Playing Russian roulette - Insurance News | InsuranceNewsNet

September 29, 2014

Playing Russian roulette

By Grossman, Chris
Proquest LLC

The impact of HIPAA and HITECH on healthcare data governance.

In 1996, when the Health Insurance Portability and Accountability Act (HIPAA) came into effect, organizations did their best to comply. However, because HIPAA breaches are prosecutable under civil statutes and not considered criminal, HIPAA requirements were like setting a speed limit with no police officers to hand out speeding tickets. Recognizing the lack of specificity in the regulations and the absence of any teeth in its penalties, President Obama signed the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. The HITECH Act mandates stricter data protection regulations for improved patient privacy and data security. Moreover, when patient privacy has been violated, attorneys general can initiate criminal proceedings.

Business associates

The HITECH Act extended HIPAA requirements beyond "providers, payers and clearinghouses" to include business associates. As of the September 13, 2013, deadline, thousands of healthcare business partners must now understand not only the HITECH Act's breach notification requirements, but also how best to encrypt relevant data classifications. This includes all businesses and any subcontractors. So, if you do business with a hospital or doctor's office, your organization must also demonstrate HIPAA compliance when dealing with that organization.

Notification requirement

Among the most important of the HITECH Act mandates is the breach notification requirement for unencrypted health information. Amazingly, most health organizations today do not encrypt patient data stores, which means they are less secure. Developing a system that classifies, protects and provides secure access to data is paramount - and now for more than just direct healthcare providers.

Playing Russian roulette

Most organizations want to do the right thing, but many are so strapped for time and budget that they have not started to address compliance. The longer they wait, the worse it gets. In essence, they are playing Russian roulette with their data. If someone makes a complaint and a preliminary review of the facts indicates a possible violation due to willful neglect, the U.S. Department of Health and Human Services Office for Civil Rights can conduct a full compliance review to determine whether a covered entity or business associate is complying with the applicable requirements. When a violation is found to be the result of willful neglect, penalties are high. In fact, no penalty will be less than $50,000 for each violation, with an upper limit of $1,500,000 for identical violations during a calendar year.

The data governance imperative

For IT practitioners, the upshot of HIPAA and HITECH is a new imperative on the practice of data governance - the creation of a documented, identifiable system for data classification, retention and protection - whether in transmission or in storage. The system must demonstrate proactive compliance, and healthcare organizations must be able to demonstrate that their everyday transactional, back-up and storage processes actively preserve patient information security. These requirements for internal controls and an auditable information path are similar to those in the financial industry.

Technology plays a major role

Organizations that have unencrypted data back-up and recovery systems run the risk of exposing information through their data storage practices. To retain and secure electronic protected health information (ePHI), a full data archiving and recovery solution in combination with secure data stores can help.

To be proactively HIPAA compliant, an option is to add an eDiscovery solution. eDiscovery helps hospitals mitigate risks by allowing compliance with laws and regulations on PHI. They must be able to retrieve data, prove it has been retained suitably (audit trails) and, since hospitals often face lawsuits, they must be able to find and produce data for litigation while maintaining the privacy of any privileged PHI. A comprehensive eDiscovery solution can mitigate this risk, reduce the costs of producing and protecting information, and decrease the likelihood of lawsuits.

The main point here is being able to audit your data. Having a full audit trail of the data can allow a hospital to search data and see all interactions with that data. Being able to search data and see the audit trail can allow hospitals to identify policy violations.

Process is paramount

Technology on its own does not convey compliance. You cannot just go out and buy technology to provide a complete data governance solution. To make good governance decisions, it is necessary to separate technology considerations from the actual rules you put in place. Make the rules first, then implement technology to enforce them. To truly build a lasting, compliant and bullet-proof data governance policy, we recommend the following steps:

* Form a cross-functional data governance team.

* Classify your data and create policies around how each classification is handled.

* Create best practices for staff when handling PHI and PII in particular.

* Identify retention periods for each class.

* Create an audit subcommittee to perform checks throughout the year.

(To find out more about each of these, you can read the article "The Rise of Data Governance in Healthcare," June 2014, on HMT's website.)

Healthcare practitioners and institutions also need to take into consideration state laws related to patient records. When federal and state laws differ, hospitals should follow whichever state or federal rules are stricter. Compliance, privacy and security officers must constantly educate themselves about any updates to relevant laws and their policies regarding patients' medical records. Policies could include requiring documents with confidential information to be shredded, training for all personnel on HIPAA, eliminating password sharing, etc.

Staying ahead of evolving data types

The healthcare industry has been later to adopt social media and mobile communications than some other highly regulated industries such as financial services. The kind of information your organization generates and stores will alter as new forms of communication continue to evolve. How will you deal with patient-doctor SMS texts or emails, mobile apps, Facebook posts to your corporate page, LinkedIn group communications and many other forms of new data generated that will need policies?

Revisiting your existing data governance policies on a regular basis will reveal any gaps. To make adjustments to policies, you can look at other industries and how they have handled data generated in new ways.

Offloading the burden

There are fundamental differences between data back-up systems and data archiving systems. Back-up systems are based on folders, while data archiving systems are based on search techniques. A robust data governance strategy requires both backup and archiving to ensure the integrity of the data as well as the audit trail.

When your organization is required to produce electronically stored information for eDiscovery, your choice of storage system becomes even more critical.

The rise of hosted data archiving solutions offers an entirely different way to develop governance policies and to archive information - without taking on the trouble of buying and maintaining servers in-house. Hosted services provide a complete workflow based on the Electronic Discovery Reference Model (EDRM) and can help you create data governance policies that make sense for your business. These systems offer medical organizations the highest level of sophistication in the shortest period of time.

Improving access

HIPAA requires healthcare organizations to provide patient records within 30 days of their request, though if a doctor determines that providing the full record is not in the best interest of the patient, the physician may withhold certain parts of the record.

Healthcare authorities are increasingly enabling patient access to their own medical information. For example, in many states, patients can access their blood test results directly from data stores that labs feed. Most of these data portals offer a mobile app as well as Web access through a PC.

The question is, what is the best way to implement these access points and maintain compliance? Again, a data archiving system with built-in security will allow your organization to provide access to appropriate records more easily.

Data classifications

Restricted information or data is any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.

Examples of restricted data:

* Personal identity information (PII);

* Electronic protected health information (ePHI) protected by federal HIPAA legislation.

Chris Grossman, Senior VP Enterprise Applications, Rand Secure Data

Copyright:  (c) 2014 NP Communications, LLC
Wordcount:  1361
