Stop identity theft: Spend more on security?
One-third of providers say their organization has had at least one known case of medical identity theft, and some of those cases might not have been reported, according to a recent survey by the Healthcare Information and Management Systems Society (HIMSS).
The survey interviewed 272 IT and security professionals at hospitals and medical practices. Now in its third year, the 2010 HIMSS Security Survey, sponsored by Intel, reports the opinions of information technology (IT) and security professionals from health care provider organizations across the country regarding key issues surrounding the tools and policies in place to secure electronic patient data at health care organizations.
The rate of medical identity theft is surprising to Eduard Goodman, JD, a privacy lawyer and chief privacy officer for Identity Theft 911, a company in Scottsdale, AZ, that provides data protection and similar services. He was surprised that health care providers still are facing so much identity theft even with significant HIPAA penalties hanging over their heads.
"HIPAA is one of the few areas of law in which the injury is just the release of the information itself. It's not about whether anyone uses that information to commit a crime," Goodman says. "With that in mind, you would expect providers to work harder to protect that data, and a third are saying they've failed on that point."
Not all conducting risk analyses
The security data is particularly important for providers trying to meet the meaningful use objectives. How do you measure up against your peers?
The Electronic Health Record Incentive Program identifies 14 meaningful use objectives for eligible hospitals and 15 core meaningful use objectives for eligible professionals. (The final rule is available at http://edocket.access.gpo.gov/2010/pdf/2010-17207.pdf. The language describing the objectives and measures is on pages 19-57, and a grid that identifies each objective and measure is on pages 58-63.) Meeting those objectives is required to receive funds for transitioning to electronic health records provided through the new Medicare and Medicaid incentive program.
Additionally, hospitals and eligible providers must focus on five of 10 menu set objectives to qualify for incentive funds. One of these rules specifically stipulates that they must protect electronic health information created or maintained by the electronic health record (EHR) by conducting or reviewing a security risk analysis. These organizations also must implement security updates as necessary and correct identified security deficiencies as part of their risk management process. Risk analysis is a key requirement of the Health Insurance Portability and Accountability Act (HIPAA) final security rule, and as such, has been a requirement for health care organizations for many years.
Results from the 2010 HIMSS Security Survey indicated that three-quarters of all respondents reported that they perform a risk assessment at their organizations. "While this is similar to the percentage reported last year, this year's study has a greater representation of medical practices, and there is a clear difference in the percent of respondents that indicated they conducted a risk analysis," the report says. "Respondents working for medical practices were twice as likely to report that their organization does not conduct a risk analysis compared to those that work at a hospital (33% compared to 14%)." (See story, right, for more results from the survey.)
Quarter wouldn't qualify now
The meaningful use criteria state that not only are organizations required to conduct a risk analysis, but they also must correct deficiencies identified during the risk analysis process.
"At present, one-quarter of the sample population would not qualify for meaningful use," the report states. "In addition, establishing a robust security environment is crucial as hospitals and medical practices increasingly share information outside of their organizations."
Overall, a high percentage of those that are conducting a risk assessment reported using this information to determine which security controls should be put into place at their organizations. The risk assessment results also were used by many organizations to identify gaps in existing security controls, policies, and/or procedures. As a result of the risk assessment, organizations were able to actively take steps to correct deficiencies. The survey data serves to emphasize the important role and value that ongoing security risk analysis can play in protecting health data.
The risk analysis is particularly important as providers move toward EHRs, Goodman says.
"I think people are truly underestimating the level of security and diligence that will have to go into protecting those electronic records," Goodman says. "When someone tries to steal 200 paper records with health information, that's a couple of boxes at least. Now you'll have thousands on a thumb drive, and that convenience makes them that much easier to steal. More portable for you means it's more portable for a thief, too."
Eduard Goodman, JD, Chief Privacy Officer, Identity Theft 911, Scottsdale, AZ. Telephone: (888) 682-5911. E-mail: firstname.lastname@example.org.