The privacy/security tiger doesn't have any teeth

Amid the recent firestorm of debate and controversial regulation aimed at curing the nation's healthcare system, significant effort and focus have been paid to matters of availability of care and to payment/compensation structures. Largely ignored by the mainstream media have been parallel and ongoing efforts under the guise of "meaningful use" of EHRs to financially incentivize many of the controls that are required by HIPAA security and privacy rules and those of the American Recovery and Reinvestment Act. In the meantime, healthcare providers seemingly continue to hemorrhage protected health information unabated.

Sure, Connecticut Attorney General--and now Senator-elect--Richard Blumenthal sued Health Net for failing to secure the information of 446,000 individuals whose data was on a lost, unencrypted hard drive. Sure, HHS Secretary Kathleen Sebelius has begun to publicize breaches of unprotected PHI affecting over 500 individuals. Each is empowered to do so by ARRA. 

But what you may not have heard is that Connecticut settled the case for $250,000, with a conditional $500,000 to be paid in the event that the breach proves to have led to the access of personal information. Perhaps, too, it has been little reported that in the course of just one year (Sept. 22, 2009, to Sept. 20, 2010), the HHS website reflects that 5,349,568 individuals were affected by reported breaches.

In testimony before the House Ways and Means Committee's health subcommittee, National Health IT Coordinator Dr. David Blumenthal stated that ARRA has provided four objectives for the meaningful use of EHRs, one of which is "to bolster trust in electronic IT systems through ensuring privacy and security." Supporting this objective, the privacy and security "tiger team" that Blumenthal appointed has begun to deliver credible recommendations to the Health IT Policy Committee.

Nevertheless, for a second straight year, the 2010 Healthcare Information and Management Systems Society (HIMSS) Security Survey has shown that 31 percent of all healthcare providers experienced a breach of patient information. Worse, the Ponemon Institute and security firm ID Experts released findings that hospitals are exposed to a loss of $6 billion annually as a result of breaches, and that 70 percent of respondents indicated that patient data protection is not even a priority within their organizations.

So what reasonable hope should we have that the early 2011 release of updated HIPAA rules or pending HHS Office for Civil Rights audits will prove a panacea for the very same problem that resulted in ManorCare Health Services' PHI being found literally blowing in the wind? In the case of the payment card industry's Data Security Standard (DSS), despite it being unregulated, failure to achieve compliance can lead to hefty penalties for merchants, increased transactional costs and loss of the ability to accept credit card payments. Certainly then, a regulated healthcare provider's refusal to take the necessary steps to secure patient data will result in similar repercussions, no? Perhaps. However, it is far more likely that the situation will be weighed against the public interest and met with a begrudging continuance of the organization's ability to treat patients.

While the outcome of the approaching crossroads will be closely monitored by those in the field, it is my suggestion that unless providers are required by their private-sector insurers to establish a reasonable security baseline, so as to demonstrate both compliance with applicable regulations and the organizational ability to respond to either an OCR or an independent audit, true patient privacy and security will remain elusive.

Unfortunately for Dr. Blumenthal, so too will public trust. Until then, the tiger doesn't have any teeth.

Peter Spier is president of the Western New York chapter of the Information Systems Audit and Control Association and manager of professional services at Frederick, Md.-based Fortrex Technologies.