Kroll Cyber Security Blog – A Dialogue on Data Security

Flu season may be over, but for the health care industry, a more troublesome and persistent threat is just warming up. Regulatory fever, a common side effect of an ailing economy, is now nearly in full swing. Beginning with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, ensuring privacy and security of patient information in the health care industry has been a primary concern for legislators over the past decade and a half. The HIPAA Privacy Rule extends federal protection to personal health information held by covered entities, and is fulfilled by the Security Rule, which prescribes the use of security safeguards to ensure confidentiality is maintained.[1] While HIPAA was a significant step forward in the security of personal health information management, two new regulations are raising the bar even higher in an effort to integrate and benefit from advancements in information technology.

The Office of the National Coordinator for Health Information Technology (ONC) is seeking public comment regarding personal health records, now through December 10. Comments can be submitted through the website, on the following topics:

• Privacy and security and emerging technologies
• Consumer expectations about collection and use of health information
• Privacy and security requirements for non-covered entities
• Any other comments on personal health records (PHRs) and non-covered entities

The ONC is also hosting a day-long public roundtable discussion, Personal Health Records – Understanding the Evolving Landscape. According to the website, the purpose is to “inform ONC’s congressionally mandated report on privacy and security requirements for non-covered entities (non-CEs), with a focus on personal health records (PHRs) and related service providers.”

In the late 1960’s, Dr. Lawrence L. Weed developed the Problem Oriented Medical Record (POMR).  His vision was to have electronic medical records with standardized progress charts for all patients.

Fast forward 30 years, and you would be hard pressed to find a medical group or health care system that used Electronic Health Records (EHRs) to exchange patient data with one another. Most medical records were still in the form of physical documents, stored in a file folder and shared between a few key members in the medical facility.

In June, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule to establish a temporary certification program for Electronic Health Record (EHR) Technology. This marks an important step towards allowing healthcare facilities to meet and achieve meaningful use, a requirement to qualify for incentive payments under Medicare and Medicaid. Yet, even with this new development, lingering security questions still plague the process, making the transition to an interoperable EHR system seem even further away and harder to achieve.

If your healthcare facility were to have a data breach tomorrow, how would you go about notifying affected individuals? More importantly, how would you do it in a way that satisfies the HITECH requirements?

The answer isn’t easy. Even without HITECH, notification and subsequent response can take an alarming toll on the finances and resources of an organization.