The following White Paper is affiliated with the Healthcare IT Yellow Pages.

A Prescription for Success: Compliance with the Health Insurance Portability and Accountability Act (HIPAA)

By RedSiren Technologies, Inc.

Protecting Americans' Health Care Information

In late 2000, Carlos Wales*, a 42-year-old man in good health, became quite concerned when he received an offer in the mail to be part of a clinical trial for men living with cancer. The sender was a local, legitimate and respected medical research facility. The letter assured Wales that his insurance group would not discontinue his coverage as a result of the trial. The insurance information and his address were correct. Trouble was, he had never asked to be contacted by this facility for clinical trials. Nor did he have cancer.

After several unsuccessful hours on the phone with about a dozen doctors' and dentists' offices he had visited in the last 10 years, Wales remembered a routine procedure he had undergone in college to remove a benign growth. He spoke to the specialist's daughter, who had taken over the practice. After a delay of several weeks, Wales was told that someone had made an incorrect notation in his file indicating that the growth was malignant. The doctor was apologetic and had no idea how the incorrect notation was made or how the research facility got Wales' information.

On further discussion, the doctor admitted that her office and the research facility routinely shared information, but that every effort was made to contact patients and seek their permission. She did not know how Wales' information was released without his permission, and suggested that he call the research facility and have his record deleted. He began the phone calls anew, determined to clear his name.

*not a real person

This illustrative scenario points to a common difficulty with health care information management in America today. Most people have little idea how their health information is used, shared, and maintained. Patients assume that health care providers will keep their information in confidence. Unfortunately, this assumption is not accurate in all cases. Though health care and insurance providers mean well, the current lack of standards for protecting patient information results in a high level of risk—and surprising lapses of control. The following true stories illustrate the dangers that HIPAA is meant to solve:

  • At a hospital in Florida, a nurse who worked in the blood lab brought her teenage daughter to work. Bored, the daughter sat down at a computer terminal and called up the names and phone numbers of patients who had recently had their blood drawn. Later, as a practical joke, she called a number of them. Posing as a nurse at the hospital, she told the patients that they had tested positive for the HIV virus. One attempted suicide.
  • A newspaper editor found a list of patient names and diagnoses that had been thrown away in a trash barrel at a gas station near a hospital. It was revealed that a resident at the hospital had brought some records home in his car, and had disposed of them there. 

Consider these statistics: 77 percent of those polled in a November 2000 Gallup survey said that privacy of their personal information is very important. Sixty-one percent said they were very concerned that their personal health information might be made available to others without their consent.

Executive Summary

The health care industry is about to undergo a dramatic shift in the way it must handle patient records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) strongly regulates how patient information may be used, and when and how patient information may be shared with partners. The impacts are far-reaching and the goals are varied. 

On one hand, the HIPAA Transaction rule ("Standards for Information Transactions and Data Elements") improves efficiency and efficacy of information sharing. It cuts down the number of formats used to transmit electronic information from over 400 to just a handful of universal standards. On the other hand, the Privacy rule ("Standards for Privacy of Individually Identifiable Health Information") subjects health care providers' policies on patient information to much more stringent scrutiny. The proposed Security rule ("Security and Electronic Signature Standards") applies standards of due care to the information security infrastructure of every organization covered by the legislation ("covered entities").

Where does your organization stand on HIPAA compliance? Do you know what you need to do, and when? Do you know how much you need to budget, both to achieve compliance and to maintain it?

This white paper walks you through the practical implications of HIPAA and helps you get your organization moving in the right direction for achieving compliance. It focuses on two important aspects of the legislation affecting security: the Privacy rule and the Security rule.

HIPAA AT A GLANCE

Full name of legislation: The Health Insurance Portability and Accountability Act of 1996

Affects: Health care industry

Governing Authority: The U.S. Department of Health and Human Services

Finalized Rules: Transactions and code sets (Transaction rule), Privacy rule

Rules in Revision: Security rule, National Provider Identifier, National Employer Identifier

Rules in Development: National Health Plan Identifier, Claims Attachment, Enforcement, National Individual Identifier (on hold)

Estimated National Cost of Compliance with the Privacy Rule: $17.6 billion over 10 years

Who is Affected by HIPAA…and Why?

