Sarah Kim
December 9, 2015
HIPAA for Small Healthcare Providers
Introduction
The advent of electronic health records (EHRs) has allowed an increasing number of
processors and providers in the health care industry access to patients’ personal health
information. The accessibility of such information has streamlined the health care delivery
process and allowed patients better control over their personal health through cloud-based
applications. But it has also contributed to a rise in breaches, as the high value of personal health
records, combined with a poor track record for security, makes healthcare organizations a ripe
target for cybercriminals.
In 2009, the U.S. government passed the Health Information Technology for Economic
and Clinical Health Act (HITECH) not only to promote the adoption of EHR systems but also to
address privacy and security concerns related to EHRs. This section of HITECH improved upon
an existing law, the Health Insurance Portability and Accountability Act (HIPAA), by mandating
that healthcare organizations and their business associates safeguard electronic protected health
information (PHI)—whereas HIPAA previously referred to paper PHI—and report large data
breaches to the government and affected individuals.
The updates to HIPAA represent a much-needed step in assigning accountability and
creating general security guidelines for healthcare information technology. However, upon closer
examination, it becomes apparent that HIPAA tends to penalize a segment of the healthcare
industry that is not yet equipped for data security. That is, smaller practices and community
hospitals struggle to comply with HIPAA because they have difficulty understanding the law,
implementing security standards, and justifying the costs. Addressing this issue and better
ensuring compliance requires the revision of HIPAA; the full adoption of cloud-based EHRs; the
creation of better risk assessment tools; and the creation of a member-based forum to discuss
more specific issues associated with HIPAA and cybersecurity.
Cybersecurity in the U.S. Healthcare Industry
The Health Information Technology for Economic and Clinical Health (HITECH) Act
promoted the adoption of EHR systems through a two-pronged approach. First, the government
provided incentive payments to Medicare- and Medicaid-eligible professionals and hospitals that
adopted EHRs and applied for the incentive program. Second, in January 2015, the government
began levying financial penalties on Medicare and Medicaid providers that had not transitioned
to EHRs.[1]
HITECH catalyzed a massive shift from paper to digitized patient records. It also
contributed to a rise in interconnectivity between health devices and equipment—otherwise
known as the Internet of Things. In theory, this would create opportunities for integrated and
coordinated care in a fragmented industry; it would also provide more accurate patient
information, allowing physicians to offer better, individualized, and immediate care.
In reality, the transition to EHRs has placed a huge financial burden on healthcare
organizations and left them vulnerable to criminal attacks. In fact, cyberattacks on healthcare
organizations have increased by 125 percent since 2010.[2]
Cybercriminals have increasingly targeted healthcare organizations because they see a
large return on investment; an EHR, for example, is worth twenty to fifty times a credit card
number because it contains a wealth of personal information—including a patient’s social
security number, health records, drug administration information, and payment data.[3] The
interconnectivity of devices—many of which were designed without security in mind[4]—and the
tendency to cluster together the storage of personal information create multiple attack nodes for
cybercriminals.
A lackluster security culture among healthcare organizations makes them an even more
enticing target for cybercriminals. In fact, the healthcare industry experiences more breaches
than any other industry, with around ninety percent of healthcare organizations having been
victims of a cyberattack in the past two years[5]—yet according to research from the Ponemon
Institute, most healthcare organizations and their business associates did not express concern
about cyberattacks. Ideally, healthcare companies should spend between ten and forty percent of
their information technology budgets on security—but the industry-wide average is only three
percent.[6] While many healthcare organizations report that this is due to insufficient budget and
resources to invest in IT security, these statistics are cause for concern and reveal the lax culture
of security in the industry.

[1] "EHR Incentives and Certification." HealthIT.gov. U.S. Department of Health and Human Services, n.d. Web. 09 Dec. 2015.
[2] Ponemon Institute. "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data." ID Experts, May 2015. Web. 9 Dec. 2015, 1.
[3] United States. FBI. Cyber Division. Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions. N.p.: n.p., 2014. Print.
[4] Warner, Jon. "Cyber-Security in the Healthcare Industry." RX4 Group, 26 Oct. 2015. Web. 9 Dec. 2015.
[5] McCann, Erin. "Healthcare Data Breaches on the Rise." HealthcareITNews. HIMSS Media, 6 Dec. 2012. Web. 9 Dec. 2015.
Negligence and resource constraints leave EHRs ripe for theft, and the costs are high. For
a victim of EHR theft, the average out-of-pocket cost is around $13,500; for the healthcare
industry overall, breaches cost about $6 billion per year.[7] Thus, the state of healthcare
cybersecurity makes a policy initiative necessary to raise awareness, create accountability, and
guide healthcare organizations in implementing security standards.
