Protecting Health Information

Privacy and security of health information are of utmost importance in today's technologically advancing world. The increased use of electronic health records as well as smartphones, tablets, and patient portals is changing how we look at our healthcare. The laws and regulations that protect our information also need to change. Currently, the Health Insurance Portability and Accountability Act, or HIPAA, sets the standards for protecting the privacy, confidentiality, and security of health information. Dr. William Braithwaite, who was instrumental in drafting the privacy and security rules, was known when they first came out as "Dr. HIPAA." Let's hear what he has to say.

When we talk about HIPAA, particularly privacy and security, we're thinking about the HIPAA Administrative Simplification subtitle. The rest of this huge law was about health insurance portability and so on. It all started with a workgroup on electronic data interchange back in the early '90s who decided that healthcare was wasting 30 percent of the money that was being put into health insurance by doing very strange and… actually absurdly expensive exchanges of information between providers and health plans. So, they went to Congress, they talked to some folks about that, a couple of laws were drafted, and at the same time in the House, laws were being drafted about privacy based on the same fair information privacy practices that resulted in the 1974 Federal Privacy Act, but those privacy rules had never been able to be passed by Congress. So, when the Administrative Simplification idea came up, it didn't get very far, but in 1993, when Clinton's health reform bill was coming through, there was a whole section in there about health information technology, and I was sort of the right person at the right place at the right time and managed to put together a coalition of staff from the House and the Senate, both parties, and with industry input came up with this law called Administrative Simplification, which laid out the standards that everybody would have to follow in order to save this money, but also took into consideration the fact that as we turned people's health information into electronic form and started shooting it around over the internet or any other form of connection that the security and privacy of that information had to be protected, because at that time, there were no laws on a federal level to protect your health information.

So, the combination was very powerful, and when Clinton's health reform bill didn't get passed, the Administrative Simplification law got saved and got attached to every health reform bill that got introduced over the next two or three years, and finally in 1996, when HIPAA as a Health Insurance Portability Act got passed, the Administrative Simplification law was attached to it. Now, by that point, Congress had realized that they couldn't pass a privacy law. They promised they would, but they never did. So, when the law was about to be passed and signed, we got them to change a few words. So, in addition to setting the standards for doing Administrative Simplification, it says that Congress agrees to pass a comprehensive health information privacy law within three years, but if they fail, the Secretary is given the power to do it by regulation. And so, when you look into the HIPAA law for "Where's the privacy law," there isn't one. The law actually didn't appear until it became regulation in the year 2000.

Providers are more accepting of HIPAA now because when it first came out, it came out in a way that scared everybody. I think–I don't know exactly why or where it started, but the idea of, "HIPAA's this new law, it makes you do things that you've never had to do before, and you don't see a reason for it, and it's expensive, and it's scary 'cause they're gonna throw you in jail if you don't do it," none of which was true, but– the whole idea, for example, that the Privacy Rule in HIPAA was based around one simple concept, which is: don't surprise the patient.

Patients are learning more and more over time about it. They're becoming more aware, particularly when they start using Facebook and all these new social media, they realize, especially when they watch what their kids do with this stuff, they realize that that information, which is not secret anymore, can be hurtful. They also realize that the healthcare system is more complex and that it isn't just their doctor that needs this information. So, the whole idea that patients should be educated about what privacy is about and what people do with their health information was the reason why everybody's given a notice. When you go to the doctor's office for the first time, you're given a notice of their privacy practices. That was the first attempt to educate people about what really goes on. I think what happened was most people just put that in the– they signed it, and then they put it in the trash because it was too long, it was too complicated, it was written by a team of lawyers. We've gotten around that now, and finally, those notices are aimed at the patient and educating them about what the real issues are. So, I think they're catching on, and they're getting better about being aware of the privacy issues.

In 2009, a new law was passed: the Health Information Technology for Economic and Clinical Health, or HITECH Act. This law was actually part of the economic stimulus law known as the American Recovery and Reinvestment Act. HITECH included new provisions for strengthening the privacy and security protections for health information.

HITECH is essentially an extension of HIPAA in a variety of areas, and that was passed not too long ago. And so, every couple of years, they pass another law that can tweak what was set out in HIPAA. I don't think the HIPAA law as a bolus could be passed today, but increments to make it better, to improve and fine-tune it, can be and are being passed. I think the key changes in HITECH with respect to HIPAA privacy are in enforcement. That is, the Department of HHS took a very slow, educational approach to enforcement, and when breaches happened, when problems were reported, they sent someone out, they investigated, and then they said, "This is what you need to do to fix this problem." There were no fines, nobody was put in jail, but after ten years, when the things that should have been fixed a decade ago didn't happen, then Congress said, "All right, it's time to put the hammer down and make people pay more attention to this law." So, the fines were raised, the ability for state attorneys general to prosecute under HIPAA instead of just the federal government, those probably brought the level of enforcement up a huge amount and made people go back and pay attention. People were scared when HIPAA privacy first came out, and then nothing happened, so they stopped being scared and they stopped paying attention in many cases, so this sort of raises the bar again and makes sure that people are doing the right thing.

Now, what they've discovered by forcing people to report when breaches occur is that millions of people's records are being breached. And so, garbage trucks full of paper records, the top blows off, and the records get flying all over the place, so a lot of them are paper. Doctors, especially in the old days, used to put the paper records in their trunk and take them home to look over the records and sign them, and then someone would steal the car. So, there were lots of ways that records could be stolen, but one of the huge issues right now, particularly because of the volume, is that people are stealing portable devices like laptops, and when people who work on medical records put millions of records on a laptop, and the laptop gets stolen, that's a huge breach even though the purpose of stealing the laptop isn't to violate someone's privacy, it is to make money so they can… get money, basically, from reselling the laptop, but it is a breach.

So, what the Security Rule says is that you have to do a risk analysis to figure out what the risks are and then do something reasonable and appropriate to mitigate those risks. Well, the risks of laptops being stolen can be mitigated if you encrypt the hard disk. So, the guidance that has come out says, "Follow the Security Rule. This is a real risk now. Pay attention, encrypt everything." And if you encrypt it and you lose the laptop or it gets stolen, it's no longer a breach. So, they've managed to enforce the Security Rule by specifying what can get you out of being enforced against when a laptop is stolen.

But it's pretty clear that in the next year, mobile healthcare and the increase in technology of the cloud and the use of the cloud and mobile devices, physicians are bringing their own mobile devices to the hospital and to the clinic and expecting to use them, which raises huge privacy and security risks. You know, doctors are very powerful in healthcare environments, and when they say, "I want to use my mobile device," the administration and the technical people, in particular, have a tough time pushing back against that because it's the doctors that bring the patients that bring the money into the institution, and if they decide to go somewhere else, then an institution can lose a lot of money. On the other hand, bringing in mobile devices that are insecure threatens the whole institution with a breach of the health information, and so, there's a battle going on right now between those two forces, and I think technology will step in and help the CIOs figure out how to make it work, but they haven't done it yet.

As we have seen, the Administrative Simplification provisions that were attached to the HIPAA law in 1996 were the first attempt at outlining some guidelines for protecting health information. In 2000, the Privacy Rule was established, which further described what needed to be done. At first, HIPAA was seen as a huge burden, but over time, healthcare professionals and patients have become more comfortable with the rules. However, we have seen that with more adoption of electronic health records, there are still problems, and it became obvious that stricter enforcement was needed. The HITECH Act of 2009 further strengthened the regulations and the enforcement procedures. Protecting the privacy and security of health information in the digital age will be an ongoing process. As technology improves, new and better ways to protect the privacy of health information will emerge.
