Thursday, November 19, 2009

HITECH HIPAA - HR can't just push the burden onto IT

Every healthcare and HR professional in the US knows about HIPAA. It's that difficult piece of legislation that says you can't treat an individual's protected health information in the same lax way that organizations do every other aspect of an individual's 'private' data - you can't leak it, share it, sell it, or generally let it out of your sight. The problem is, although everyone knew about the legislation and knew at a high level what it meant, at many levels it lacked any real threat to make people pay attention.

The penalties from the legislation itself appeared to be more like "we expect you to screw up and release a bunch of personal information, so if you do we'll scold you a little, and we know you'll do it again anyway, so we won't penalize you too much", than a real deterrent. The fact that HIPAA worked at all in healthcare appeared to me to be due to the bad press that would come from a failure. For example, the Seattle health system, Providence, was finally hit with a $100k fine, but this took repeated offenses and the loss of the healthcare records of 386,000 people. According to Anne Zieger on FierceHealthIT:
The fine that will be paid by Providence is actually fairly unusual, as very few HIPAA fines have actually been imposed to date. However, its security issues are also unique. While many health organizations have lost a single laptop or backup tape to theft or disorganization in recent years, I haven't encountered any that have actually had to report multiple losses. That might explain why federal monitors took a particular interest in this organization's troubles.
As I looked through the backlog of news I had been avoiding reading this week, I started to see more stories about the Health Information Technology for Economic and Clinical Health (HITECH) Act. At a time when the government is pushing electronic medical records (welcome to the 20th century, US healthcare), someone is also thinking about how badly companies are likely to implement their systems. This story jumped out at me: HIPAA Enforcement Gets More Teeth:

Prior to the HITECH Act, the maximum penalty was $100 for each violation or $25,000 for all identical violations of the same provision. A covered healthcare provider, health plan, or clearinghouse could also avoid the imposition of a fine by demonstrating that it did not know that it violated the HIPAA rules.

The HITECH Act strengthened the enforcement program by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. In addition, a covered entity can no longer prevent the imposition of a fine for an unknown violation unless it corrects the violation within 30 days of discovery.

The provisions for the hefty fines appear to apply only to health care providers, clearinghouses and health plans. Since HR does not fall into these categories, all the HR professionals are wondering why they were suffering HIPAA fatigue back in 2005 when the security regulations started to really hit them. The problem for HR is that they pass protected health information (often referred to as PHI) to the three types of "covered entity", and therefore they fall under the HIPAA security rules.

There is a great article that talks about the role of HIPAA security in HR back in 2005: "HR's Role in HIPAA Security Compliance" by Philip L. Gordon of Littler Mendelson, P.C. As the article states, HR passed the data security issue to IT, "because that's what IT does, right?". The fact is that, unless HR takes care of its own controls and policies around the handling of protected health information during every phase of the relationship with an employee, from recruitment and employment through to beyond termination, there is little that IT can do but store already compromised information. If HR takes information into its own custody and loses it there (a desk drawer, papers on top of a broken shredder, files on a stolen laptop), IT cannot take the blame.

For HR, make sure that the business processes you run that touch PHI can be enforced, that the data captured can be secured from the point of receipt, and that there is full opportunity to audit everything that you do. You can absolutely do that with manual mechanisms, though email makes data security far more complex than you can imagine. To make HIPAA compliance less of a burden, I suggest pushing the responsibility for business processes down to a dedicated business process / workflow automation tool. At a minimum this can show that you are following best practices should the worst happen and HHS comes knocking at your door. And on a routine basis, the demonstration of compliance again becomes a 'systems' issue for IT or your software solutions vendor to handle.

Like many forms of compliance and governance, making use of process improvement technology designed for running your business better can automatically put you in a better position with HHS, and any other agency or regulator that pushes onerous, but necessary regulation.

A post from the Improving It blog