HIPAA and HITECH
HIPAA was originally enacted in 1996 to maintain the privacy and security of patients
and their PHI. HITECH enhanced the provisions and enforcement of HIPAA by including
protection of electronic PHI, requiring healthcare organizations to report large data breaches to
the government and affected individuals, and establishing stricter penalties based on the severity
of HIPAA violations. The Final Omnibus Rule of 2013 expanded the scope of HIPAA to include
business associates, or organizations that work with or provide services to healthcare
organizations, including health information exchanges and data analysis service providers.
In its current form, HIPAA defines the circumstances under which a patient’s PHI may
be disclosed; mandates that healthcare organizations establish policies and procedures for
handling patient information; and requires healthcare organizations to implement a variety of
security standards and plan responses to data breaches. Requirements for healthcare
organizations also include conducting periodic risk and vulnerability analyses in accordance with
NIST standards, assigning a “security official” who is responsible for developing and
implementing security policies and procedures, and creating unique codes to track user identities.
The Office of Civil Rights (OCR) performs audits randomly and in response to
complaints that a healthcare organization or business associate has violated HIPAA’s provisions.
Penalties for HIPAA violations are tiered depending on the nature and extent of the violation and
the severity of harm resulting from that violation. Penalties can range anywhere from $100 to
$50,000 per violation, and organizations can incur a maximum penalty of $1.5 million per year.[8]

[6] Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico. N.p., 1 June 2015. Web. 09 Dec. 2015.
[7] Ibid.
Gaps in the Regulatory Environment
Large hospitals and insurers are more likely to benefit from HIPAA and invest in the
security of PHI. Not only do they have the resources to make such investments, they are also
more conscious of the negative media attention that follows a breach. But
small healthcare providers—that is, private practices and community hospitals—struggle to
comply with HIPAA.[9]
Ideally, healthcare companies should spend between ten and forty percent of their
information technology budgets on security—but the industry-wide average is only three
percent.[10] Small providers, which have low profit margins and limited staffing, likely invest even
less than that. Thus, unlike larger healthcare organizations, small providers are unable to
sufficiently allocate resources to important initiatives like hiring a knowledgeable “security
official” to assist them in the technical aspects of HIPAA or hiring an independent consultant or
auditor to perform an effective risk assessment.
Moreover, while health professionals excel at protecting patient privacy, many simply do
not know or understand how to comply with the security aspect of HIPAA. Healthcare already
lags behind other industries with regards to technology. HIPAA is a complex law and its
technical provisions may be confusing and difficult to understand for small providers who lack
technological savvy. Many providers still have difficulty navigating EHRs even though they
have had several years to adjust to the new systems—yet they were required to be compliant with
HIPAA within just six months.[11]
While NIST guidelines provide a general, user-friendly framework for tackling
cybersecurity risks, they are not tailored to the healthcare industry, much less to small providers.
Because the burden of implementing security standards in a short time frame lies on the
physician or the head of the community hospital, it is vital that they have clearer guidance
tailored to their industry, size, and segment so they can better understand exactly what policies
and procedures they need to enforce.

[8] "HIPAA Violations and Enforcement." American Medical Association, n.d. Web. 09 Dec. 2015.
[9] "OCR to Begin Phase 2 of HIPAA Audit Program." McDermott Will & Emery, 29 July 2014. Web. 9 Dec. 2015.
[10] Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico. N.p., 1 June 2015. Web. 09 Dec. 2015.
[11] Irving, Frank. "Docs Say How They Really Feel About EHRs." Healthcare IT News, 13 Nov. 2014. Web. 09 Dec. 2015.
Exacerbating the lack of understanding is the lack of existing tools to help small
providers assess risk. For the overall industry, the majority of organizations report that their risk
assessments following security incidents were either an ad hoc process or a manual process
developed in-house.[12] Therefore, it would be helpful for small providers to have access to
automated, healthcare-specific tools rather than having to internally develop tools that may be
insufficient.
Finally, small providers are dangerously complacent. Many small providers do not
believe that their small practice or hospital could be of interest to cybercriminals when there are
larger targets out there.[13] Penalizing these small practices for breaches is not enough to create a
sense of urgency about implementing security standards before it is too late.
HIPAA is problematic because small providers are not yet ready to comply with its
provisions. Penalties for noncompliance are not enough to encourage learning and
implementation of sufficient security standards, as small providers currently do not have the
capability to do so. Thus, other initiatives must be taken to supplement HIPAA and address the
gaps in the existing regulatory environment. The solutions for addressing the current problems in
the regulatory environment must be easy to understand, trustworthy, and cost- and time-effective.
Addressing the Gaps in HIPAA
1. Clarify HIPAA
For many providers, being HIPAA-compliant is difficult because it is a complex law.
