Sarah Kim
December 9, 2015
HIPAA for Small Healthcare Providers
Introduction
The advent of electronic health records (EHRs) has given an increasing number of processors and providers in the healthcare industry access to patients' personal health information. That accessibility has streamlined care delivery and given patients better control over their own health through cloud-based applications. But it has also contributed to a rise in breaches: the high value of personal health records, combined with the industry's poor security track record, makes healthcare organizations a ripe target for cybercriminals.
In 2009, Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH) not only to promote the adoption of EHR systems but also to address the privacy and security concerns that come with them. HITECH's privacy and security provisions strengthened an existing law, the Health Insurance Portability and Accountability Act (HIPAA): they made business associates directly responsible for safeguarding electronic protected health information (PHI) alongside the healthcare organizations they serve, raised the penalties for violations, and required organizations to notify affected individuals of breaches of unsecured PHI and to report large breaches to the government.
The updates to HIPAA are a much-needed step toward assigning accountability and setting general security guidelines for healthcare information technology. On closer examination, however, HIPAA tends to penalize a segment of the industry that is not yet equipped for data security: smaller practices and community hospitals struggle to comply because they have difficulty understanding the law, implementing its security standards, and justifying the costs. Addressing this problem and improving compliance requires revising HIPAA, driving full adoption of cloud-based EHRs, creating better risk assessment tools, and establishing a member-based forum to discuss the specific issues of HIPAA and cybersecurity.
Cybersecurity in the U.S. Healthcare Industry
The Health Information Technology for Economic and Clinical Health (HITECH) Act promoted the adoption of EHR systems through a two-pronged approach. First, the government offered incentive payments to eligible professionals and hospitals that adopted certified EHRs and demonstrated meaningful use under the Medicare and Medicaid EHR Incentive Programs. Second, beginning in January 2015, Medicare started reducing payments to eligible providers that had not made the transition (the Medicaid program carries no such penalty).[1]
HITECH catalyzed a massive shift from paper to digitized patient records. It also
contributed to a rise in interconnectivity between health devices and equipment—otherwise
known as the Internet of Things. In theory, this would create opportunities for integrated and
coordinated care in a fragmented industry; it would also provide more accurate patient
information, allowing physicians to offer better, individualized, and immediate care.
In reality, the transition to EHRs has placed a heavy financial burden on healthcare organizations and left them exposed to criminal attacks. Cyberattacks on healthcare organizations have increased by 125 percent since 2010.[2]

Cybercriminals increasingly target healthcare organizations because the return on investment is high: an EHR, for example, is worth twenty to fifty times a credit card number because it contains a wealth of personal information, including a patient's social security number, health history, medication records, and payment data.[3] The interconnection of devices, many of which were designed without security in mind,[4] and the tendency to centralize the storage of personal information give cybercriminals multiple points of entry.
A lackluster security culture makes healthcare organizations an even more enticing target. The healthcare industry experiences more breaches than any other, with around ninety percent of healthcare organizations having been the victim of a cyberattack in the past two years,[5] yet according to research from the Ponemon Institute, most healthcare organizations and their business associates did not express concern about cyberattacks. Ideally, healthcare companies should spend between ten and forty percent of their information technology budgets on security, but the industry-wide average is only three percent.[6] Many healthcare organizations attribute this to insufficient budget and resources for IT security, but the figures still reveal a lax security culture across the industry.

