HIPAA was all bark when it came to penalties for failing to protect personal health and financial records. HITECH is already showing some bite.
Connecticut Attorney General Richard Blumenthal grabbed headlines early this year with a high-profile legal shot fired over the bow of the health insurance industry and directly at Health Net of Connecticut.
Health Net publicly acknowledged last fall that a portable hard drive loaded with millions of documents related to the health and private financial records of its members had gone missing. Acting under the Health Information Technology for Economic and Clinical Health Act (HITECH) — federal legislation passed in early 2009, providing strict new measures on data protection — Blumenthal became the first attorney general in the nation to take advantage of the expanded enforcement powers of the security law when he brought a lawsuit claiming that Health Net not only had violated a new federal rule demanding prompt consumer notification of such breaches but also had failed to encrypt the data.
The actual loss of the data occurred in May, six months before the public was told, according to the attorney general, who made the claim just days after launching his bid for the Senate seat of Christopher Dodd. Both are Democrats; Dodd is retiring.
He excoriated the insurer for “foot-dragging” when it came to alerting its members.
At the beginning of March, the U.S. Department of Health and Human Services (HHS) followed up with a list of 41 separate instances in which covered entities under the law — generally plans, providers, clearinghouses, and the plans’ business associates (usually vendors) — reported security breaches in the previous five months. Several of the breaches included insurers, from the 528 health records from Brown University exposed to unauthorized access, to the 500,000 files that disappeared when a hard drive was stolen from a Blue Cross & Blue Shield of Tennessee training facility on Oct. 2, 2009.
For security experts, the Connecticut lawsuit and the spotlight now being trained on every security breach covered under HITECH highlight the dawn of a new era for health insurers. They spent years gaining a hard-won reputation as one of the best prepared of all industries in health care for guarding data. Now, any slip by a managed care organization — from an attack by hackers to the loss of a data disk — can expose a plan to a considerable amount of unwelcome attention, as well as the wrath of a new group of state enforcers.
“Before this law came out, some people might have detected a breach but they didn’t have to notify anyone,” says Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). “Now, because of increasing regulation, there is an increased focus on breaches and notification of breaches, and we’re just now getting a glimpse of what’s going on out there.”
Officials at Blue Cross & Blue Shield of Tennessee said that they were quick to notify members just days after thieves stole computer equipment loaded with patient data. They, like Health Net, emphasized that there was no indication that any of the records had been used for some nefarious purpose — or for any other purpose.
But that won’t deflect the new attention being given to something the experts see as a long-standing threat.
“This sector is a target,” says Gallagher. “Health records are rich with information about the patient. They include health information and financial information, Social Security numbers, and maybe credit cards. When there is financial identity theft, most of the required information is there. We also see medical identity theft where some records are stolen for obtaining medical care or getting care paid for.”
HITECH also unleashed a new set of consumer watchdogs when it empowered the country’s 50 attorneys general to get involved.
“The state attorneys general are a real wild card on this stuff,” says Kirk Nahra, a lawyer with Wiley Rein and a HIPAA expert who has been helping his health plan clients work on HITECH compliance. “They can do whatever they want. HHS stated they weren’t going to enforce it for six months, but that doesn’t bind the state, which is unfair.”
For others in the field, though, it is all long overdue.
“I view the HITECH Act as an extension of the HIPAA security rules,” says Brian Evans, director of program management for CynergisTek, a security consulting group that specializes in health care. “HIPAA security fell on its face. There was really no enforcement.” But HITECH added teeth to “the toothless rule” that was HIPAA.
“I can look back to the ’90s, when it was a challenge to get people to focus on the confidentiality of patient information,” adds Evans, who recently contributed a chapter on security to a new book from HIMSS. Back in 2005, when new HIPAA security rules were scheduled to go into effect, the feds did nothing and a lot of companies that were right on the cusp of compliance either backed away or just dropped the ball.
“You need to protect the data; that’s an obligation under the law,” says Gallagher. “Also, when there is a breach, you need to be prepared to deal with it and do right by your patients. There are more people watching this. You have to be on top of it. And there are a lot of consequences for not following the reporting laws.
“We’ll see more reports from HHS and see the trends,” adds Gallagher. But the message is clear: “It is time to comply and manage your risk actively.”
Of all the covered entities, though, health plans are one of the best positioned, Evans says.
“I would say plans are in a much better position, for various reasons,” Evans notes. “They’ve been more diligent in addressing the HIPAA security rule, providing leadership and execution. They have really focused on that from the get-go and realized it was a multiyear project way back when. I’m looking at health plans now that have been compliant with the HIPAA security rule and use them as an example to the provider side.”
Nahra asserts that, “The health care industry is on top of these new rules, but that doesn’t mean that everyone knows what to do every time. I’m getting a ton of questions from my clients about specific details related to risk, requirements, and the right things to do.”
But there aren’t always answers.
“HHS has promised to say what has to be included in new business associate agreements, and they haven’t yet,” Nahra noted in mid-March. “It is all over the map in terms of whether the contracts have been revised.”
Gallagher says that, “There is a real awareness issue.” At virtually every talk she gives on the subject, someone with a business associate relationship with a covered entity comes up and makes it clear that he or she has no clear understanding of what is happening.
“I’ve looked at business associates that do business with health plans and providers and it is more of a challenge for them,” agrees Evans. “They [sometimes] take care of patient information in a less than diligent manner.”
“The bottom line with business associates is that the statute is clear,” says Gallagher. “They are subject to the HIPAA security rule and portions of the privacy rule and have to disclose [breaches].”
Gallagher concedes that she is also waiting for the feds to dot all the I’s and cross all the T’s.
“We are waiting to hear from [the HHS Office of Civil Rights] on what the compliance audits will look like,” Gallagher adds. “They have said they are busy writing other regulations, but this is a big topic of interest. How will they conduct audits, who gets audited, and why?”