Checklists for audit preparation may be simple for an individual who has a basic understanding
of information security, but may be too complicated for physicians who have not had any
experience with cybersecurity. The NIST framework is broad and meant to be a starting point for
approaching cybersecurity risks.[14] Other, more healthcare-specific frameworks that integrate the
NIST framework with HIPAA guidelines do exist, but they still fall short. The organizations that
are addressed in HIPAA are extremely diverse, ranging from large hospitals, to medical billing
companies, to small private practices. Even a general healthcare-specific framework is
insufficient in clarifying HIPAA and the security policies and procedures required for each unique
case.

[12] Ponemon Institute. "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data." ID Experts, May 2015. Web. 9 Dec. 2015, 5.
[13] Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico. N.p., 1 June 2015. Web. 09 Dec. 2015.
[14] Sorebo, Gib. "HITRUST or High Risk? The Health Information Trust Alliance's Common Security Framework." RSA Conference, 14 May 2014. Web. 09 Dec. 2015.
A possible solution to the confusion caused by HIPAA’s vague provisions is to reword
HIPAA and create separate guidelines that are relevant to the size, maturity, and segment of the
organization. These guidelines should include, in clear language, how to perform risk
assessments and educate staff on basic security practices. Revising HIPAA requires a significant
investment of time for the government, but the payoff would be high as small providers and
other organizations better understand how to be compliant.
2. Increase Adoption of Cloud-Based EHRs
While most providers have already adopted cloud-based EHRs, thousands still have not
yet moved to the cloud and instead use server-based EHRs.[15] This presents a cause for concern
when considering the vulnerability of healthcare organizations and the large number of patient
records housed in each practice, regardless of the size of the practice. Thus, achieving higher
adoption rates of cloud-based EHRs should serve as a simple first step toward compliance with
HIPAA.
Cloud-based EHR systems are already HIPAA-compliant and are better equipped for data
protection. Practices relying on client-server systems are more susceptible to human error and
system failures, leading to loss of critical patient data, whereas cloud-based EHR systems are
backed up remotely. Unlike client-server systems, cloud-based EHRs enhance data security
through encryption. Moreover, cloud-based EHR systems are much cheaper than client-server
systems; some of the most trusted cloud-based EHR systems, such as Practice Fusion, are free.[16]
Moreover, the opportunities for analysis of de-identified data and integration across
devices improve overall health outcomes for patients. Cloud-based EHRs collect large amounts
of data that can be used to understand patients’ health decisions, compare a patient’s case and
possible treatments with those of a similar demographic, and use aggregated data to focus on
preventative care.
[15] Jayanthi, Akanksha. "Cloud-Based EHRs Deemed Physician Favorites." Becker's Health IT & CIO Review. Becker's Healthcare, 4 June 2015. Web. 09 Dec. 2015.
[16] Congdon, Ken. "The Truth Behind 'Free' EHRs." Health IT Outcomes. N.p., 25 Jan. 2013. Web. 9 Dec. 2015.
Integration across devices also improves health outcomes in two ways. First, it makes the
care delivery process more efficient by reducing the burden of communication among healthcare
organizations (from the insurance company to the doctor). Second, it allows patients to have
greater control over their own health. And patients do value having this control. For example,
Hello Health is another free cloud-based EHR that places the burden of the cost on the patients—
about $36 to $120 per year to support the platform. Patients willingly pay this cost because they
enjoy the benefits that Hello Health offers, including online scheduling and video conferences
with their physicians in lieu of an office visit.[17]
Thus, cloud-based EHR systems are a cost-effective method of offloading the more
technical security risks onto more experienced vendors, and they improve the quality of care
delivered. It is important that cloud-based EHR platforms capture the remainder of the market by
aggressively advertising to those practices that still rely on server-based EHRs. Convincing these
physicians requires earning their trust by highlighting the cost savings, the risk of a breach
relative to server-based platforms, and the value added to patients.
3. Create Incentives for Research and Development for Risk Assessment Tools
Most risk assessment tools in healthcare are created manually or in-house, which may not
be sufficient to get a holistic understanding of gaps and vulnerabilities in a given provider’s
system. The Office of the National Coordinator for Health Information Technology (ONC) has
created a risk assessment tool that is hundreds of pages—which may be holistic but is certainly
cumbersome.
If small providers could access more user-friendly risk assessments, they would be likely to
perform these risk assessments more often. Thus, it is vital that such tools be
automated, cost- and time-effective, and segment-specific—which requires incentives. Grants
from the government or even from nonprofits that award grants for innovations in healthcare—
including the Robert Wood Johnson Foundation and Johnson & Johnson Innovation—would create
these incentives for private research and development into more specific risk assessment tools.
