There’s been no shortage of announcements on data security out of the Obama administration since he took office. It’s good to see data security’s a priority, but there’s a slew of new initiatives we could probably write a book on at this point.
One particularly interesting initiative that was part of the Reinvestment Act is the HITECH Act, otherwise known as the Health Information Technology for Economic and Clinical Health Act. Essentially, incentives have been put in place for healthcare providers and hospitals to digitize their health records, and HIPAA compliance has never been more important than it is now.
Under HITECH, the economic stimulus program provides nearly $20 billion in funding for HIT, including:
- Up to $44,000 per physician for organizations that implement certified EHR systems
- Potentially more than $10 million for hospitals that implement certified EHR systems
Incentive payments are highest for physicians or hospitals that implement (and demonstrate meaningful use of) systems by 2010 and decline each year until 2014, after which time penalties begin to accrue for non-implementation.
AppSec presented a webinar with KPMG on this topic last month to resounding reviews. We haven’t seen many vendors focus on this topic, but it’s possibly one of the most critical data protection and privacy issues organizations have had to contend with in some time, at least where electronic health records are concerned.
What no one is discussing is the migration to EHI on such a potentially massive scale. Are some IT organizations going to skip steps along the way? Will the incentives blind them so that they don’t take the necessary steps to protect that data and comply with HIPAA? And will it make patients more vulnerable if their data isn’t secured?
To demonstrate the increasing importance of HIPAA compliance to protect health information, our own research study showed that a third of respondents failed a security audit of some type, but that almost 40% specifically failed a HIPAA audit.
This points to just how critical HIPAA compliance has become for organizations, and it also speaks to how stringent the standards within HIPAA are. The fact that over 40% of respondents have failed a compliance audit in the past 2-3 years demonstrates that organizations aren’t prioritizing their security and compliance needs, and most aren’t implementing the required levels of protection.
With only a quarter of providers and hospitals currently classifying records electronically, what if only a fraction of providers nationwide skipped steps on their way to going digital?
It’s worth mentioning that organizations found in violation of HIPAA-mandated security measures will incur penalties and collateral damages 10-20 times higher than the cost of HIPAA security compliance. This is important as those entities migrating to electronic records will also be held accountable to HIPAA mandates under the HITECH Act.
Application Security, Inc. also took a poll of customers and prospects on their feelings on the HITECH Act:
Could the HITECH Act be the catalyst, given the incentives, to make data security a much bigger priority on a global scale?
- 65% - Yes – protecting data will become a global priority as a result
- 10% - No – it won’t make a difference
- 26% - the catalyst will be a large-scale data breach
Will steeper fines set forth by the HITECH Act in accordance with HIPAA get more organizations to comply?
- Yes – 87%
- No – 13%
Would you say the HITECH Act will:
- Benefit rather than be a hindrance to IT organizations at hospitals - 46% yes
- Become an obstacle and cost hospitals/physicians more in terms of infrastructure build-out - 49% yes
- Actually make sensitive health information more secure when providers are in full compliance - 49% yes
Application Security, Inc. and KPMG have posted some additional resources that will help guide your organization through some of the finer points on the HITECH Act, as well as what you should be looking at relative to the database layer.
Is moving toward EHI a good thing? Absolutely. But there’s going to be a lot of data to secure and to keep compliant with much stricter HIPAA requirements. We plan to stay on top of this issue and will post more resources soon. Data HAS to be more secure electronically than it is on a piece of paper in a manila folder!!