[1] "EHR Incentives and Certification." HealthIT.gov. U.S. Department of Health and Human Services, n.d. Web. 9 Dec. 2015.
[2] Ponemon Institute. "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data." ID Experts, May 2015. Web. 9 Dec. 2015, 1.
[3] United States. FBI. Cyber Division. Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions. 2014. Print.
[4] Warner, Jon. "Cyber-Security in the Healthcare Industry." RX4 Group, 26 Oct. 2015. Web. 9 Dec. 2015.
Negligence and resource constraints leave EHRs ripe for theft, and the costs are high. For a victim of EHR theft, the average out-of-pocket cost is around $13,500; for the healthcare industry overall, breaches cost about $6 billion per year.[7] The state of healthcare cybersecurity thus calls for a policy initiative to raise awareness, create accountability, and guide healthcare organizations in implementing security standards.
HIPAA and HITECH
HIPAA was enacted in 1996; its administrative simplification provisions led HHS to issue the Privacy Rule (2000) and the Security Rule (2003), which set the standards for protecting patients and their PHI. HITECH strengthened these provisions and their enforcement by making business associates directly liable for safeguarding electronic PHI, requiring healthcare organizations to notify affected individuals and the government of data breaches, and establishing a tiered penalty structure based on the severity of a HIPAA violation. The Final Omnibus Rule of 2013 implemented these changes and extended HIPAA's obligations to business associates, meaning organizations that handle PHI on behalf of healthcare organizations, including health information exchanges and data analysis service providers.
In its current form, HIPAA defines the circumstances under which a patient's PHI may be disclosed (the Privacy Rule); requires healthcare organizations to establish policies and procedures for handling patient information; and requires them to implement administrative, physical, and technical safeguards for electronic PHI and to plan their response to security incidents and breaches (the Security Rule and the Breach Notification Rule). Specific requirements include conducting periodic risk analyses (HHS points to NIST guidance on how to perform them, although the law itself does not mandate a particular methodology), designating a security official responsible for developing and implementing security policies and procedures, and assigning each user a unique identifier so that access to electronic PHI can be tracked and audited.
[5] McCann, Erin. "Healthcare Data Breaches on the Rise." Healthcare IT News. HIMSS Media, 6 Dec. 2012. Web. 9 Dec. 2015.
[6] Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico, 1 June 2015. Web. 9 Dec. 2015.
[7] Ibid.
The HHS Office for Civil Rights (OCR) enforces HIPAA through a periodic audit program and through investigations of complaints and reported breaches alleging that a healthcare organization or business associate has violated HIPAA's provisions. Penalties are tiered according to the nature of the violation and the organization's level of culpability, ranging from $100 to $50,000 per violation, with a maximum of $1.5 million per calendar year for violations of the same provision.[8]
Gaps in the Regulatory Environment
Large hospitals and insurers are better positioned to meet HIPAA's requirements and to invest in the security of PHI. Not only do they have the resources to make such investments, they are also more sensitive to the negative media attention that follows a breach. Small healthcare providers, that is, private practices and community hospitals, struggle to comply with HIPAA.[9]
Given that the industry-wide average security spend is only about three percent of IT budgets, far below the recommended ten to forty percent,[10] small providers, with their low profit margins and limited staffing, likely invest even less. Unlike larger healthcare organizations, they cannot afford initiatives such as hiring a knowledgeable security official to handle the technical aspects of HIPAA or engaging an independent consultant or auditor to perform an effective risk assessment.
Moreover, while health professionals excel at protecting patient privacy, many simply do not know how to comply with the security side of HIPAA. Healthcare already lags behind other industries in its use of technology, and HIPAA's technical provisions can be confusing and difficult for small providers without technical expertise. Many providers still have difficulty navigating EHRs even after several years of adjusting to the new systems, yet they were required to become HIPAA-compliant within just six months.[11]
[8] "HIPAA Violations and Enforcement." American Medical Association, n.d. Web. 9 Dec. 2015.
[9] "OCR to Begin Phase 2 of HIPAA Audit Program." McDermott Will & Emery, 29 July 2014. Web. 9 Dec. 2015.
[10] Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico, 1 June 2015. Web. 9 Dec. 2015.
[11] Irving, Frank. "Docs Say How They Really Feel About EHRs." Healthcare IT News, 13 Nov. 2014. Web. 9 Dec. 2015.
While the NIST guidelines provide a general, user-friendly framework for managing cybersecurity risk, they are not tailored to the healthcare industry, much less to small providers. Because the burden of implementing security standards in a short time frame falls on the physician or the head of the community hospital, they need clearer guidance tailored to their industry, size, and segment so they understand exactly which policies and procedures to put in place.
Exacerbating the lack of understanding is the lack of tools to help small providers assess risk. Across the industry, most organizations report that their risk assessments following security incidents were either an ad hoc process or a manual process developed in-house.[12] Small providers would therefore benefit from automated, healthcare-specific tools rather than having to build their own, which may be inadequate.

Finally, small providers are dangerously complacent. Many do not believe that their small practice or hospital could be of interest to cybercriminals when larger targets exist.[13] In practice, most attacks are opportunistic: phishing campaigns and scans for exposed or unpatched systems do not discriminate by the size of the practice. Penalizing small practices after a breach is not enough to create a sense of urgency about implementing security standards before it is too late.
HIPAA is problematic because small providers are not yet ready to comply with its provisions. Penalties alone do not produce learning and implementation of adequate security standards, because small providers currently lack the capability to implement them. Other initiatives must therefore supplement HIPAA and address the gaps in the existing regulatory environment. Those solutions must be easy to understand, trustworthy, and cost- and time-effective.
Addressing the Gaps in HIPAA
1. Clarify HIPAA
For many providers, being HIPAA-compliant is difficult because HIPAA is a complex law. Audit-preparation checklists may be simple for someone with a basic understanding of information security, but too complicated for a physician who has had no experience with cybersecurity. The NIST framework is broad and meant to be a starting point for approaching cybersecurity risk.[14] Other, more healthcare-specific frameworks that integrate the NIST framework with HIPAA requirements do exist, but they still fall short. The organizations covered by HIPAA are extremely diverse, ranging from large hospitals to medical billing companies to small private practices, and even a healthcare-specific framework cannot clarify, for each of them, which security policies and procedures HIPAA requires.

