With Reform Comes Responsibility
Think of the millions of new records that will be created for those folks who haven't been getting treatment because of a lack of coverage. Add that to the ongoing effort to shift from paper to electronic health records for those who already have health insurance, and you've got a herculean automation task. And with that comes huge new privacy risks.
The reform legislation that the president signed makes frequent reference to the need to comply with the HIPAA privacy and security rules as healthcare organizations submit more data to Medicare and others to measure quality and other factors. The legislation also calls for new standards for electronic funds transfers and claims attachments, among other healthcare transactions, which could mean even more information will be exchanged.
Meanwhile, thanks to the HITECH Act, hospitals and physicians are gearing up to apply for Medicare and Medicaid incentives for fully implementing EHRs, and eventually, exchanging records with other providers at the local, regional, state and national level.
That's leading some to say, "Not so fast." Before we push providers to take advantage of emerging health information exchanges, more attention needs to be paid to security issues, argues consultant Kate Borten of the Marblehead Group.
"Our first priority must be to get up to snuff on privacy and security," she argues. "The government has done way too little on security and privacy compliance and enforcement. That has to be front and center, rather than taking it on as we move forward."
Others, including consultant Janie Tremlett of Concordant, point to the need for more aggressive education of physicians on how to safeguard patient privacy. Regional extension centers, funded by HITECH and now in development, could play a major role in that arena. But they need to launch their educational efforts sooner rather than later.
And when it comes to ramping up enforcement of federal privacy and security rules, the effort appears to be getting off to a slow start.
The Office for Civil Rights within the Department of Health and Human Services apparently has not yet kicked off its HIPAA security compliance audit effort as required under the HITECH Act. We could learn more details about that effort May 11-12, when the office will co-sponsor a conference about safeguarding health information that will include an update on federal enforcement efforts.
Although state attorneys general, thanks to HITECH, now can file civil suits over HIPAA violations, so far only one, the Connecticut attorney general, has taken that step.
Here's hoping that both federal regulators and state officials beef up their privacy enforcement efforts soon as more Americans get health insurance and more records are automated and exchanged.
When hospitals, clinics and insurers see some of their peers getting into hot water for violations, more will likely step up their own privacy protection and risk management efforts.
Meanwhile, if you work at a hospital or clinic that's shifting more clinical information from paper to digital formats, don't forget to keep security top of mind. Someone has to be an advocate for patient privacy. Why not you?