Kurt Long
If we are to reap the benefits of electronic health records, health care providers must silence criticism from the paper dinosaurs--those unwilling to leave behind paper records--and welcome a sensible model for sustained HIPAA privacy and security auditing.
The unannounced HIPAA audit in March at Piedmont Hospital, Atlanta, already has had a positive effect on health care privacy, security and compliance. While results of the audit are not yet available, some providers have taken notice and revisited existing business processes and systems to identify vulnerabilities. These same organizations have pushed security investments to the top of the priority list in order to address these risks. Subtle changes in priorities are all that are needed to ensure care providers continue to adequately invest in privacy, security and compliance.
However, this short-term uptick in privacy, security and HIPAA compliance investments must be sustained. Unannounced audits by the Department of Health & Human Services are just the medicine needed to demonstrate that the government is serious about the privacy and security of its patient citizens.
Self-Enforcement Doesn’t Work
There are many complex and vested factors that make up the U.S. health care cost structure, some of which we cannot control. However, common sense tells us that EHRs can reduce costs and improve patient care. For those who debate this point, consider the financial services industry, where computer and Internet technologies have dramatically reduced associated cost structures while providing more control over our money and improved information about our investments.
Meanwhile, the paper dinosaurs cling to the old way of doing things and continue to find new criticisms of EHRs, the primary one being the potential for privacy and security breakdowns. Unfortunately, headlines reveal new patient privacy and information security incidents every day. And with the emergence of medical identity theft--“the information crime that can kill” according to the World Privacy Forum--health care must soberly assess the state of its privacy and security safeguards.
HIPAA provides a solid foundation of privacy and security process and system requirements. But to be truly effective, it requires enforcement. Health care is one of the few industries in which privacy and security audits are not connected to an organization’s accreditation and ability to continue operating. Other entities that hold sensitive public information now have routine privacy and security audits tied to a governmental oversight board. This is because self-enforcement doesn’t work. Banks, credit unions, mortgage companies and public companies all went through major crises that jeopardized citizens’ finances and the credibility of core institutions. Ultimately, health care will prove to be no different. But there is no reason to go through a full-scale crisis.
The question is not whether there should be systematic HIPAA audits tied to a care provider's accreditation. Rather, it is: what is an appropriate auditing model for the health care industry? Keep in mind that, according to the U.S. Department of Labor, health care has 545,000 care facilities and 14 million workers who potentially access protected health information.
This is a tall challenge when, to date, exactly one HIPAA audit has been performed.
Consistent, Random Audits
Given the reaction to the Piedmont Hospital audit, it will not take 545,000 audits before care providers take the government seriously. A very select number of random audits would quickly drive the behaviors the industry needs. Consider individuals’ behavior when filing income taxes. If the IRS conducted no audits, only the most disciplined and conscientious citizens would take great care in filling out their 1040s. However, the idea that one in 100 or one in 1 million returns could be audited quickly gets the preparer’s rapt attention.
In other words, the U.S. government does not need to audit every single health care provider to improve privacy and security in health care. It need only consistently audit a select random group.
Silencing the Paper Dinosaurs
Savvy provider organizations are taking action. There are a handful of major institutions expressing a new seriousness about privacy and security. In July, Park Nicollet, Minneapolis, voluntarily instituted a new zero-tolerance program for “even a well-meaning look into electronic records of friends and relatives,” according to the Star Tribune. This kind of program runs against the grain of an unspoken truth: Providers routinely look the other way when it comes to VIP, co-worker, friend, family and neighbor medical record snooping. Unfortunately, by turning a blind eye to these privacy offenses, health care organizations set themselves up for medical identity theft incidents that can result in complete institutional collapse.
For the sake of EHR adoption, we can only hope that the government arrives at a sensible process for nudging health care toward systematic HIPAA audits. And as an industry we must embrace this new and inevitable era in which electronic privacy and security are paramount. This would go a long way toward silencing the last of the paper dinosaurs.
Kurt Long is the founder and CEO of EpicTide, a St. Petersburg, Fla.-based compliance and information security company.
This article first appeared on August 22, 2007 in HHN's Magazine online site.