HIPAA affects nearly every organization whose business collects, stores, or transacts patient information. This includes:

  • Health Plans—any individual or group plan that provides or pays for medical care, including benefits administrators
  • Health Care Providers—any person or organization that provides, bills, or is paid for health care, including pharmacies
  • Health Care Clearinghouses—entities that process health information received from other institutions

To determine whether your organization is affected, ask yourself: does my organization maintain, receive, use, or transfer health information that is covered by the legislation? This information is referred to by HIPAA as "protected health information" or "individually identifiable health information," and is described in the following section.

Information Protected Under the HIPAA Privacy Rule

The Privacy rule protects "individually identifiable health information" that is maintained or transmitted in any medium, including electronic, paper, and verbal.

Individually identifiable means the information can be used to identify an individual. This may include names; geographic or demographic information; biometric identifiers; photographs, X-rays, or other images; and any other information that could be used to attach the information to a particular person.

Health Information is defined as any information relating to an individual's health, health care, or health care payment information. Such information may not be used or disclosed unless the patient (or the patient's legal representative) authorizes the disclosure. A general consent is required for use or disclosure of information for:

  • Treatment—any use of information to provide health care to the patient.
  • Payment—any use of information to bill the patient or the patient's health plan.
  • Operations—use of information within the organization to train doctors, track performance, and the like.

For any other purpose, more specific authorizations are required for use or disclosure of information. Individuals who refuse to give general consent may be denied treatment (except in the case of a life-threatening emergency), but in most cases, individuals who refuse authorization for the broader use of their information may not be denied treatment.

Exceptions

Some patient information is not protected under the HIPAA Privacy rule for various uses. These exceptions include:

HIPAA allows for an "organized health care arrangement," where multiple providers or organizations provide care within a clinically integrated setting. Such arrangements may use and disclose information with one another as they do within the individual organizations.

"De-identified information" may be used or disclosed freely if all of the following are removed:

  • Names
  • Addresses, dates, telephone, fax, URLs, and any other numeric identifiers
  • Identifiable images
  • Biometric identifiers
  • All other unique identifiers

Information may be used if a qualified statistician determines that the risk of re-identification is very small.

Information may be used in circumstances where there is an overriding public interest, such as law enforcement or public health purposes.

Limited patient information may be used in connection with fundraising activities.

PATIENT RIGHTS

The Privacy rule allows for certain patient rights, including rights to:

Adequate notice of privacy practices—This notice describes the covered entity's privacy practices and informs patients of how to file complaints and receive additional information. Patients must be informed of the notice's availability every three years.

Access to health information—Any information that is used to make decisions about a patient, with the exception of psychotherapy notes, must be made available to the patient. In some specified cases, such as when the information is being used in a court proceeding, patients may be denied access.

Request amendment of health information—A covered entity must amend information unless that information is accurate and complete, or was not created by the covered entity.

An accounting of disclosures—Covered entities must provide an accounting of all disclosures for purposes other than treatment, payment, and health care operations for the prior six years. Like the right to access health information, this right may be limited in certain circumstances.

Request restriction of uses and disclosures—Covered entities are not required to agree to requests, but if they do agree, they must abide by them.

Request restrictions on how health information is communicated—Providers must accommodate any reasonable request to communicate health information by alternate means or at alternate locations.

The Need for Compliance

HIPAA legislation calls for strict penalties for non-compliance. Each violation can result in a fine of $100, to a maximum of $25,000 per person, per year, per requirement violated.

Criminal penalties also are established for intentional violations of patient privacy.

Penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and five years in prison for obtaining protected health information under false pretenses; and up to $250,000 and 10 years in prison for obtaining or disclosing protected health information with the intent to use it for commercial advantage, personal gain, or malicious harm.

Beyond the penalties imposed by the government, the HIPAA Privacy rules are becoming the expected standard for all organizations in the health care industry. Any organization failing to comply could find itself losing customers or patients and receiving bad publicity. Conversely, any organization that takes initiative to comply with HIPAA and meets or exceeds all standards in advance of the deadline will have a strong area of competitive advantage. Organizations that fully comply will be able to ensure the privacy of their partners and patients, which may open the door to more business.

