Healthcare providers are struggling to serve two masters, according to the latest survey by security software maker Imprivata, and unfortunately they’re falling short on both ends.
According to the report (available in PDF format) 76 percent of IT administrators at 600 North American hospitals queried said data breaches or unauthorized access to clinical applications were their biggest concerns.
At the same time, 76 percent reported they were focused on investing in electronic medical records (EMRs), a priority laid forth by the Obama administration and one that pays the most immediate dividends as far as reducing overall healthcare costs and improving patient care and caregiver efficiency.
These dueling agendas — migrating millions of patient records and thousands of outdated computer systems to EMRs and locking down the very networks used by physicians, nurses, insurance companies and patients themselves — has been complicated by new federal regulations requiring increased security and accountability for managing this voluminous personal information.
The Impivata study discovered that 38 percent of hospitals surveyed are still not in compliance with the HITECH Act, a piece of legislation that was included as part of the federal stimulus bill that gives regulatory agencies the teeth to enforce security and privacy components of previously passed HIPAA regulations and standards.
“More than one year after its passage, hospitals continue to be deeply concerned about their ability to meet deadlines imposed on them by the HITECH Act,” Imprivata Chief Marketing Officer Barry Chaiken, said in the report. “Organizations fear security breaches and unauthorized access to patient records, while trying to manage clinical transformation through the deployment of EMR systems to achieve improved care delivery and cost savings.”
Despite respondents repeated claims that they’re terrified by the prospect of making headlines for failing to protect against data breaches, hospitals and medical centers continue are routinely warning patients that their most personal information has been exposed on their watch.
Paying a high price for failing to comply
Whether it’s an innocent mistake such as a physician accidentally posting clinical information to an unsecured page on the hospital website or the outright theft or loss of a laptop, server or portable storage device, hundreds of thousands of patients’ information has already been compromised this year.
That’s precisely why the Department of Health and Human Services (HHS) pushed so hard for harsh penalties and explicit terminology in the HITECH Act passed in February.
Prior to the HITECH Act, HHS could not impose a penalty of more than $100 for each security or privacy violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan or clearinghouse could also bar the department’s imposition of a civil money penalty by demonstrating that it did not know that it violated the HIPAA rules.
Section 13410(d) of the HITECH Act strengthened the civil money penalty formula by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. A covered entity can no longer bar the imposition of a civil money penalty for an unknown violation unless it corrects the violation within 30 days of discovery.
“The department’s implementation of these HITECH Act enforcement provisions will strengthen the HIPAA protections and rights related to an individual’s health information,” Georgina Verdugo, the director of HHS Office for Civil Rights (OCR), said at the time the legislation was approved. “Such heightened vigilance will give consumers greater confidence in the privacy and security of their health information and in the industry’s use of health information technology.”
Other states, most notably California, have enacted their own legislation and penalties to hold healthcare providers to a high standard of IT security and oversight.
In June, five California hospitals were tagged with a total of $675,000 in fines for failing to secure patient data.
From a consumer and patient perspective, the fact that state and federal regulators are ratcheting up the pressure on the industry to safeguard data is reassuring and will likely lead to immediate improvements considering the money at stake.
A recent study by Compass Intelligence predicts that healthcare IT spending will surge to more than $73 billion in 2010 and will grow on at a compounded annual growth rate of 4.5 percent for the next five years to more than $85 billion in 2014.