HITECH Act and Protecting Health Privacy
By Doug Pollack, Chief Marketing Officer for ID Experts
September 23, 2009 marked a major milestone for patient rights.
That is when the new Health Information Technology for Economic and Clinical Health (HITECH) Act took effect, requiring healthcare organizations to take more responsibility for protecting patient records and health information.
The HITECH Act seeks to streamline healthcare and reduce costs through the use of health information technology, including the adoption of electronic health records.
To ensure technology and security go hand-in-hand, the HITECH Act also includes strict new rules for notification in the case of a data breach incident where protected health information (PHI) is improperly exposed.
Healthcare organizations and their business partners are now required to notify the individuals affected by a data breach as well as the federal government, which will post the information publicly.
The HITECH Act also stiffens penalties for non-compliance—up to $1.5 million.
It is too soon to see the full impact of the HITECH Act. Certainly, government agencies are fine-tuning—and debating—the details.
But, whatever happens in Washington, healthcare organizations would be smart to ask:
- Will the federal and state governments impose even stricter privacy initiatives over the next six months as a result?
- Will the move toward electronic health records increase healthcare breaches?
- Regulatory penalties aside, what are the consequences of a data breach, such as loss of credibility for my organization, and medical and financial risks to people whose data was lost?
Tighter Privacy Laws - More Data Breaches
These new regulations come at a time when healthcare breaches are on the rise; according to the 2009 ITRC Breach Stats Report, healthcare breaches account for over 66 percent of all records breached this year (up from 20 percent in 2008).
In fact, some of the largest names in healthcare suffered data breaches.
In one incident, an employee at a high-profile medical center allegedly stole the personal information of 1,000 patients with the intent to defraud insurance companies.
Another case involved the theft of a laptop that may have contained PHI such as medical record numbers, names, and Social Security numbers.
And at a New York City hospital, an admissions employee was suspected of selling 2,000 patients’ data as part of an identity theft scheme and illegally accessing nearly 50,000 records.
Data Breaches Don’t Have to Spell Disaster
With these new regulations in place, healthcare organizations are scrambling to understand the requirements and how to adapt and comply.
Unfortunately, we have learned firsthand through managing hundreds of data breaches that few organizations actually have breach response plans in place, despite the laws.
For the well-being of the business and its patients, healthcare organizations and their partners need to take the most comprehensive approach to data breach preparedness, as one customer did:
Thieves broke into a prominent healthcare facility and took, among other items, a desktop computer containing patients’ personal information. Approximately 4,000 medical records were at risk.
The breach team at ID Experts provided a risk assessment for the hospital, communication with the affected population, and protection and recovery services for those affected.
In the end, ID Experts handled more than 1,500 calls; only a handful of callers required assistance directly from the hospital.
We delivered notifications to more than 5,000 people and provided membership in our protection and recovery services program to more than 1,200 people.
An excellent tool for establishing procedures in advance of a data breach is the incident response plan.
ID Experts offers services that provide guidelines for establishing an incident response team and outline responsibilities and actions. The plan contains instructions, worksheets and materials that can be used to streamline the response process.
The new HITECH Act requirements will likely affect every aspect of your operations: business and healthcare processes; IT data security, retention, and monitoring; contracts and business relationships.
With increasing risks, having a response plan in place will benefit your patients, your employees and your business.
* * *
Doug Pollack has 20+ years of industry experience in computing, networking, and software. He currently resides in Portland, Oregon and is Chief Marketing Officer for ID Experts, a leader in data security breach prevention and remediation. His background includes over 13 years in Silicon Valley in management positions at Apple, 3Com, and a software startup that grew to $25MM and an IPO. After relocating to Oregon, Doug led marketing & business development for GemStone Systems, a Java technology company with close ties to Sun Microsystems & IBM, to an acquisition in 2000. Doug has also acted as interim CEO for two venture-backed software startups and prior to ID Experts was VP of marketing and business development for Digimarc, a $100MM publicly traded corporation (DMRC). Doug's educational background includes a BSEE from Cornell University and an MBA from the Stanford Graduate School of Business.
ID Experts provides data breach solutions, risk assessment, forensic investigation and fully managed victim identity restoration to corporations, financial institutions, healthcare organizations and government agencies. As a leader in data breach prevention and remediation, the company has managed hundreds of data breach events, protects millions of individuals from identity theft and authored the Identity Crime Victim’s Bill of Rights. ID Experts is actively involved with industry organizations including ANSI/Identity Theft Prevention and Identity Management Standards Panel, International Association of Privacy Professionals, Internet Security Alliance, and the Santa Fe Group.
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com