The following sections describe the organizational needs for achieving compliance, first in overview and then in more detail.

Achieving Compliance—The Big Picture

The Privacy Rule

After a long period of revisions and review of solicited comments, the final Privacy rule is in effect. Most organizations have until April 14, 2003 to achieve compliance.

On an administrative level, covered entities must designate a privacy officer and provide privacy training for employees. Organizations must have safeguards in place to prevent misuse of protected health information, and sanctions for employee violations.

Business associate contracts are an important part of the Privacy rule. Covered entities are allowed to share individually identifiable health information with business associates (partners), provided a contract is in place that puts the associate under the same use and disclosure restrictions. In some cases where the information is being used for treatment, a contract is not required, but it is prudent to evaluate or create contracts for all regular business relationships. The business associate is responsible for upholding the privacy of that information; active monitoring by the covered entity is not required. However, if the covered entity becomes aware that an associate is not following the requirements of the Privacy rule, it must act or it can be held responsible for any of the business associate's violations.

HIPAA, then, requires that organizations meet a high standard of due care whenever they make contact with patient information. Many of the requirements fly in the face of existing practice. New processes and procedures will be necessary to ensure that patient information is not accidentally disclosed without authorization.

The Security Rule

Although the final Security rule has not been issued, it is important to begin planning for its requirements now. It is reasonable to assume that the final Security rule's general security requirements will be similar to those described in the proposed rule. The proposed rule requires that all health plans, clearinghouses, and health care providers that transmit or maintain electronic health information must:

  • Conduct a risk assessment and develop a security plan to protect covered health information
  • Train employees on appropriate security procedures
  • Update the security plan regularly
  • Document all security measures taken to meet defined standards for physical safeguards, administrative procedures, technical data security services, and technical security mechanisms

Although the DHHS is still reviewing comments on the proposed rule, the Security rule will likely include the following components:

  • Authentication, access controls, and access monitoring—to ensure that only appropriate individuals will have access to protected information
  • Physical security and disaster recovery—to ensure that your organization is protected from on-site threats and events that may interrupt your operations (such as natural disasters or terrorist attack)
  • Protection of remote access points and external electronic communication—to ensure that your patient information is safe from electronic attack
  • Software, system, and data integrity
  • Policies and procedures—for both information and physical security and privacy protection

Tactical Steps for Achieving Compliance

There are three steps every organization should take now with regard to HIPAA:

  • Get organized.
  • Get educated.
  • Get going.

Get organized: The first step in achieving compliance should be to establish an infrastructure for developing policy and security strategy. HIPAA mandates a privacy officer. Depending on your organization, it may make sense to give this designation to someone who is currently active in your health information management or security function. In the case of a larger organization or one with complex privacy requirements, a full-time privacy officer in charge of HIPAA implementation and transition may be necessary. The privacy officer should have ample authority in your organization to minimize cultural transition issues.

Get educated: The privacy officer should begin by getting educated and staying apprised about the current state of the regulation. The Department of Health and Human Services (DHHS) Web site on Administrative Simplification (http://aspe.hhs.gov/admnsimp/) is an excellent source. The privacy officer and others involved in the compliance process should sign up for e-mail notification to be informed of any HIPAA developments and new rules.

Get going: A risk assessment helps to identify where information may be unintentionally disclosed or compromised. Some organizations have the capacity to do a full information security risk assessment in-house. Others find value in outsourcing this function. Make sure your choice fits your capabilities and budget, but be sure that whoever is conducting the risk assessment is informed and up-to-date about the ins and outs of HIPAA.

In the context of the risk assessment, take an inventory of all patient information within your organization. Determine what data is individually identifiable health information. For all covered data, examine the risks of disclosure. These may be traditional information security risks (e.g., data sniffing), or they may be risks that are specific to HIPAA disclosure requirements (e.g., a nurse's station bulletin board in view of visitors may reveal the reason a patient was admitted).

In addition, begin reviewing contracts with business associates. Many such contracts will have to be amended or replaced.

Employee training is critical. Online courses on privacy for HIPAA, onsite instruction, or other educational methods may be appropriate for your workforce.