[12] Ponemon Institute. "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data." ID Experts, May 2015. Web. 9 Dec. 2015, 5.
[13] Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico, 1 June 2015. Web. 9 Dec. 2015.
A possible solution to the confusion caused by HIPAA’s vague provisions is to reword
HIPAA and create separate guidelines that are relevant to the size, maturity, and segment of the
organization. These guidelines should include, in clear language, how to perform risk
assessments and educate staff on basic security practices. Revising HIPAA requires a significant
investment of time for the government, but the payoff would be high as small providers and
other organizations better understand how to be compliant.
2. Increase Adoption of Cloud-Based EHRs
While most providers have already adopted cloud-based EHRs, thousands still use server-based EHRs hosted in the practice.[15] This is a cause for concern given the vulnerability of healthcare organizations and the large number of patient records held by each practice, regardless of its size. Achieving higher adoption of cloud-based EHRs should therefore be a simple first step toward HIPAA compliance.

Established cloud-based EHR vendors build their systems to HIPAA's requirements and are better equipped to protect data. Practices running their own client-server systems are more exposed to human error and hardware failure, which can destroy critical patient data, whereas cloud-based EHR data is backed up by the vendor. Cloud vendors also routinely encrypt data in transit and at rest, a control that locally hosted systems often lack in practice. Moreover, cloud-based EHR systems are much cheaper than client-server systems; some of the most trusted cloud-based EHR systems, such as Practice Fusion, were free (advertising-supported) as of 2015.[16]

One caveat: moving to the cloud does not by itself make a practice compliant. The practice remains the covered entity, must sign a business associate agreement with the vendor, and is still responsible for what the vendor cannot control: workstation security, user accounts and passwords, staff training, and who is given access to records.
[14] Sorebo, Gib. "HITRUST or High Risk? The Health Information Trust Alliance's Common Security Framework." RSA Conference, 14 May 2014. Web. 9 Dec. 2015.
[15] Jayanthi, Akanksha. "Cloud-Based EHRs Deemed Physician Favorites." Becker's Health IT & CIO Review. Becker's Healthcare, 4 June 2015. Web. 9 Dec. 2015.
[16] Congdon, Ken. "The Truth Behind 'Free' EHRs." Health IT Outcomes, 25 Jan. 2013. Web. 9 Dec. 2015.
In addition, the opportunities for analysis of de-identified data and for integration across devices improve overall health outcomes for patients. Cloud-based EHRs collect large amounts of data that can be used to understand patients' health decisions, compare a patient's case and possible treatments with those of a similar demographic, and focus aggregated data on preventive care.

Integration across devices also improves health outcomes in two ways. First, it makes care delivery more efficient by reducing the burden of communication among healthcare organizations (from the insurance company to the doctor). Second, it gives patients greater control over their own health, and patients value that control. For example, Hello Health is another cloud-based EHR that is free for the practice and instead places the cost on patients, about $36 to $120 per year to support the platform. Patients willingly pay it because they enjoy the benefits Hello Health offers, including online scheduling and video consultations with their physicians in lieu of an office visit.[17]
Thus, cloud-based EHR systems are a cost-effective way to shift the more technical security risks onto experienced vendors, and they improve the quality of care delivered. Cloud-based EHR vendors should capture the remainder of the market by marketing aggressively to practices that still rely on server-based EHRs. Convincing these physicians requires earning their trust by highlighting the cost savings, the lower risk of a breach relative to server-based platforms, and the value added for patients.
3. Create Incentives for Research and Development for Risk Assessment Tools
Most risk assessments in healthcare are performed manually or with tools developed in-house, which may not give a holistic picture of the gaps and vulnerabilities in a given provider's systems. The Office of the National Coordinator for Health Information Technology (ONC) offers a Security Risk Assessment tool, but it runs to hundreds of pages; it may be holistic, but it is certainly cumbersome.
If small providers had access to more user-friendly risk assessments, they would likely perform them more often. Such tools need to be automated, cost- and time-effective, and specific to the provider's segment, which requires incentives to build them. Grants from the government or from nonprofits that fund healthcare innovation, including the Robert Wood Johnson Foundation and Johnson & Johnson Innovation, would create incentives for private research and development of more targeted risk assessment tools.

[17] Congdon, Ken. "The Truth Behind 'Free' EHRs." Health IT Outcomes, 25 Jan. 2013. Web. 9 Dec. 2015.
4. Raise Awareness and Educate Providers
Even if HIPAA were reworded, it could not cover every case and organization subject to the law, and it would not necessarily change the complacency of some small providers. Small providers would therefore benefit from additional information specific to their size, maturity, segment, and current security policies.

Health professionals and information security experts should collaborate in a forum created by and for its members. A healthcare-specific Information Sharing and Analysis Center (the National Health ISAC) already exists, but because it works closely with government, health professionals may be reluctant to share information for fear of being penalized for disclosing incidents.[18]
Instead, the new forum must be privately owned and ensure that all members are certified
health professionals or IT security experts. Health professionals would be encouraged to
anonymously share incidents, experiences, security strategies, and concerns about HIPAA
compliance. In turn, their peers and cybersecurity experts could respond with advice and
experiences of their own.
Anonymous information- and incident-sharing resolves the issue of complacency because
health professionals would be able to learn about real examples from relatable peers. Moreover,
information- and incident-sharing creates opportunities to learn from and develop best practices
in healthcare IT security.
Conclusion
There can never be a guarantee that an organization is completely secure. But reworking HIPAA, ensuring the adoption of better tools and technology, and using trusted sources to clear up confusion would mitigate the high risk small providers currently face. Because information security is relatively new to healthcare, these initiatives are a good first step toward becoming more secure. Ultimately, though, the goal is to make information security a norm rather than a burden or requirement for the healthcare industry.

