[author: Jo Ellen Whitney]
The privacy and security landscape for covered providers will soon be changing. A number of rules relating to HIPAA, HITECH and Stage II Meaningful Use are finally making their way through the system.
At the end of March 2012, "regzilla" or the "mega rule" was submitted to OMB. This rule is intended to encompass all of the regs relating to the HITECH Act that never made it out of HHS. This includes accounting for disclosures; expanding the organizations that count as business associates; willful neglect, which will have a significant impact upon human resources as well as training; marketing and fundraising rules, which will in all likelihood limit marketing processes; rights to request restrictions and disclosures; and finally something other than interim final regs for the breach notification provisions. Indications are that this reg also includes references to GINA and a wide variety of other items which are pulled in under the HIPAA rubric.
CMS has also issued the Stage II Meaningful Use notice of proposed rule-making, which has a wide variety of requirements, some of which will interact with these HITECH issues. CMS is indicating that encryption will be the standard for all data systems, including mobile devices. This would include not just the mobile devices that are issued by the hospital or other provider, but also personally owned devices where healthcare information is accessed. Meaningful Use Stage II would also require providers to give patients the ability to view on-line, download and transmit their health information: within four days of the eligible professional receiving the information, and within 36 hours of patient discharge for hospitals. There are also provisions for secure electronic messaging between patients and physicians as part of the Meaningful Use II standards.
Most HIPAA violations have to do with people: the way we behave or the way we don't behave, and how we manage the policies that we create internally. Violations tend to be triggered by sloppiness, not criminal intent. The Office for Civil Rights indicates that 69% of all HIPAA violations of 500 or more items are the result of human error. A recent UCLA case points to this fact: there was a home invasion and a practitioner had his laptop stolen which contained significant patient information. Although the laptop was encrypted, the thieves also took the notebook which had all of the passwords written in it under a big bold heading of PASSWORDS. A quick review of other cases, including the recent HHS settlement with Phoenix Cardiac Surgery, also points to failure of training, failure to discipline employees who do not meet your HIPAA/HITECH requirements, and human error, plain and simple, as the primary causal factor of breaches. Human error encompasses everything from true accidents to employees snooping because they would like to know what their ex-husband's new girlfriend is like.
As we look at trends in the hospital and clinic setting, we can note that the use of personal devices is up, that iPhones and iPads are considered basic equipment by most physicians, and that both access to a patient's information and distractions, like a quick game of Angry Birds, are getting faster and more prevalent. Providers need to be planning ahead of these issues as we look at the release of new regs and new penalties for failure to meet basic requirements.