Watchdog Reports: Security Catalysts?
Inspector General Reports Could Spur Action
This week's reports from the Department of Health and Human Services' Office of the Inspector General call for a ramping up of enforcement of the HIPAA Security Rule and the inclusion of more security requirements in the HITECH Act electronic health record incentive program (see: Watchdog Hits HHS on Records Security).
The HHS Office for Civil Rights, which enforces HIPAA, recently requested a 13.5 percent increase in its fiscal 2012 budget for, among other things, enforcement of the HIPAA Security Rule and compliance reviews of smaller breach incidents (see: More HIPAA Enforcement Funding Sought). "So it's timely to raise the issue of HIPAA enforcement in the middle of the budget discussions," says Dan Rode, vice president of policy and government relations at the American Health Information Management Association.
Meanwhile, the Office of the National Coordinator for Health IT, another HHS unit, is working on requirements for future stages of the HITECH Act's Medicare and Medicaid EHR incentive program. Requirements for stage two are due at year's end. Thus, the inspector general report on standards helps raise issues to be considered.
Rode calls the two reports "a good wakeup call" on health information security issues.
Deven McGraw, co-chair of the Privacy & Security Tiger Team that's advising ONC, says the inspector general's reports "shine a spotlight on the need for healthcare providers to better implement security technologies to protect health data." But she says the reports failed to highlight "the need for a coordinated security strategy coming out of HHS, if not the White House. ... The failure to have a comprehensive, coordinated strategy is at the root of the issues raised in the reports."
HITECH EHR Incentives
Joy Pritts, chief privacy officer at ONC, says two committees advising ONC on incentive program requirements are considering, or soon will consider, some of the general IT security controls the inspector general report cited as missing in the stage one requirements.
She points out that healthcare organizations already must comply with the HIPAA Security Rule, which, among other things, specifies the use of administrative, physical and technical safeguards. "The meaningful use [EHR incentive program] requirements were written with that context in mind," Pritts stresses.
Stage one "meaningful use" requirements for the EHR incentive program reinforce the HIPAA mandate to conduct a risk assessment and take action to mitigate any risks identified, she points out. Plus, the EHR software criteria for stage one spell out multiple security functions that are required within the applications.
Pointing to additional requirements in the works for stage two of the program, Pritts says, "We have always seen the meaningful use process as an incremental process, where people will get on the bottom of the escalator and move up over time."
Limited Authority
McGraw, however, offers a different perspective. Although the inspector general criticizes ONC for not paying sufficient attention to general security that would apply to the entire data environment, ONC's authority is limited to setting the criteria for certified EHR technology, McGraw notes. "In general, EHR vendors seek certification for their products - there is no certification of hospital EHR systems or environments that would enable ONC to monitor how they are being implemented and if security is extended to the entire environment," she says.
The issue of enterprise security is covered under the HIPAA Security Rule, McGraw notes. "But the Security Rule provides an enormous amount of flexibility with respect to implementation, and OCR has not updated the rule with additional guidance to reflect new threats and new demands on the security infrastructure. Couple that with a history of lackluster enforcement that only recently appears to be changing, and it's not a surprise that the healthcare industry lags significantly behind other industries with respect to consistent adoption of strong security safeguards."
McGraw also notes that the Centers for Medicare & Medicaid Services has the final word on the "meaningful use" guidelines for how EHRs must be implemented to earn incentives. "They have to date shown a reluctance to use the meaningful use incentive program as a policy lever for getting the health care industry to actually adopt and implement broader privacy and security protections," she asserts. "They even rejected a recommendation from the Health IT Policy Committee to disqualify a provider from meaningful use in any year in which they were fined for a significant (willful neglect or criminal) violation of HIPAA."
Security Controls
Mac McMillan, CEO of the consulting firm Cynergistek, contends the inspector general report "is absolutely correct in its observation that not enough attention has been given to general IT security controls and standards" in the EHR incentive program's stage one requirements.
While the stage one requirements focus on controls within EHR software, they don't address more general system controls, such as requiring two-factor authentication when remotely accessing a health IT system, the report says.
McMillan agrees, saying it's unrealistic to believe that a secure EHR can adequately protect patient information "within an unsecure enterprise." He adds: "Adopting electronic health records without appropriate protections will raise risks." And he says applying the HIPAA Security Rule, alone, is inadequate.
In contrast, security consultant Kate Borten, president of the Marblehead Group, argues that the best way to address the lack of security controls for EHRs and other systems is by "beefing up the HIPAA Security Rule, which applies to all covered entities and business associates. ... Keep in mind that many healthcare players subject to HIPAA are not affected by meaningful use [EHR incentive program rules]."
HIPAA Compliance
The inspector general's report on HIPAA enforcement made a splash by spelling out the results of seven hospital audits conducted. It used the deficiencies found in those audits, such as the lack of a firewall separating wireless from internal wired networks, to call attention to the need for ramped up HIPAA compliance reviews.
"Since these high-impact findings came from only seven hospitals, imagine how many more security problems could be found among other hospitals, and, even worse, at other provider organizations, such as long-term care facilities, clinics and doctors' offices, where real understanding of information security is generally weak," Borten says. "I don't believe compliance levels will improve significantly until audits and other enforcement activities are stepped up."
Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society, says the perceived lack of enforcement of the HIPAA Security Rule is often cited as one reason why security professionals at healthcare organizations are unable to gain sufficient funding for security measures. "Any visible increase in enforcement, coupled with publication of audit requirements or guidelines, would give folks leverage for increasing efforts on security," she says.
HIPAA Enforcement Funding
But AHIMA's Rode stresses that the Office for Civil Rights has not yet ramped up enforcement to a much higher level because of a lack of funding. Faced with limited resources, OCR has focused its efforts on investigating complaints and conducting reviews of the major breach incidents that have been reported, he notes.
And McMillan of Cynergistek argues that the inspector general's report was far too critical of OCR's enforcement efforts. He contends that the office, which took over HIPAA Security Rule enforcement from the Centers for Medicare & Medicaid Services in 2009, has done a far better job than CMS.
"OCR has closed more complaints, levied more corrective actions, conducted more investigations and has recently begun stepping up punishments," he notes. For example, OCR levied a $4.3 million civil monetary penalty against Cignet Health for a HIPAA privacy violation (see: HIPAA Privacy Fine: $4.3 Million).
An Office for Civil Rights spokesman offered a brief statement: "OCR takes our enforcement of the HIPAA Privacy and Security Rules seriously, and we hope our recent actions have sent a very clear message to covered entities and their business associates regarding the importance of compliance." The spokesman says OCR is evaluating the inspector general's report, which it asserts focused primarily on CMS' enforcement policies.
OCR is continuing work on a HITECH-mandated HIPAA compliance audit program, which is long overdue. Last week, Susan McAndrew, deputy director for health information privacy at OCR, said the office was preparing to hire a contractor to test one model for the audits, but she did not specify when the program will begin (see: Breach Rule Enforcer Offers Advice).
Unless a relatively large number of organizations are audited under that new program, it may not serve as a major compliance catalyst, McMillan argues. So he calls for even higher fines for non-compliance than those already called for under the HITECH Act, as well as Medicare reimbursement penalties for non-compliance.
Privacy, Security Education
AHIMA's Rode says a key element of any effort to protect EHRs is education. For example, he calls on OCR to publish a list of key lessons learned based on the major breaches it has investigated.
Meanwhile, ONC's Pritts acknowledges that the OIG reports are serving a valuable purpose: "The OIG reports have done a very good job of raising the awareness of very important privacy and security issues that need to be attended to now."