[18] Vamosi, Robert. "Making Incident Sharing Anonymous and Across Industries." Forbes, 17 Nov. 2015. Web. 9 Dec. 2015.
The norm of patient privacy already exists; doctors will not share patient information
without consent. Not only is it unethical and illegal to do so, it also undermines patient trust—
which is unique to healthcare organizations and essential to the survival of a provider’s business.
It is likely that patient trust will become an important aspect in turning security into a norm. A
breach or loss of patient data will undermine that trust, and patients will no longer have
confidence that their provider is capable of improving health outcomes. Thus, security will
become a norm, not just because it saves costs and prevents loss of data, but also because it is an
important part of forming a relationship of trust with patients.
Works Cited
"About HITRUST." HITRUST, n.d. Web. 9 Dec. 2015.
Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico, 1 June 2015. Web. 9 Dec. 2015.
Congdon, Ken. "The Truth Behind 'Free' EHRs." Health IT Outcomes, 25 Jan. 2013. Web. 9 Dec. 2015.
"EHR Incentives and Certification." HealthIT.gov. U.S. Department of Health and Human Services, n.d. Web. 9 Dec. 2015.
"HIPAA Violations and Enforcement." American Medical Association, n.d. Web. 9 Dec. 2015.
"How Much Is This Going to Cost Me?" HealthIT.gov. U.S. Department of Health and Human Services, n.d. Web. 9 Dec. 2015.
Irving, Frank. "Docs Say How They Really Feel About EHRs." Healthcare IT News, 13 Nov. 2014. Web. 9 Dec. 2015.
Jayanthi, Akanksha. "Cloud-Based EHRs Deemed Physician Favorites." Becker's Health IT & CIO Review. Becker's Healthcare, 4 June 2015. Web. 9 Dec. 2015.
McCann, Erin. "Healthcare Data Breaches on the Rise." Healthcare IT News. HIMSS Media, 6 Dec. 2012. Web. 9 Dec. 2015.
"OCR to Begin Phase 2 of HIPAA Audit Program." McDermott Will & Emery, 29 July 2014. Web. 9 Dec. 2015.
Pittman, David. "E-Health Records Ripe for Theft." Politico, 13 July 2014. Web. 9 Dec. 2015.
Ponemon Institute. "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data." ID Experts, May 2015. Web. 9 Dec. 2015.
Sorebo, Gib. "HITRUST or High Risk? The Health Information Trust Alliance's Common Security Framework." RSA Conference, 14 May 2014. Web. 9 Dec. 2015.
United States. FBI. Cyber Division. Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions. 2014. Print.
Vamosi, Robert. "Making Incident Sharing Anonymous and Across Industries." Forbes, 17 Nov. 2015. Web. 9 Dec. 2015.
Warner, Jon. "Cyber-Security in the Healthcare Industry." RX4 Group, 26 Oct. 2015. Web. 9 Dec. 2015.

ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
mccormicknadine86
 
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docxONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
vannagoforth
 
Peer Review FormComplete the form by inserting your answer.docx
Peer Review FormComplete the form by inserting your answer.docxPeer Review FormComplete the form by inserting your answer.docx
Peer Review FormComplete the form by inserting your answer.docx
templestewart19
 
Electronic Health Record Essay
Electronic Health Record EssayElectronic Health Record Essay
Electronic Health Record Essay
Paper Writer Service Terre Haute
 
What is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdfWhat is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdf
archigallery1298
 
Laws & regulations surrounding the evolution of Telemedicine
Laws & regulations surrounding the evolution of TelemedicineLaws & regulations surrounding the evolution of Telemedicine
Laws & regulations surrounding the evolution of Telemedicine
Lynne Watanabe
 
1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docx1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docx
teresehearn
 

Similar to Sarah Kim HIPAA for Small Providers (20)

Protecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH EraProtecting Patient Health Information in the HITECH Era
Protecting Patient Health Information in the HITECH Era
 
Patient Privacy Protections
Patient Privacy ProtectionsPatient Privacy Protections
Patient Privacy Protections
 
A Personal Health Record ( Ehr )
A Personal Health Record ( Ehr )A Personal Health Record ( Ehr )
A Personal Health Record ( Ehr )
 
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docxPage 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
 
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docxPage 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
Page 9 of 15Capstone ProjectYaima OrtizIDS-4934.docx
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
 
Page 1 Executive Summary Policy makers are looking.docx
Page 1   Executive Summary Policy makers are looking.docxPage 1   Executive Summary Policy makers are looking.docx
Page 1 Executive Summary Policy makers are looking.docx
 