4. Raise Awareness and Educate Providers
[17] Congdon, Ken. "The Truth Behind 'Free' EHRs." Health IT Outcomes. N.p., 25 Jan. 2013. Web. 9 Dec. 2015.
Even if HIPAA were to be reworded, it could not possibly cover every case and
organization that is subject to the law. And it may not necessarily change the complacency of
some small providers. Thus, small providers would benefit from additional information that may
be more specific or more relevant to their size, maturity, segment, and current security policies.
Health professionals and experts in information security should collaborate in a forum
created by and for members. A healthcare-specific Information Sharing and Analysis Center
(ISAC) currently does exist, but because it works closely with government, health professionals
may be reluctant to share information in the event that they may be penalized for disclosing
incidents.[18]
Instead, the new forum must be privately owned and ensure that all members are certified
health professionals or IT security experts. Health professionals would be encouraged to
anonymously share incidents, experiences, security strategies, and concerns about HIPAA
compliance. In turn, their peers and cybersecurity experts could respond with advice and
experiences of their own.
Anonymous information- and incident-sharing resolves the issue of complacency because
health professionals would be able to learn about real examples from relatable peers. Moreover,
information- and incident-sharing creates opportunities to learn from and develop best practices
in healthcare IT security.
Conclusion
There can never be a guarantee that an organization is completely secure. But reworking
HIPAA, ensuring the adoption of better tools and technology, and utilizing trusted sources to
clear up confusion would mitigate the high risk that small providers currently face. Because the
idea of information security is relatively new to healthcare, these initiatives are a good first step
to becoming more secure. Ultimately, though, the goal is to make information security a norm
rather than a burden or requirement for the healthcare industry.
The norm of patient privacy already exists; doctors will not share patient information
without consent. Not only is it unethical and illegal to do so, it also undermines patient trust—
which is unique to healthcare organizations and essential to the survival of a provider’s business.
It is likely that patient trust will become an important aspect in turning security into a norm. A
breach or loss of patient data will undermine that trust, and patients will no longer have
confidence that their provider is capable of improving health outcomes. Thus, security will
become a norm, not just because it saves costs and prevents loss of data, but also because it is an
important part of forming a relationship of trust with patients.

[18] Vamosi, Robert. "Making Incident Sharing Anonymous and Across Industries." Forbes. N.p., 17 Nov. 2015. Web. 9 Dec. 2015.
Works Cited
"About HITRUST." HITRUST, n.d. Web. 9 Dec. 2015.
Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico. N.p., 1 June 2015. Web. 09 Dec. 2015.
Congdon, Ken. "The Truth Behind 'Free' EHRs." Health IT Outcomes. N.p., 25 Jan. 2013. Web. 9 Dec. 2015.
"EHR Incentives and Certification." HealthIT.gov. U.S. Department of Health and Human Services, n.d. Web. 09 Dec. 2015.
"HIPAA Violations and Enforcement." American Medical Association, n.d. Web. 09 Dec. 2015.
"How Much Is This Going to Cost Me?" HealthIT.gov. U.S. Department of Health and Human Services, n.d. Web. 09 Dec. 2015.
Irving, Frank. "Docs Say How They Really Feel About EHRs." Healthcare IT News, 13 Nov. 2014. Web. 09 Dec. 2015.
Jayanthi, Akanksha. "Cloud-Based EHRs Deemed Physician Favorites." Becker's Health IT & CIO Review. Becker's Healthcare, 4 June 2015. Web. 09 Dec. 2015.
McCann, Erin. "Healthcare Data Breaches on the Rise." HealthcareITNews. HIMSS Media, 6 Dec. 2012. Web. 9 Dec. 2015.
"OCR to Begin Phase 2 of HIPAA Audit Program." McDermott Will & Emery, 29 July 2014. Web. 9 Dec. 2015.
Pittman, David. "E-Health Records Ripe for Theft." Politico. N.p., 13 July 2014. Web. 09 Dec. 2015.
Ponemon Institute. "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data." ID Experts, May 2015. Web. 9 Dec. 2015.
Sorebo, Gib. "HITRUST or High Risk? The Health Information Trust Alliance's Common Security Framework." RSA Conference, 14 May 2014. Web. 09 Dec. 2015.
United States. FBI. Cyber Division. Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions. N.p.: n.p., 2014. Print.
Vamosi, Robert. "Making Incident Sharing Anonymous and Across Industries." Forbes. N.p., 17 Nov. 2015. Web. 9 Dec. 2015.
Warner, Jon. "Cyber-Security in the Healthcare Industry." RX4 Group, 26 Oct. 2015. Web. 9 Dec. 2015.