HIPAA AND STATE LAW

In some cases, HIPAA is in direct conflict with state law. For example, HIPAA requires providers to provide patients—free of charge, upon request, once each calendar year—an accounting of all disclosures of the past six years. Some states allow a handling or copying fee to be charged, and others require disclosures to be accounted for over a period longer than six years. Which rule applies?

HIPAA provides a good rule of thumb for settling differences between state and federal law: the rule that affords greater protection to patient information, or greater rights to patients, is the governing rule. HIPAA sets a minimum standard for information protection and patient rights, which states are free to exceed but not compromise. In the example above, providers would no longer be able to charge fees for disclosure accounting, and would have to provide accounting for six years or the period defined by state law, whichever is longer.

Therefore, while working to achieve HIPAA compliance, it is critically important to investigate the relevant laws that govern in your state. Many states are revising or drafting laws in reaction to HIPAA, so be sure to stay up-to-date.

HIPAA is Good Medicine For The Long Run

Tough regulations can elicit complaints from the industries they are designed to regulate, and HIPAA is no exception. Why? Compliance is not simple, and for some covered entities, may be quite expensive. The industry will eventually comply, however—largely because noncompliance is not an option. 

Industry players concerned with the pure cost of compliance should be aware of its potential value as well. Privacy is becoming more and more important to the patient population, especially as the exchange of confidential patient information becomes increasingly streamlined and electronically transacted, and as the value of the information exchanged grows. Attention to privacy and security will address that common concern and help health care organizations more effectively serve their patients.

Moreover, improved processes regarding privacy empower health care organizations to share information with more confidence, knowing that patients and customers are protected. The result is more accurate information in the right hands, which in turn, improves health care for patients and streamlines the provision of that care. In addition, the HIPAA rule on transactions and code sets—which is contingent on the guarantees that the Privacy rule provides—is estimated to save the health care industry $29.9 billion over the next 10 years.

HIPAA, with its popular "patient's bill of rights" and privacy guarantees, is here to stay. In fact, it's probable that as time goes on, we'll see additional, similar regulations emerge. The race is on among health care plans, providers, and clearinghouses to define how their organizations will stay competitive and thrive in the new regulatory environment.

How RedSiren Can Help You Comply with HIPAA

Forewarned is forearmed when it comes to HIPAA compliance. RedSiren offers a comprehensive suite of consulting services developed specifically to help health care organizations prepare for HIPAA compliance. For example:

  • We have experience with every area of security required by HIPAA, including strategy development, business continuity planning, information security benchmarking, policies and procedures, and penetration testing.
  • We stay current with HIPAA, and can help you determine what the most important aspects of the legislation are for your organization. By executing your compliance in a series of well-planned stages, we can help you minimize disruptions to your organizational process and culture.

As a leading provider of security consulting, outsourced computer network security, and monitoring services, RedSiren can help your organization define and execute an affordable HIPAA compliance plan. Our approach begins by helping to identify where your organization may be vulnerable. We then provide practical recommendations for remediation. Our assessment methodology draws on our experience with hundreds of engagements across many industries, and is customized to the requirements of HIPAA.

Workforce training is an important part of HIPAA compliance and a necessary ingredient for successful implementation of any policy change. Our leading online education offering, Information Security University (InfoSecU), can help you fulfill HIPAA's education requirement while providing your employees with a proven, cost-effective learning tool.

RedSiren, formed in 1994, has a worldwide base of clients, ranging from Global 100 firms to mid-tier enterprises. We maintain strategic relationships with a wide range of hardware, software, and service vendors, as well as Carnegie Mellon University, the CERT Coordination Center (CERT®/CC), the International Information Integrity Institute® (I-4®), the FBI's InfraGard initiative, and SRI International. Our expanded services are offered through a global presence in the United States, Europe, and the Pacific Rim.

For more information about RedSiren's HIPAA compliance services, please visit the health care area of our Web site, www.redsiren.com/healthcare.html, or send an e-mail to info@redsiren.com. You can also reach us toll-free at 1-877-360-7602.

© 2000 - 2007 On-Line Consultant Software. All rights reserved.