By Christina Stacey Brussalis
On May 17, The Hill Group, Inc. partnered with the Hospital Council of Western Pennsylvania to provide an informative panel discussion, HIPAA & HITECH: Navigating an Uncertain Regulatory Environment. The standing-room only event brought together a distinguished and knowledgeable panel of healthcare industry leaders that included U.S. Congressman Jason Altmire (PA-4); Highmark chief information security officer Jim Ansell; Bob Barrett of eClinical Works; Vale-U-Health CEO Sue Flynn; John Kalafut, Director of Healthcare Informatics Research and Strategy for MEDRAD, Inc.; and Hill Group consultant Scott Rogerson.
Panelists explored approaches taken by organizations to comply with new and anticipated federal patient privacy and information security mandates and to avoid costly monetary penalties, which have increased dramatically. Discussion also addressed the future state of Healthcare Information Technology (Health IT), the related security and privacy considerations, and impact on the strategies of healthcare providers, payors, and vendors.
The complications of protecting sensitive information as it follows the patient are exacerbated by the need to move data between electronic and hardcopy mediums. The cross-section of perspectives represented on the panel highlighted the many stakeholders impacted by the evolving regulations and the unique solutions developed by each in addressing current and future regulatory challenges.
Panelists agreed that, while technology plays a part in providing the tools for compliance, developing a workplace culture aware of security and privacy issues can be even more valuable. “There remains a vast amount of gray area in interpreting the standards,” said Hill Group consultant Scott Rogerson. “It is having confidence that the individual faced with a difficult situation is able to make the right decision without causing drastic delays in the process that provides the greatest return on investment.”
The uncertain regulatory environment faced by the nation’s healthcare community is the result of deadlines for meaningful use, expected migration to a “pay for performance” model of healthcare reimbursement, and a lack of clarity due to delays in a long-awaited announcement expected later this year by the U.S. Department of Health and Human Services (HHS). The announcement will clarify rules that, under the 2009 Health Information and Technology for Economic and Clinical Health Act (HITECH), will significantly change Health Insurance Portability and Accountability Act (HIPAA) patient privacy and information security requirements.
Under the new law, HHS has stricter enforcement capabilities and can now impose larger monetary penalties for privacy and security violations. The new HITECH Act revisions allow HHS to impose fines up to $50,000 per violation, up significantly from the maximum $100 per violation allowed under the old law. In February 2011, HHS imposed civil monetary penalties for HIPAA noncompliance for the first time, when Cignet Health and Massachusetts General Hospital were fined $4.3 million and $1 million, respectively, under the new penalty structure. Despite the risk of stricter enforcement and penalties, 70 percent of hospitals do not have protecting patient information as one of their top priorities, according to a 2010 Ponemon Institute Study.
“While future regulation remains uncertain,” said Rogerson, “the intent of the regulation has gone unchanged—to promote greater trust between patients and their healthcare providers.” According to HHS, the new HITECH Act enforcement provisions will encourage healthcare providers and other entities to develop programs that “prevent, detect and quickly correct violations of the HIPAA rules.” The provisions also provide healthcare consumers with greater confidence that their personal health information will be protected.
“I have seen firsthand the potential for savings and improved quality of care that can be achieved through the use of health information technology,” Congressman Altmire said. “When doctors have immediate access to complete and up-to-date medical histories through electronic records, they can make better informed decisions on how best to treat their patients. As the use of health IT expands, we need to make sure that patients are reassured that their personal health information will be safeguarded.”
Continued delays with announcement of HHS’s final rules and uncertainty regarding future regulation have forced the healthcare community to anticipate the scope of these upcoming modifications and to move forward with new and expanded information security policies and practices to better prepare themselves for future compliance. While it is critical for organizations to become compliant with privacy regulations, the measures used to ensure compliance should integrate with organizational policies and procedures that can be quickly modified if future regulations warrant.
Rogerson, a certified information systems auditor, explained, “In order to develop a defensible strategy to address current and future security and privacy concerns, it remains clear that organizations must focus on complying with current regulations while being adaptable to future requirements in their strategy development and execution.”
For more information, please contact The Hill Group, Inc. at 412.722.1111.