Health IT Still Seeks a Security Blanket

MDNG Primary Care, October 2009, Volume 11, Issue 10

August has traditionally been a sleepy month for government regulatory agencies, but this year, Washington’s usual summer torpor was interrupted by a rush of new initiatives, as more than three-quarters of a trillion dollars from the American Recovery and Reinvestment Act surged into a mind-boggling range of projects. One of these efforts, the Health Information Technology for Economic and Clinical Health Act (HITECH), provides a billion-dollar bolus of funding for EHRs.

Speaking at an August 20 press conference, Secretary of Health and Human Services Kathleen Sebelius explained, “We’re announcing $1.2 billion in grants directed to two primary areas; the first is helping doctors and hospitals adopt electronic health records and get assistance from regional health centers, and the second is to help support health information exchange—help states set up systems where we’ll be able to communicate across the lines of healthcare agencies.” Sebelius added that “this is just the first wave of resources invested in health technology, aimed at really transforming our paper-driven system to an electronic system over the next several years.”

Health IT proponents cheered the new funding, but many have reservations about other aspects of the Act. In particular, HITECH is shining a spotlight on the problem of data security in health IT, an issue that has long been regarded as the field’s biggest challenge.

HIPAA reaches out

HHS officials agree. “Security is absolutely essential, it’s foundational, and we are tasked by the law to develop new methods and to examine technologies for assuring security, and we are going to be asking our health information technology policy committee to look directly at that subject in the very near future, so we understand that that’s critical,” said David Blumenthal, MD, National Coordinator for Health Information Technology.

Indeed, HITECH already implements some new security requirements. Most notably, the Act expands the coverage of the earlier Health Insurance Portability and Accountability Act (HIPAA). Previously, entities such as hospitals and clinics were covered by HIPAA, but their contractors, software vendors, and other business associates were not, a loophole that incensed many privacy advocates. Under HITECH, all of these business associates will now be subject to HIPAA’s stringent security requirements and legal penalties.

“HITECH is a real game changer with respect to the legal obligations of business associates, and it’s going to have a significant impact on business associate relationships and all vendor relationships,” says Reece Hirsch, a partner in the law firm of Morgan, Lewis, & Bockius in San Francisco, CA. Hirsch, who specializes in healthcare regulation, adds that “there are a whole host of new individual rights with respect to [personal health information] for patients, and... they all relate to rights of patients with respect to electronic health records.”

Most of the new rules will take effect in February, a deadline that has some vendors sweating. “For large business associate organizations like a major outsourcing company, let’s say, it’s highly likely that they’ve already implemented a comprehensive security compliance program, [but] for smaller business associates, particularly those who aren’t exclusively dedicated to the healthcare industry, they may have a lot of work to do, because between now and February 18, they’ll be required to get that kind of formal, comprehensive security compliance program in place,” says Hirsch, who recently presented a webinar reviewing the changes.

Although the business associate rules will affect most physicians indirectly, other HITECH measures will have a direct impact. For example, the new funding includes “almost $600 million of support for what are called regional extension centers... whose purpose is to support physicians and hospitals in the adoption and meaningful use of electronic health records, and... approximately $600 million in support for state-designated entities to promote health information exchange within their jurisdictions,” according to Blumenthal (http://tinyurl.com/yes4cgl).

Making tinfoil hats fashionable

HITECH also provides for a series of incentive payments for Medicare and Medicaid providers to spur them to adopt EHRs between 2011 and 2015, after which the government will begin penalizing those who have not adopted electronic records (see Timeline). For cash-strapped hospitals and overworked physicians, those dates appear imminent, but public health officials argue that deadlines are an essential component of the legislation.

“If you never have a deadline then you really will end up with people being all over the place; they might decide from one day to the next ‘well this isn’t such a priority if it doesn’t have to be done tomorrow, and we’ll use our resources somewhere else,’” says Rachel Block, Deputy Commissioner of Health Information Technology Transformation in the New York State Department of Health.

Block adds that meeting the deadlines will require individual doctors and hospitals, as well as state governments, to tackle data security problems at several levels simultaneously. “Policy is one issue, but we really need to look as well at the implementation, support, and the... institutional or cultural variables that might determine whether security is considered important or not,” she says. In other words, sophisticated encryption systems become useless if a doctor’s password is “password.”

To address those problems, New York and other states are now implementing a wide range of security measures to protect exchanges of health data between systems. “Ultimately, we will have audit policies and protocols, and we will be setting up monitoring systems to ensure that those audits are being conducted, and that any findings are followed up on,” says Block.

Those efforts don’t come cheap, though. New York’s state government and hospitals will spend close to a half-billion dollars on health IT implementation over the next four years, and other large states will likely see similar expenditures. Block says that the $1.2 billion in new federal funding from HITECH, while helpful, will still leave states, hospitals, and individual physicians picking up a big tab. One way New York has reduced the overall cost is by storing records in a federated network rather than a centralized database. Each clinic or hospital stores its own patient records, and data are only exchanged across the network in response to specific, authenticated requests. Besides spreading and reducing costs, this approach could also provide better security; a breach of one server will not affect patient data on other nodes of the network.

The briar patch

Potential data breaches are also a hot topic for federal regulators. In September, new HHS rules came into effect requiring data holders to notify patients when their information may have fallen into the wrong hands (http://tinyurl.com/m5ojt8). Any breach affecting more than 500 patient records triggers automatic notification of the media as well. The data breach rules are just the first of what will likely be a large body of new federal regulations on EHR security. At least 45 states already have laws covering various aspects of electronic health privacy (http://tinyurl.com/y8qecob), so a unified federal policy could actually simplify the regulatory situation—that is, if regulators can address some of the thorny questions still surrounding the issue.

Many of those questions came to light at a September 18 meeting of the HHS’s Health IT Policy Committee in Washington, DC, and the ensuing debate hinted at the challenge now facing regulators. For example, Deborah Peel, MD, founder of the bipartisan Coalition for Patient Privacy, asked the committee to implement a straightforward and stringent policy based on patient consent. In Peel’s formulation, each request to access a patient’s information would have to be approved by the patient, who could selectively segment the data for different levels of access.

However, Deven McGraw, Director of the Health Privacy Project at the Center for Democracy and Technology, argued that a purely consent-based system would fail: “It absolutely doesn’t surprise me that people in focus groups and in surveys say ‘give me control of the data,’ but consent doesn’t work as well to protect privacy as we would like it to.” She added that “healthcare doesn’t present us with good opportunities in a lot of cases to provide people with a meaningful right to say no.” Instead, McGraw advocates a robust framework of regulations—analogous to the security rules governing e-commerce websites—that would provide blanket prohibitions against certain types of abuse and also establish a strong enforcement mechanism to deal with violations.

Formulating such a framework will be tricky, though. While few patients would object to doctors having general access to their immunization or allergy records, other types of information may need to be compartmentalized, and not just for the patients’ sake. “Our providers risk their personal safety by coming to work every day and doing their job,” said Eileen Twiggs, National Director of Information Systems and Technology at Planned Parenthood. Twiggs concedes, though, that simply walling off certain types of care will not solve the problem, as that information may become critical in a patient’s future treatment.

As the meeting wrapped up, at least two things were clear about health IT: electronic health records are on the way, and the debates surrounding their security will not cool off anytime soon.

Alan Dove is a freelance healthcare and science writer.