Privacy and security: Own it

New HIPAA rule will help reshape attitudes
By Bernie Monegain

No sooner had HHS Office for Civil Rights Director Leon Rodriguez taken the stage at the Healthcare IT News/HIMSSMedia Privacy and Security Forum last December than he made his "tough on crime" stance clear. Soon into the interview, he promised more and bigger fines for healthcare entities that do not take the privacy and security of protected health information seriously.
The promise had nothing to do with posturing, threatening or shaming. It had everything to do with setting new expectations and moving forward on a goal of gaining trust from all patients across the country, all of whom have a right to expect their protected health information will be exactly that - protected.
People with mental illness or behavioral health issues - any illness, in fact - are often stigmatized, sometimes judged as having caused their own illness. Or thieves steal vital information in order to take on the patient's identity, a situation that can ruin lives as well as credit scores. Is it any wonder patients want to protect their privacy, to make sure their information is secure?
Whether the patient is a regular Joe Smith or a pop star, a Kardashian or a Clooney, he or she deserves protection from the busybodies and the casually curious.
The new HIPAA rule that takes effect on Sept. 26 takes a big step toward ensuring tighter control over protected health information. It raises the bar with additional requirements to protect health information. It applies not only to healthcare entities, but also to entities with which they do business - business associates. The fines for violations are stiffer, and we think they will be swifter.
Rodriguez and his team will make good on his promise to make this work for patients.
They have to. The law has to have "teeth" commensurate with the gravity of the offense. And, the new rule, as Healthcare IT News Associate Editor Erin McCann describes it in this month's cover story (Page 4), has more "bite."
Since the forum last December, McCann has made it her business to report on the breaches - to keep them front and center. They run the gamut of offenses, from theft of computers - still unencrypted - to clinicians who avail themselves of information illegally and "oops" moments that ended up with patient information on Google.
Even with all the publicity everywhere surrounding the new rule, it seems more breaches - both in number and in seriousness - have occurred over the nine months since last year's privacy forum. Another Healthcare IT News/HIMSSMedia Privacy Forum is set for Sept. 23-24 in Boston.
It's important that we all keep privacy and security center-stage. It's also critical to the success of the many programs, both public and private, that aim to take the slow-moving healthcare industry into the digital age.
"Underlying all our efforts is the core understanding that we will not succeed if patients do not trust that their health information will be kept safe and secure in an increasingly electronic and interoperable world," ONC chief Farzad Mostashari, MD, wrote in testimony delivered to the Senate Finance Committee on July 17. "We firmly believe that everyone who is involved in the health care sector (including the government, the developers, the health plans, the providers, and the patients) shares the responsibility for protecting patient information."
Mostashari has been nothing if not determined on this issue of privacy and its tie-in to the success of healthcare IT. So has his predecessor, David Blumenthal, MD.
"Health information exchange, however, will never reach its potential unless patients and providers are confident that patients' data are private and secure - both when stored in EHRs or other repositories and when flowing through the health care system," Blumenthal, who today works with the Commonwealth Fund, wrote in a Feb. 4, 2010 article in the New England Journal of Medicine.
At last year's privacy forum, OCR's Rodriguez told the audience, "At the end of the day it comes down to leadership: Owning compliance issues and doing so consistently."
Tim Zoph, CIO of Northwestern Memorial Hospital in Chicago since 1993 and also its senior vice president of administration, rallied the audience at the forum, urging everyone to get in the game.
"We're better off together than we are separate," Zoph said. "This is a case where we need more defense because the offense is ramping up. We have to infuse our culture in others that work with us," he said. "We have to have a sense of urgency about it."