPAA, the 1996 law that governs how organizations operating in the health care field must protect the privacy and security of patient information.
The update, known as the HIPAA omnibus final rule, includes provisions that give Americans greater control over their personal health data, strengthen the requirements on providers to report data breaches, and expand the enforcement options available to HHS in the event of a breach.
In announcing the rule, Secretary of Health and Human Services Kathleen Sebelius pointed to the massive changes in health care technology since HIPAA became law in 1996. In a statement, she said,
"Much has changed in healthcare since HIPAA was enacted over 15 years ago.
The new rule will help protect patient privacy and safeguard patients' health
information in an ever expanding digital age."
HIPAA was passed long before mobile
technology like today's smartphones and tablets came on the market and in an
era where issues like BYOD programs or modern cloud computing were virtually
unimaginable in medicine (or any other industry). In updating HIPAA rules to
directly or indirectly address these issues, HHS may actually make it harder
for health care entities -- hospitals, medical groups, private practices,
insurers, individual providers, health insurance exchanges -- to take full
advantage of these technologies.
What's changed?
When it comes to technology, the most significant change is an expansion of liability for data breaches.
To date, providers have only been required to notify HHS of data breaches that pose "a significant risk of financial, reputational, or other harm to an individual." In other words, if you discovered a breach but concluded that it presented no such risk of harm, you were not required to report it.
The new requirements are much more stringent: any incident involving unauthorized access, use, or disclosure of protected health information (PHI) is presumed to be a breach, and presumed potentially harmful to the individuals whose data is involved. As a result, every such incident must be treated as a reportable breach, with the penalty exposure that implies, unless a documented risk assessment shows that the probability that the PHI was actually compromised is low. The burden of proof has shifted to the provider or organization: it must perform and retain that assessment rather than simply conclude that no harm was likely.
One of the biggest areas of concern is mobile devices and removable media such as USB flash drives or memory cards. If these devices hold patient data, or credentials that unlock patient data, a lost or stolen device may qualify as a breach and must be handled as one, even when harm is unlikely because the organization has device access policies in place or issued a remote wipe after the loss; a wipe issued after the fact does not prove the data was never read. The one clear exception is encryption: the notification rule applies to unsecured PHI, and data encrypted in a manner consistent with HHS guidance is not considered unsecured, so the loss of a properly encrypted device generally does not trigger notification. Everything else has to be assessed and documented. As a result, the new rule may make health care IT leaders, practice or hospital administrators, and risk management officials more hesitant to move forward with BYOD programs or to broaden the range of devices provided to doctors, nurses, and other staff members.
How health care providers can cope
It's worth noting that the privacy and security requirements concerning mobile technology themselves haven't really changed. That means many of the approaches already used in the health care field to secure data on mobile devices will still meet HIPAA requirements. Those approaches include mobile device management, storing data on the device only inside an encrypted container, ensuring secure remote access to data, and using systems that let patient data be viewed on a mobile device without ever storing it there. All of these require IT oversight of a smartphone's or tablet's configuration, regardless of whether the device is employee-owned. They may also require disabling some device features to maintain that security.
Some organizations may also limit the selection of devices, platforms, or mobile OS versions that health care professionals can use. There are two key reasons for this. One is that older mobile OS versions don't always include the security and management features that may be required, such as device-level encryption, MDM enrollment, and remote wipe. iOS devices running anything prior to iOS 4, and Android devices running anything prior to Honeycomb on tablets or Ice Cream Sandwich on smartphones, are key examples. The second reason is that SD cards, common on many Android devices, are removable media and therefore present their own data loss and leakage concerns.
Eliminating BYOD from the equation makes it
easier to ensure mobile devices used to access patient information are properly
secured. That could mean locked-down devices provided specifically for work
use, which is essentially the old BlackBerry model.
It could also mean using the COPE (corporate owned, personally enabled) model, which lets users treat a device as their own while ensuring security requirements are met. And it can mean supporting a scaled-down version of BYOD in which employee devices are permitted but their access to the office or hospital network is limited to systems that don't provide patient information. That approach still lets doctors and nurses reach medical references and tools, which some studies suggest is a far more common use than accessing patient records, along with their own personal data and apps.
Outside providers also impacted
The expansion of liability could also affect
outside organizations.
Before the update, companies that provide services to health care organizations, such as consulting firms, software vendors, and cloud service providers, were bound to HIPAA only through a business associate agreement with a covered entity such as a hospital, doctor's office, or insurance company, and their liability for breaches ran through that contract.
The new rule broadens the definition of business associate to include subcontractors and makes these firms directly liable for compliance and for breaches, alongside their customers.
Cloud service providers are probably the most significant example, because many individual health care providers and small practices rely on cloud-based EMR systems like Dr. Chrono, which are designed primarily for mobile devices such as the iPad. The rule can also reach firms that set up and manage in-office systems, including mobile management solutions and overall practice management and administrative services.
As a result, companies or consultants whose
primary business is not health related -- independent software developers or
storage providers who work with clients from across a range of different fields
-- may find that the prospect of taking on HIPAA liability is more than they're
willing to consider. This could lead to a type of market isolation in which
health care providers have fewer choices.
Other changes in the updated rule, particularly granting patients or their designees access to their health information and allowing patients who pay for a service out of pocket in full to restrict disclosure of that treatment to their health plan, also have some impact on health IT and health care administrators. Transferring patient data electronically may create challenges in ensuring the data is formatted so it can pass from one system to another. Withholding specific encounters from an insurer may pose issues for EMR, practice management, and medical billing systems that assume every encounter is billed to the plan on file.
Both of these issues, however, will almost
certainly be handled by the developers of the software and systems involved.
Ryan Faas