Hipaa
HipaaHipaa
Hipaa
 
Health information technology (Health IT)
Health information technology (Health IT)Health information technology (Health IT)
Health information technology (Health IT)
 
Apa format450 words1 biblical integration34 minutes ago
Apa format450 words1 biblical integration34 minutes agoApa format450 words1 biblical integration34 minutes ago
Apa format450 words1 biblical integration34 minutes ago
 
Course Point account for the nursing.pdf
Course Point account for the nursing.pdfCourse Point account for the nursing.pdf
Course Point account for the nursing.pdf
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
 
MANAGING THE INFORMATION SECURITY ISSUES OF ELECTRONIC MEDICAL RECORDS
MANAGING THE INFORMATION SECURITY ISSUES OF ELECTRONIC MEDICAL RECORDSMANAGING THE INFORMATION SECURITY ISSUES OF ELECTRONIC MEDICAL RECORDS
MANAGING THE INFORMATION SECURITY ISSUES OF ELECTRONIC MEDICAL RECORDS
 
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docxONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
 
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docxONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
ONE Featherfall Medical CenterThe 1920s Featherwall Consulting.docx
 
Peer Review FormComplete the form by inserting your answer.docx
Peer Review FormComplete the form by inserting your answer.docxPeer Review FormComplete the form by inserting your answer.docx
Peer Review FormComplete the form by inserting your answer.docx
 
Electronic Health Record Essay
Electronic Health Record EssayElectronic Health Record Essay
Electronic Health Record Essay
 
What is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdfWhat is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdf
 
Laws & regulations surrounding the evolution of Telemedicine
Laws & regulations surrounding the evolution of TelemedicineLaws & regulations surrounding the evolution of Telemedicine
Laws & regulations surrounding the evolution of Telemedicine
 
1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docx1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docx
 

Sarah Kim HIPAA for Small Providers

Sarah Kim
December 9, 2015
HIPAA for Small Healthcare Providers

Introduction

The advent of electronic health records (EHRs) has allowed an increasing number of processors and providers in the health care industry access to patients’ personal health information. The accessibility of such information has streamlined the health care delivery process and allowed patients better control over their personal health through cloud-based applications. But it has also contributed to a rise in breaches, as the high value of personal health records, combined with a poor track record for security, makes healthcare organizations a ripe target for cybercriminals.

In 2009, the U.S. government passed the Health Information Technology for Economic and Clinical Health Act (HITECH) not only to promote the adoption of EHR systems but also to address privacy and security concerns related to EHRs. This section of HITECH improved upon an existing law, the Health Insurance Portability and Accountability Act (HIPAA), by mandating that healthcare organizations and their business associates safeguard electronic protected health information (PHI)—whereas HIPAA previously referred to paper PHI—and report large data breaches to the government and affected individuals.

The updates to HIPAA represent a much-needed step in assigning accountability and creating general security guidelines for healthcare information technology. However, upon closer examination, it becomes apparent that HIPAA tends to penalize a segment of the healthcare industry that is not yet equipped for data security. That is, smaller practices and community hospitals struggle to comply with HIPAA because they have difficulty understanding the law, implementing security standards, and justifying the costs. Addressing this issue and better ensuring compliance requires the revision of HIPAA; the full adoption of cloud-based EHRs; the creation of better risk assessment tools; and the creation of a member-based forum to discuss more specific issues associated with HIPAA and cybersecurity.

Cybersecurity in the U.S. Healthcare Industry

The Health Information Technology for Economic and Clinical Health (HITECH) Act promoted the adoption of EHR systems through a two-pronged approach. First, the government provided incentive payments to Medicare- and Medicaid-eligible professionals and hospitals who adopted EHRs and applied for the incentive program. Second, in January 2015, the government began levying financial penalties on Medicare and Medicaid providers who had not transitioned to EHRs.[1]

HITECH catalyzed a massive shift from paper to digitized patient records. It also contributed to a rise in interconnectivity between health devices and equipment—otherwise known as the Internet of Things. In theory, this would create opportunities for integrated and coordinated care in a fragmented industry; it would also provide more accurate patient information, allowing physicians to offer better, individualized, and immediate care. In reality, the transition to EHRs has placed a huge financial burden on healthcare organizations and left them vulnerable to criminal attacks. In fact, cyberattacks on healthcare organizations have increased by 125 percent since 2010.[2] Cybercriminals have increasingly targeted healthcare organizations because they see a large return on investment; an EHR, for example, is worth twenty to fifty times a credit card number because it contains a wealth of personal information—including a patient’s social security number, health records, drug administration information, and payment data.[3] The interconnectivity of devices—many of which were designed without security in mind[4]—and the tendency to cluster together the storage of personal information create multiple attack nodes for cybercriminals.

A lackluster security culture among healthcare organizations makes them an even more enticing target for cybercriminals. In fact, the healthcare industry experiences more breaches than any other industry, with around ninety percent of healthcare organizations having been victims of a cyberattack in the past two years[5]—yet according to research from the Ponemon Institute, most healthcare organizations and their business associates did not express concern about cyberattacks. Ideally, healthcare companies should spend between ten and forty percent of their information technology budgets on security—but the industry-wide average is only three percent.[6] While many healthcare organizations report that this is due to insufficient budget and resources to invest in IT security, these statistics are cause for concern and reveal the lax culture of security in the industry.

