Achieving Safe Harbor: What the HITECH Act Means for U.S. Healthcare Organizations’ Communications and Business Processes

Executive Summary:
Security and Privacy Driving Improvements

Paper records are still common within healthcare organizations (HCOs), insurers, clearinghouses and related business associates (BAs), leaving these organizations susceptible to data breaches and lost patient data. Protected health information (PHI) is sent via fax, mail and other unsecured methods of transfer on a daily basis. Paper breaches year-to-date 2009 jumped to more than 25% of the total reported breaches tracked by the Identity Theft Resource Center (ITRC), up from the 17.7% reported for the year 2008.

Not All Automation is Created Equal

While electronic handling is clearly a step forward, HCOs and related entities that have implemented electronic methods within their infrastructure face interoperability issues between systems. No standards have been put in place so that providers of service (POS) can effectively transfer records electronically, leaving HCOs and other entities to their own devices. However, the days of recommendations and best practices are gone. Enforcement of the privacy and security of electronic health records (EHRs) is here, and its name is ARRA. In February 2009, the American Recovery and Reinvestment Act (ARRA) was signed into federal law. A portion of this bill, the Health Information Technology for Economic and Clinical Health Act (HITECH), allocates billions of dollars as incentives for HCOs and physicians who can demonstrate “meaningful use” of EHR systems. Additionally, the HITECH breach notification rules require covered entities (CEs) and business associates to notify affected individuals upon a breach of unsecured PHI. The breach notification rules will be enforced beginning February 2010. HITECH provides that PHI is treated as secured, that is, unusable, unreadable or indecipherable to unauthorized individuals, if it has been encrypted. In this regard, the U.S. Department of Health and Human Services (HHS) has followed the lead of more than 45 state breach notification laws that likewise provide “safe harbors” for encrypted information. The guidance is clear that its recitation of information safeguards, though a proposal pending public comment, is intended to be exhaustive. HCOs and other covered entities will be required to comply with the safe harbor laws by October 2010.

Compliance and Stimulus Money

1. Administrative

The HIPAA Security Rule also requires that organizations maintain a documented process. The HHS guidance issued under HITECH names two specific forms of encryption that meet the safe harbor standard: (1) for data at rest, encryption consistent with National Institute of Standards and Technology (NIST) Special Publication 800-111; and (2) for data in transit, encryption that complies with Federal Information Processing Standard (FIPS) 140-2. Additionally, the HIPAA Security Rule requires that HCO business associates comply with these standards. NIST’s “An Introductory Resource Guide for Implementing the HIPAA Security Rule” (Special Publication 800-66) restates the Security Rule’s contractual requirement plainly: “Contracts between covered entities and business associates must provide that business associates will implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the EPHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity.” The pressure is on to automate clinical processes and exchange information electronically, and to do so in a secure environment. The negative impact of a data breach potentially outweighs government early adopter incentives and non-compliance fines. With data breaches making headlines at an increasing rate, HCOs face intense media scrutiny, customer churn and a tarnished reputation.
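The two safe harbor references above (SP 800-111 for data at rest, FIPS 140-2 for data in transit) name standards, not code. The Go program below is an added example written for this page, not code from Stonebranch, HHS or NIST, showing what the data-at-rest case looks like for a single stored record: AES-256 in GCM mode, which encrypts the record and authenticates it in one step, with the record identifier bound to the ciphertext as associated data so a blob cannot be quietly moved from one patient to another. The key source, the JSON record layout, the record IDs and the SealRecord, OpenRecord and Fingerprint names are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

const keySize = 32 // AES-256

// SealRecord encrypts one stored PHI record with AES-256-GCM.
// recordID is bound as associated data, so a ciphertext that is re-labelled
// or moved to another record fails to open even under the correct key.
// Output layout: nonce || ciphertext || 16-byte GCM tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice passed as dst.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. A single flipped bit anywhere in the blob,
// or a mismatched recordID, yields an error and no plaintext: the record stays
// unreadable to anyone who cannot also forge the authentication tag.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed record too short to hold nonce and tag")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

// Fingerprint is a SHA-256 digest of the sealed blob for the audit trail:
// it identifies which ciphertext was written without exposing any PHI.
func Fingerprint(sealed []byte) string {
	sum := sha256.Sum256(sealed)
	return hex.EncodeToString(sum[:])
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Assumption: in a real deployment the key comes from a key manager or
	// validated cryptographic module; a random in-memory key stands in here.
	key := make([]byte, keySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	record := []byte(`{"mrn":"000123","name":"Sample Patient","dx":"J06.9"}`)

	sealed, err := SealRecord(key, "encounter-42", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored blob fingerprint:", Fingerprint(sealed))

	if pt, err := OpenRecord(key, "encounter-42", sealed); err == nil {
		fmt.Println("decrypted:", string(pt))
	}

	// Tampering: flip one bit of ciphertext; GCM must refuse to decrypt.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	if _, err := OpenRecord(key, "encounter-42", tampered); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}

	// Re-labelling: the same blob under a different record ID also fails.
	if _, err := OpenRecord(key, "encounter-43", sealed); err != nil {
		fmt.Println("re-labelled blob rejected:", err)
	}
}
```

Two caveats a practitioner would raise before calling this "safe harbor" encryption: FIPS 140-2 validation is a property of the cryptographic module, and the ordinary Go standard library used here is not a validated module, so a production deployment would route the same calls through one; and the safe harbor only helps if the key is not part of the breached data set, so the key belongs in a key manager or HSM, never stored beside the ciphertext. The SHA-256 fingerprint can go into the audit log as the identity of what was written without exposing PHI.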
According to the Ponemon Institute’s report “The 2008 Annual Study: Cost of a Data Breach,” breaches are costly events for an organization: the average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007 and $4.7 million in 2006) and ranged from $613,000 to almost $32 million. Lost business continues to have the highest financial impact, with 69 percent of total data breach costs attributed to customer churn.

The Current State of Electronic Health Records

The need to share PHI and collaborate with other organizations is increasingly complex, as HCOs are responsible for the privacy of data through the full cycle of transmission, whether to patients, payers or outside partners. With the creation of HITECH, most experts say that covered entities and business associates must immediately finalize their breach notification policies and procedures. However, most SMB healthcare organizations don’t have a system in place, and many HCOs and their partners are unclear on what the law dictates. Additionally, most HCOs face the task of finding the resources to comply with the HITECH security guidelines. The HITECH Act focuses on the establishment of a national health information infrastructure and on providing incentives for the adoption of electronic health records.

HIPAA and Outdated Technology

While standards and the adoption of standards-based communications grew with the roll-out of HIPAA, many processes still required standardization. Many software vendors created proprietary solutions which were not interoperable outside a single healthcare system, or which would only work with a specific EHR system. Many EHR systems use custom TCP/IP socket protocols. These custom implementations can be made secure while the information is in transit across a network, but they only work when both ends of the connection run the same software. Moreover, the data is not necessarily encrypted once it is saved at its destination. In the past, many HCOs have used similarly insecure methods to deliver PHI to outside business partners:
All of these methods lack the security controls needed to keep PHI secure. Additionally, these disparate data transfer protocols and solutions introduce islands of manual management, creating operational complications and multiple tiers of support that increase cost and risk. So what are your options? As discussed earlier in this paper, the answer is encryption.

Encrypting your EHRs

As an HCO, you are responsible for the encryption of EHR information through its whole life cycle. That includes outside the four walls of your organization, whether it’s:
Regardless of where the breach occurs, on your side or the partner’s, it is your responsibility unless you can demonstrate contractually that your partners are bound to the same encryption mandates. You are responsible for:
The U.S. government and the National Security Agency (NSA) have adopted AES, the Advanced Encryption Standard. The SHA hash functions are a family of cryptographic hash algorithms designed by the NSA and published by NIST as a U.S. Federal Information Processing Standard. RSA (Rivest, Shamir and Adleman) is a widely used public-key cryptosystem that underpins many electronic commerce protocols. These are algorithms, not implementations: the safe harbor additionally expects storage encryption consistent with NIST SP 800-111 and transit encryption that complies with FIPS 140-2, so the choice of a validated module and sound key management matter as much as the choice of algorithm. Another characteristic of any proven EHR solution is the ability to integrate. Can the solution you choose integrate with your current applications: clinical solutions, back-office applications, revenue cycle solutions, etc.? An EHR solution should work within your existing workflow and minimize the complexity caused by increased automation, various Web services and governance requirements. The single most important aspect of successfully implementing a secure EHR system is ease of use. If the solution is too difficult for end users in any department within your HCO, it will not be used. End users will look for a way to circumvent your secure solution if it is too complex and takes them away from completing their daily tasks. With end users in mind, you should be cognizant of which departments within your organization will need to use your secure communications solution, and how. Like HIPAA, the HITECH Act covers PHI, including identifiers such as name, Social Security number, address and insurance account numbers. This affects almost every department within and outside your organization, including:
We’ve covered what HITECH, HIPAA and the safe harbor rules dictate, and the characteristics of a successful, secure EHR solution and implementation within your HCO. Now, how can you comply with an easy-to-use solution that meets all of these requirements?

Ensuring Data Security within Your Organization – The Stonebranch Solution

Many existing file transfer products are architected for internal transfers only. Others act as standalone solutions with no integration into your wider workload management infrastructure. More than 70 percent of batch processing jobs are related to file transfer; how do you ensure that these data transfers are secure as well? Many of these products end up causing problems such as:
Stonebranch’s solutions work as an integrated platform that eliminates these issues while providing fast deployment and ROI. With secure data exchange within your IT infrastructure, you gain:
Through an integrated platform, you can securely send:
Are you ready to claim your stimulus money?

Getting Started with Stonebranch and Scribbos

Additional Resources: