4 Things Healthcare IT Security Managers Need to Know (Beyond HIPAA)April 20, 2015
HITECH: The online side of HIPPA
We all know HIPAA is the BIG BOY of U.S. federal patient privacy regulations. In our last article on HIPAA compliance, we addressed security, data privacy and accessible healthcare, and getting up-to-speed with HIPAA compliance for IT professionals. But, there’s more for us Healthcare IT guys to deal with.
The HITECH Act follows HIPAA. In one sense, it’s the electronic side of it.
Let’s look at 4 more info security regulations, including HITECH.
Prevent rather than cure. In the words of Charles Munger—the other half of Berkshire Hathaway—“Invert, always invert.” When it comes to illness, you always want to prevent. If you’ve gotten to the “cure” phase, you’ve escalated the problem.
That’s true in Healthcare IT Security, too. By knowing in advance the risks we tech guys face, you’ll be able to remediate as you go.
And, risk in Healthcare IT Security isn’t limited to medical data. Patients pay bills. IT ‘s responsibilities include protecting bill payer information. The accounting side of your organization transacts with hundreds of credit card companies, banks, and insurance providers everyday.
Here are some things that will help you make better-informed decisions about the security of your network.
4 IT Security Regulations that impact Healthcare Providers
- S.-EU Safe Harbor
- PCI DSS
Designed to manage Electronic Health Records
- The Health Information Technology for Clinical Health Act (HITECH) of 2009 promotes the adoption and “Meaningful Use” of health information technology.
President Obama enacted HITECH in 2009, to stimulate the adoption of electronic health records (EHR). The Office of the National Coordinator for Health Information Technology (ONC), part of Health and Human Services (HHS), manages it.
Meaningful Use is basically the rollout. Physicians and hospitals who complied with 2 of the 3 Stages of Meaningful Use in effect have dodged penalties. It is thought that Stage 3 will be less rigid. Rule makers have taken out their editing pens, and are adjusting Stage 3 with lessons learned from Stage 2.
The stages of Meaningful use:
Stage 1: Began in 2010. It involved getting providers to both convert records to EHRs and standardize data gathering processes.
By now, Doctors and Hospitals seeking incentive payments will have “attested” to the adoption of EHR on the Centers for Medicare and Medicaid Services (CMS) website. In so doing, they have also become subject to surprise audits.
Stage 2: Late 2012. Raised levels of compliance in clinical support, care-coordination and patient information exchange.
Stage 3: Late 2014-2016. Began inclusion of Medicare/Medicaid patients and includes team-based and outcomes-oriented care models.
Meaningful Use is important to you as an IT manager because if your organization can demonstrate implementation, it becomes eligible for incentive payments. The budget for incentives is $30B. Need I say more?
Failure to comply with Meaningful Use stages results in penalties.
As you may know, to be eligible for these incentives, organizations must use government certified EHR technology to prove they are compliant.
There’s so much red tape in all of this. But your organization can and may have already hired an outside consulting firm to help you dial it all in. Here’s a tip sheet.
Serving International Patients
- U.S.-EU Safe Harbor is the European Commission’s Directive on Data Protection.
“The European Commission’s Directive on Data Protection went into effect in October 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection.”
This regulation will apply to healthcare providers, possibly in big cities, that serve international patients. These patients and their banks will transact across the Atlantic.
Approval to transact directly from the healthcare provider to overseas bodies would come from executive levels of your organization. Compliance certification framework is published by the US Department of Commerce. Given the number of cyber crimes originating in the Ukraine and Russia, it might be useful for IT Managers to be aware of security regulations and which countries meet adequacy standards.
Documentation of Non-sharing Practices
- The Gramm-Leach-Bliley Act (GLBA) of 1999 limits the amount of private information that financial institutions are allowed to share to other companies.
This is different from HIPAA compliance for IT, as it pertains to non-medical information. This is the kind of information that a credit card company has.
Growing concern about information sharing came to a head in 1997, after Charter Pacific Bank of Agoura Hills, California sold millions of credit card numbers to an adult website company, which then proceeded to bill customers for access to Internet porn sites they did not request.
In another instance, Representative Joe Barton started receiving the Victoria’s Secret Catalog at his Washington D.C. area home without having requested it. Neither Barton nor his wife shopped there. He alleged that his credit union, the only institution that had his D.C. address, had sold his information to Victoria’s Secret.
As a result banks, insurance companies, and other financial institutions must inform people with accounts of their information sharing practices. And, all sharing practices have to be communicated in writing or in electronic form.
GLBA raises the stakes of securing your organization’s accounts payable and accounts receivable transaction records.
- PCI DSS, the Payment Card Industry Data Security Standards Council is an open forum that was launched in 2006 to develop, manage, educate and raise awareness of secure use of credit cards.
The Council’s five founding global payment brands — American Express, Discover Financial Services, JCB International, MasterCard, and Visa—enforce their own compliance standards.
Their vendors are required to:
- Build and maintain a secure network with a firewall and passwords.
- Cardholder protections including secure personal data and encrypted transactions
- Maintain a vulnerability management program including software and secure systems and applications
- Implement strong access control measures
- Monitor and test systems
- Maintain information security policy
Check out Payment Card Industry (PCI) Data Security Standard, Navigating PCI DSS, Understanding the Intent of the Requirements, table of contents for a more intensive list.
The need for strong security oversight of electronic records and financial transactions intensifies the importance of your role in the patient protection process.
It does feel like the government keeps piling it on. But take heart. The incentive money is in place to get expert help. There are plenty of consulting companies whose only offering is to help Healthcare providers HIPAA/HITECH pass audits.
If you’d like to conduct HIPAA compliance self-audit, here’s a video to give you some tips.