Negligence and resource constraints leave EHRs ripe for theft, and the costs are high. For a victim of EHR theft, the average out-of-pocket cost is around $13,500; for the healthcare industry overall, breaches cost about $6 billion per year.[7] Thus, the state of healthcare cybersecurity makes a policy initiative necessary to raise awareness, create accountability, and guide healthcare organizations in implementing security standards.

HIPAA and HITECH

HIPAA was originally enacted in 1996 to maintain the privacy and security of patients and their PHI. HITECH enhanced the provisions and enforcement of HIPAA by including protection of electronic PHI, requiring healthcare organizations to report large data breaches to the government and affected individuals, and establishing stricter penalties based on the severity of HIPAA violations. The Final Omnibus Rule of 2013 expanded the scope of HIPAA to include business associates, or organizations that work with or provide services to healthcare organizations, including health information exchanges and data analysis service providers.

In its current form, HIPAA defines the circumstances under which a patient’s PHI may be disclosed; mandates that healthcare organizations establish policies and procedures for handling patient information; and requires healthcare organizations to implement a variety of security standards and plan responses to data breaches. Requirements for healthcare organizations also include conducting periodic risk and vulnerability analyses in accordance with NIST standards, assigning a “security official” who is responsible for developing and implementing security policies and procedures, and creating unique codes to track user identities.

The Office of Civil Rights (OCR) performs audits randomly and in response to complaints that a healthcare organization or business associate has violated HIPAA’s provisions. Penalties for HIPAA violations are tiered depending on the nature and extent of the violation and the severity of harm resulting from that violation. Penalties can range anywhere from $100 to $50,000 per violation, and organizations can incur a maximum penalty of $1.5 million per year.[8]

Gaps in the Regulatory Environment

Large hospitals and insurers are more likely to benefit from HIPAA and invest in the security of PHI. Not only do they have the resources to make such investments, they are also more conscientious about receiving negative media attention following a breach and most. But small healthcare providers—that is, private practices and community hospitals—struggle to comply with HIPAA.[9]

Ideally, healthcare companies should spend between ten and forty percent of their information technology budgets on security—but the industry-wide average is only three percent.[10] Small providers, which have low profit margins and limited staffing, likely invest even less than that. Thus, unlike larger healthcare organizations, small providers are unable to sufficiently allocate resources to important initiatives like hiring a knowledgeable “security official” to assist them in the technical aspects of HIPAA or hiring an independent consultant or auditor to perform an effective risk assessment.

Moreover, while health professionals excel at protecting patient privacy, many simply do not know or understand how to comply with the security aspect of HIPAA. Healthcare already lags behind other industries with regard to technology. HIPAA is a complex law, and its technical provisions may be confusing and difficult to understand for small providers who lack technological savvy. Many providers still have difficulty navigating EHRs even though they have had several years to adjust to the new systems—yet they were required to be compliant with HIPAA within just six months.[11] While NIST guidelines provide a general, user-friendly framework for tackling cybersecurity risks, they are not tailored to the healthcare industry, much less to small providers. Because the burden of implementing security standards in a short time frame lies on the physician or the head of the community hospital, it is vital that they have clearer guidance tailored to their industry, size, and segment so they can better understand exactly what policies and procedures they need to enforce.

Exacerbating the lack of understanding is the lack of existing tools to help small providers assess risk. For the overall industry, the majority of organizations report that their risk assessments following security incidents were either an ad hoc process or a manual process developed in-house.[12] Therefore, it would be helpful for small providers to have access to automated, healthcare-specific tools rather than having to internally develop tools that may be insufficient.

Finally, small providers are dangerously complacent. Many small providers do not believe that their small practice or hospital could be of interest to cybercriminals when there are larger targets out there.[13] Penalizing these small practices for breaches is not enough to create a sense of urgency about implementing security standards before it is too late.

HIPAA is problematic because small providers are not yet ready to comply with its provisions. Penalties for noncompliance are not enough to encourage learning and implementation of sufficient security standards, as small providers currently do not have the capability to do so. Thus, other initiatives must be taken to supplement HIPAA and address the gaps in the existing regulatory environment. The solutions for addressing the current problems in the regulatory environment must be easy to understand, trustworthy, and cost- and time-effective.

Addressing the Gaps in HIPAA

1. Clarify HIPAA

For many providers, being HIPAA-compliant is difficult because it is a complex law. Checklists for audit preparation may be simple for an individual who has a basic understanding of information security, but may be too complicated for physicians who have not had any experience with cybersecurity. The NIST framework is broad and meant to be a starting point for approaching cybersecurity risks.[14] Other, more healthcare-specific frameworks that integrate the NIST framework with HIPAA guidelines do exist, but they still fall short. The organizations that are addressed in HIPAA are extremely diverse, ranging from large hospitals, to medical billing companies, to small private practices. Even a general healthcare-specific framework is insufficient in clarifying HIPAA and the security policies and procedures required for each unique case.

