Three Things You May Not Know About the HITECH Act...But Should

From Healthcare IT News, published in partnership with HIMSS, June 16, 2010 - Mahmood Sher-Jan, Senior Director of Product Management, ID Experts - There has been much discussion around the HITECH Act and what it means since the enactment of ARRA last year. It is now widely known that the Department of Health and Human Services has issued regulations for breach notification by covered entities under HIPAA. Yet unlike the poor enforcement record of HIPAA regulations, the new HITECH Act provides for substantial financial penalties for failing to comply with these rules. And we are seeing that these penalties are actually starting to be enforced.

In order to avoid these penalties and demonstrate compliance, healthcare organizations must have documented policies and procedures, assigned responsibilities for privacy and security, and ongoing training for staff. Keeping track of a myriad of federal and state laws and regulations concerning patient and staff privacy is necessary but clearly challenging -- especially when there is often insufficient guidance for compliance, conflicting terminology, and/or rules that are open to multiple interpretations. Here are three important things you may not know about the HITECH Act, and should, in order to keep up with the evolving regulatory landscape:

* Risk assessment (general vs. incident-specific)
* Data sensitivity and context
* Notification (requirement vs. courtesy)

1. Risk Assessment (general vs. incident-specific). Organizations subject to the HITECH Act are required to conduct general HIPAA privacy and security risk assessments annually, document their results, and take proactive steps to reduce the risk of unauthorized exposure of protected health information (PHI). However, organizations may not be aware that they are also expected to conduct an incident-specific risk assessment when a data breach incident occurs -- think of it as a post-breach risk assessment.

This incident risk assessment will determine whether the breach poses a "significant risk of financial, reputation, or other harm to the affected individuals." It is ironic that medical harm is not explicitly called out, but it is safe to assume that it is implied. Notification is only necessary if this harm standard is met. Organizations are struggling with how to conduct this type of risk assessment given the lack of sufficient guidance on the rules, and might consider experts who can work with them to provide compliant data security incident risk assessments.

Some organizations have developed a decision tree, but the process lacks adequate consistency and a documented audit trail. It is important to understand these two very distinct types of risk assessments -- general vs. incident-specific -- as each carries its own unique objectives, framework, and considerations.

2. Sensitive data and context. Privacy is all about balancing the rights of individuals and their PHI and the obligations of healthcare entities and their business associates that process PHI. But did you know that not all PHI data is equal? We tend to think of PHI as the 16 data elements that are defined as "direct identifiers," or data that can be used to identify individuals. These are considered the most sensitive and subject to mandatory notification when exposed unsecured.

However, there are many other data elements, such as diagnostic information, that are processed by healthcare organizations and are also considered PHI but are often considered less sensitive. The key to remember is that the sensitivity of data elements depends on the context in which the data is compromised and whether the data can be used to identify the individual. For example, name, address, and clinic visit date may pose a low risk of harm under ordinary circumstances. However, if the same information were associated with a celebrity's visit to a substance abuse treatment center, it could pose "significant" reputational harm.

When assessing harm, it is important to consider all dimensions including reputational, health, and financial harm.

3. Notification (requirement vs. courtesy). When it comes to breach notification, you may not know that you need to consider state privacy laws and standards in addition to complying with the HITECH Act. Today five states -- Arkansas, California, Missouri, Virginia, and Texas -- have privacy laws that include PHI. But did you know that out of these states only two, Virginia and Missouri, require attorney general notification? In addition to the HITECH Act notification requirements, these states require attorney general notification if more than 1,000 individuals are affected.

Unfortunately, the HITECH Act obligations are not always simple to follow, especially when the state laws establish different standards. While notifying the Department of Health and Human Services is mandated, notification to a state's attorney general is often considered a courtesy, except for those few states with PHI notification laws. However, there is a growing expectation for many local and state agencies to be notified regardless of the size and severity of the breach incident.

So each organization needs to make a determination about the benefit and risk of these courtesy notifications, since they can result in additional inquiries and disclosures. In short, this is just one more growing complexity and risk when dealing with data breach incidents.
