The Expert's View with Tom Walsh

Employees Clueless on How HITECH Impacts Them

Under the HITECH Act, workforce members ("workers") may now be personally fined or penalized by the federal government and/or a state attorney general, and face the embarrassment of being named in an unflattering news story. Unless an organization has run a thorough awareness campaign, it is safe to bet that most healthcare workers remain clueless about this.

On February 17, 2009, President Barack Obama signed the American Recovery and Reinvestment Act of 2009 (Public Law 111-5), also known as the "Stimulus Bill." Title XIII of the act is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act has at least three specific requirements that affect every worker:

  1. Breach Notification. A breach is defined as "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information." Because of the HITECH Act and the Breach Notification for Unsecured Protected Health Information rule (45 CFR Parts 160 and 164), healthcare organizations must now report breaches of unsecured PHI to HHS, whether the breach was intentional or unintentional. ("Unsecured" matters: PHI that has been encrypted or destroyed in accordance with HHS guidance is not subject to the notification requirement.) Likewise, the vast majority of state laws also require some type of breach notification. Where a breach affects more than 500 residents of a state or jurisdiction, the covered entity must also notify prominent local news media. The breach notification process requires healthcare organizations to send first-class letters to the individuals affected by the breach, or to the next of kin if the patient is deceased.
  2. Accounting of Disclosures. While the original HIPAA Privacy Rule required an accounting of disclosures, healthcare organizations had an exception for disclosures made for "TPO" -- Treatment, Payment and healthcare Operations. Under the HITECH Act, the TPO exception goes away for disclosures made through an Electronic Health Record (EHR). Healthcare organizations have to comply with the accounting-of-disclosures requirement once they have "acquired" an EHR that meets HHS's definition of "meaningful use."
    Imagine the embarrassment and problems that could arise when a patient finds out that one of your workers viewed their medical record out of curiosity and without a justifiable business need! 

    Many of the complaints filed with the HHS Office for Civil Rights (OCR) stem from an authorized user (worker) abusing their privileges to look up the record of a patient for whom they have no business need to know. Often the trigger is a family issue: workers look at other family members' records out of curiosity, or to intentionally use the information against the other person.

    The accounting of disclosures means that healthcare organizations, and in some cases business associates, must have good audit logs that track what individual users do when they access a medical record: who viewed which record, when, from where, and what they did with it.

    Reality time: I've watched nurses on the floor. They do not always log off the clinical application, especially when they are in a hurry. Another employee could easily step up to the workstation and access a patient's record, and the "disclosure" will be logged against the nurse who was originally logged on, not against the worker who actually came in afterward to use the workstation. For a worker who wanted to check on a family member's record without getting caught, this is one of the ways to accomplish that goal, and it means the audit log alone cannot always prove who was at the keyboard.

  3. Penalties. If workers deliberately and willfully violate an organization's policies, they not only face sanctions from the organization; they may also be personally fined or penalized by the federal government and/or the state attorney general.
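The audit-log review that the accounting-of-disclosures requirement implies, as an added example that is not part of the original article and not code from any EHR product. The log layout, the field names, the CARE_TEAM table (who has a treatment relationship with which patient) and the 15-minute idle threshold are all assumptions made for the example; the log lines and patients are constructed. The three rules flag exactly the situations described above: a view with no treatment relationship, a view of a record whose patient shares the user's surname (possible family member), and a view that follows a long idle gap in a session that was never logged off (possible unattended workstation, so the user named in the log may not be the person who looked).

```python
"""Accounting-of-disclosures review over EHR audit log lines (added example).

Assumed log layout (hypothetical, one event per line):
    timestamp,user_id,user_surname,workstation,action,patient_mrn,patient_surname
where action is LOGON, LOGOFF or VIEW; LOGON/LOGOFF leave the patient fields empty.
"""
from datetime import datetime, timedelta

# Assumed threshold: a VIEW this long after the session's previous event on the
# same workstation, with no LOGOFF in between, is flagged as possibly unattended.
IDLE_LIMIT = timedelta(minutes=15)

# Constructed sample audit log: hypothetical staff and patients, not real data.
SAMPLE_LOG = """\
2009-09-01T08:00:00,rn_jones,Jones,WS-3N-01,LOGON,,
2009-09-01T08:05:00,rn_jones,Jones,WS-3N-01,VIEW,100001,Smith
2009-09-01T08:07:00,rn_jones,Jones,WS-3N-01,VIEW,100002,Garcia
2009-09-01T08:41:00,rn_jones,Jones,WS-3N-01,VIEW,100003,Jones
2009-09-01T08:42:00,rn_jones,Jones,WS-3N-01,LOGOFF,,
2009-09-01T09:00:00,md_patel,Patel,WS-3N-02,LOGON,,
2009-09-01T09:02:00,md_patel,Patel,WS-3N-02,VIEW,100001,Smith
"""

# Constructed treatment relationships: the users on each patient's care team.
CARE_TEAM = {
    "100001": {"rn_jones", "md_patel"},
    "100002": {"rn_jones"},
    "100003": {"md_patel"},
}


def parse_log(text):
    """Parse the assumed CSV layout into event dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, surname, ws, action, mrn, psurname = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts), "user": user, "surname": surname,
            "ws": ws, "action": action, "mrn": mrn, "psurname": psurname,
        })
    return events


def review_audit_log(text, care_team, idle_limit=IDLE_LIMIT):
    """Return the VIEW events a privacy officer should review, with reasons."""
    findings = []
    last_seen = {}  # (user, workstation) -> time of previous event in the session
    for ev in sorted(parse_log(text), key=lambda e: e["ts"]):
        key = (ev["user"], ev["ws"])
        if ev["action"] == "LOGON":
            last_seen[key] = ev["ts"]
            continue
        if ev["action"] == "LOGOFF":
            last_seen.pop(key, None)  # a closed session cannot be "unattended"
            continue
        # action == VIEW: measure the gap since the session's previous activity
        prev = last_seen.get(key)
        idle = (ev["ts"] - prev) if prev is not None else None
        last_seen[key] = ev["ts"]

        reasons = []
        if ev["user"] not in care_team.get(ev["mrn"], set()):
            reasons.append("no_treatment_relationship")
        if ev["surname"].lower() == ev["psurname"].lower():
            reasons.append("shared_surname")
        if idle is not None and idle > idle_limit:
            # Cannot prove who was at the keyboard; only flags the view for review.
            reasons.append("possibly_unattended_session")
        if reasons:
            findings.append({
                "ts": ev["ts"].isoformat(), "user": ev["user"],
                "ws": ev["ws"], "mrn": ev["mrn"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG, CARE_TEAM):
        print(f"{f['ts']} {f['user']}@{f['ws']} viewed MRN {f['mrn']}: "
              + ", ".join(f["reasons"]))
```

On the sample log, only the 08:41 view of MRN 100003 is flagged, and it trips all three rules at once: rn_jones is not on that patient's care team, the patient shares the nurse's surname, and the view comes 34 minutes after the session's last activity with no logoff in between. In a real deployment the care-team table would be derived from admission, scheduling and order data rather than hand-built, and each finding is a lead for the privacy officer to investigate, not proof of wrongdoing.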

Recommendations:

Because the laws have changed, most organizations need to:

  1. Re-evaluate their current practices and update their policies, procedures, confidentiality and other signed agreements. For example, some organizations allow their clinical staff to view their own EHR. In the light of the HITECH Act, is this still an acceptable practice?
  2. Validate that security controls are in place to prevent or detect potential incidents and unauthorized disclosures. Wherever possible, implement encryption to protect patient information at rest or in transit. Verify that employees realize that bypassing security controls, for example turning off encryption, may only make things worse if a breach occurs.
  3. Educate their workers, especially clinical staff and physicians, about the consequences of willfully obtaining inappropriate access to an EHR. When confronted about the possible consequences of their actions in a breach, workers often reply, "I didn't know," or "I had no idea." The awareness message should put strong emphasis on willful intent, that is, on deliberate misuse of access, while making clear that honest mistakes are to be reported, not hidden. If the message is too heavy-handed, workers may stop reporting incidents and suspected breaches out of fear.

One last thing to consider...

It is important that organizations make the distinction between two closely related but different terms, incident and breach, because of the implications that follow from a breach. An event or unusual occurrence is an incident. However, not all incidents are breaches, and not all breaches must be reported to HHS. For example, a lost laptop whose patient data was encrypted in accordance with HHS guidance is an incident to be investigated and documented, but it is not a breach of unsecured PHI and does not trigger the notification requirements.

Tom Walsh is president of Tom Walsh Consulting LLC, an Overland Park, Kan.-based firm specializing in healthcare data security issues. He is a nationally recognized speaker and the co-author of three books on healthcare information security. He also has served as information security officer for San Antonio Community Hospital in Upland, Calif. He can be reached at twalshconsulting@aol.com.



About the Author

Tom Walsh

President, Tom Walsh Consulting

Walsh, CISSP, is president of Tom Walsh Consulting, a firm that advises healthcare organizations on risk management strategies, risk analysis, disaster recovery planning, security training, and remediation activities. Walsh also serves as information security officer at San Antonio Community Hospital on an outsourced basis. He serves as the information security consultant for several organizations, including a community-based hospital, a multi-hospital health system, and a large physician organization. Prior to starting his own business nine years ago, Walsh was the first information security manager for a large, multi-hospital healthcare system in Kansas City.