A possible solution to the confusion caused by HIPAA’s vague provisions is to reword HIPAA and create separate guidelines that are relevant to the size, maturity, and segment of the organization. These guidelines should include, in clear language, how to perform risk assessments and educate staff on basic security practices. Revising HIPAA requires a significant investment of time for the government, but the payoff would be high as small providers and other organizations better understand how to be compliant.

2. Increase Adoption of Cloud-Based EHRs

While most providers have already adopted cloud-based EHRs, thousands still have not yet moved to the cloud and instead use server-based EHRs.[15] This presents a cause for concern when considering the vulnerability of healthcare organizations and the large number of patient records housed in each practice, regardless of the size of the practice. Thus, achieving higher adoption rates of cloud-based EHRs should serve as a simple first step toward compliance with HIPAA.

Cloud-based EHR systems are already HIPAA-compliant and are better equipped for data protection. Practices relying on client-server systems are more susceptible to human error and system failures, leading to loss of critical patient data, whereas cloud-based EHR systems are backed up on the server. Unlike client-server systems, cloud-based EHRs enhance data security through encryption. Moreover, cloud-based EHR systems are much cheaper than client-server systems; some of the most trusted cloud-based EHR systems, such as Practice Fusion, are free.[16]

Moreover, the opportunities for analysis of de-identified data and integration across devices improve overall health outcomes for patients. Cloud-based EHRs collect large amounts of data that can be used to understand patients’ health decisions, compare a patient’s case and possible treatments with those of a similar demographic, and use aggregated data to focus on preventative care. Integration across devices also improves health outcomes in two ways. First, it makes the care delivery process more efficient by reducing the burden of communication among healthcare organizations (from the insurance company to the doctor). Second, it allows patients to have greater control over their own health. And patients do value having this control. For example, Hello Health is another free cloud-based EHR that places the burden of the cost on the patients—about $36 to $120 per year to support the platform. Patients willingly pay this cost because they enjoy the benefits that Hello Health offers, including online scheduling and video conferences with their physicians in lieu of an office visit.[17]

Thus, cloud-based EHR systems are a cost-effective method of offloading the more technical security risks onto more experienced vendors, and they improve the quality of care delivered. It is important that cloud-based EHR platforms capture the remainder of the market by aggressively advertising to those practices that still rely on server-based EHRs. Convincing these physicians requires acquiring their trust by highlighting the cost savings, the risk of a breach relative to server-based platforms, and the value added to patients.

3. Create Incentives for Research and Development for Risk Assessment Tools

Most risk assessment tools in healthcare are created manually or in-house, which may not be sufficient to get a holistic understanding of gaps and vulnerabilities in a given provider’s system. The Office of the National Coordinator for Health Information Technology (ONC) has created a risk assessment tool that is hundreds of pages—which may be holistic but is certainly cumbersome. If small providers could access more user-friendly risk assessments, they are likely to perform these risk assessments more often. Thus, it is vital for such tools to be automated, cost- and time-effective, and segment-specific—which requires incentives. Grants from the government or even nonprofits—including the Robert Wood Johnson Foundation and Johnson & Johnson Innovation—which award grants for innovations in healthcare would create these incentives for private research and development into more specific risk assessment tools.

4. Raise Awareness and Educate Providers

Even if HIPAA were to be reworded, it could not possibly cover every case and organization that is subject to the law. And it may not necessarily change the complacency of some small providers. Thus, small providers would benefit from additional information that may be more specific or more relevant to their size, maturity, segment, and current security policies.

Health professionals and experts in information security should collaborate in a forum created by and for members. A healthcare-specific Information Sharing and Analysis Center (ISAC) currently does exist, but because it works closely with government, health professionals may be reluctant to share information in the event that they may be penalized for disclosing incidents.[18] Instead, the new forum must be privately owned and ensure that all members are certified health professionals or IT security experts. Health professionals would be encouraged to anonymously share incidents, experiences, security strategies, and concerns about HIPAA compliance. In turn, their peers and cybersecurity experts could respond with advice and experiences of their own. Anonymous information- and incident-sharing resolves the issue of complacency because health professionals would be able to learn about real examples from relatable peers. Moreover, information- and incident-sharing creates opportunities to learn from and develop best practices in healthcare IT security.

Conclusion

There can never be a guarantee that an organization is completely secure. But reworking HIPAA, ensuring the adoption of better tools and technology, and utilizing trusted sources to clarify confusions would mitigate the high risk that small providers currently face. Because the idea of information security is relatively new to healthcare, these initiatives are a good first step to becoming more secure. Ultimately, though, the goal is to make information security a norm rather than a burden or requirement for the healthcare industry.

The norm of patient privacy already exists; doctors will not share patient information without consent. Not only is it unethical and illegal to do so, it also undermines patient trust—which is unique to healthcare organizations and essential to the survival of a provider’s business. It is likely that patient trust will become an important aspect in turning security into a norm. A breach or loss of patient data will undermine that trust, and patients will no longer have confidence that their provider is capable of improving health outcomes. Thus, security will become a norm, not just because it saves costs and prevents loss of data, but also because it is an important part of forming a relationship of trust with patients.

Notes

1. "EHR Incentives and Certification." HealthIT.gov. U.S. Department of Health and Human Services, n.d. Web. 09 Dec. 2015.
2. Ponemon Institute. "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data." ID Experts, May 2015. Web. 9 Dec. 2015, 1.
3. United States. FBI. Cyber Division. Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions. N.p.: n.p., 2014. Print.
4. Warner, Jon. "Cyber-Security in the Healthcare Industry." RX4 Group, 26 Oct. 2015. Web. 9 Dec. 2015.
5. McCann, Erin. "Healthcare Data Breaches on the Rise." HealthcareITNews. HIMSS Media, 6 Dec. 2012. Web. 9 Dec. 2015.
6. Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico. N.p., 1 June 2015. Web. 09 Dec. 2015.
7. Ibid.
8. "HIPAA Violations and Enforcement." American Medical Association, n.d. Web. 09 Dec. 2015.
9. "OCR to Begin Phase 2 of HIPAA Audit Program." McDermott Will & Emery, 29 July 2014. Web. 9 Dec. 2015.
10. Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico. N.p., 1 June 2015. Web. 09 Dec. 2015.
11. Irving, Frank. "Docs Say How They Really Feel About EHRs." Healthcare IT News, 13 Nov. 2014. Web. 09 Dec. 2015.
12. Ponemon Institute. "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data." ID Experts, May 2015. Web. 9 Dec. 2015, 5.
13. Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico. N.p., 1 June 2015. Web. 09 Dec. 2015.
14. Sorebo, Gib. "HITRUST or High Risk? The Health Information Trust Alliance's Common Security Framework." RSA Conference, 14 May 2014. Web. 09 Dec. 2015.
15. Jayanthi, Akanksha. "Cloud-Based EHRs Deemed Physician Favorites." Becker's Health IT & CIO Review. Becker's Healthcare, 4 June 2015. Web. 09 Dec. 2015.
16. Congdon, Ken. "The Truth Behind "Free" EHRs." Health IT Outcomes. N.p., 25 Jan. 2013. Web. 9 Dec. 2015.
17. Congdon, Ken. "The Truth Behind "Free" EHRs." Health IT Outcomes. N.p., 25 Jan. 2013. Web. 9 Dec. 2015.
18. Vamosi, Robert. "Making Incident Sharing Anonymous and Across Industries." Forbes. N.p., 17 Nov. 2015. Web. 9 Dec. 2015.

Works Cited

"About HITRUST." HITRUST, n.d. Web. 9 Dec. 2015.
Allen, Arthur. "Billions to Install, Now Billions to Protect." Politico. N.p., 1 June 2015. Web. 09 Dec. 2015.
Congdon, Ken. "The Truth Behind "Free" EHRs." Health IT Outcomes. N.p., 25 Jan. 2013. Web. 9 Dec. 2015.
"EHR Incentives and Certification." HealthIT.gov. U.S. Department of Health and Human Services, n.d. Web. 09 Dec. 2015.
"HIPAA Violations and Enforcement." American Medical Association, n.d. Web. 09 Dec. 2015.
"How Much Is This Going to Cost Me?" HealthIT.gov. U.S. Department of Health and Human Services, n.d. Web. 09 Dec. 2015.
Irving, Frank. "Docs Say How They Really Feel About EHRs." Healthcare IT News, 13 Nov. 2014. Web. 09 Dec. 2015.
Jayanthi, Akanksha. "Cloud-Based EHRs Deemed Physician Favorites." Becker's Health IT & CIO Review. Becker's Healthcare, 4 June 2015. Web. 09 Dec. 2015.
McCann, Erin. "Healthcare Data Breaches on the Rise." HealthcareITNews. HIMSS Media, 6 Dec. 2012. Web. 9 Dec. 2015.
"OCR to Begin Phase 2 of HIPAA Audit Program." McDermott Will & Emery, 29 July 2014. Web. 9 Dec. 2015.
Pittman, David. "E-Health Records Ripe for Theft." Politico. N.p., 13 July 2014. Web. 09 Dec. 2015.
Ponemon Institute. "Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data." ID Experts, May 2015. Web. 9 Dec. 2015.
Sorebo, Gib. "HITRUST or High Risk? The Health Information Trust Alliance's Common Security Framework." RSA Conference, 14 May 2014. Web. 09 Dec. 2015.
United States. FBI. Cyber Division. Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions. N.p.: n.p., 2014. Print.
Vamosi, Robert. "Making Incident Sharing Anonymous and Across Industries." Forbes. N.p., 17 Nov. 2015. Web. 9 Dec. 2015.
Warner, Jon. "Cyber-Security in the Healthcare Industry." RX4 Group, 26 Oct. 2015. Web. 9 Dec. 2015.