Christopher P. Buse, CISA, CISSP, CPA, Larry Marks, CISA, CGEIT, CFE, CISSP, PMP, and Steve Sizemore, CISA, CGAP, CIA
There have been articles in the mainstream media discussing efforts by technology companies and providers to digitize patient records. There is a tremendous push by the US federal government—as well as by some private payers and self-insured employers—to get all US health care providers wired in the near future, in an effort to better coordinate patient care, improve outcomes and “bend the cost curve” all at the same time.
Once patient data, known as protected health information (PHI), are stored electronically, they become exposed to potential data breaches. There are two pieces of recent legislation issued by the US Congress that affect, more than any other recent legislation, the security and privacy areas reviewed by IT auditors in the health care industry:
This article addresses the HITECH Act. A second article, to be published in volume 5, 2010, of the ISACA Journal, will address the HHS breach notification rule (HHS BNR).
Compliance with both rules (the HHS rule, issued under the authority of the HITECH Act and applying to HIPAA-covered health care providers and their business associates, and the US Federal Trade Commission (FTC) rule, applying to personal health record (PHR) vendors and similar third parties) requires affected practices and businesses to assess and update their data privacy and security policies and procedures, and to train all affected staff accordingly.
The HITECH Act was signed into law in February 2009 as part of the ARRA. The HITECH Act:
This article will briefly describe the HITECH Act and its impact on IT professionals in terms of:
On 17 April 2009, HHS issued guidance specifying the technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals, as required by the HITECH Act, which was passed as part of the 2009 ARRA. This guidance was developed jointly by the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS). The HITECH Act's breach notification provisions and their implementing regulations became effective in the fourth quarter of 2009. Auditors and security professionals need to understand the Act and its implementing regulations because they significantly expand the HIPAA security and privacy requirements. Similar breach notification provisions, implemented and enforced by the FTC, apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.
The HITECH Act introduced the first federal breach notification requirements for health information in the US. Under the Act, a breach is the unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of that information. Organizations are exempt from the notification requirements if they can demonstrate that the disclosure did not compromise the security or privacy of the data or did not pose a significant risk of harm to the affected individuals.
The HITECH Act directed the secretary of HHS to issue technical guidance to health care providers. Issued in April 2009 and reissued with the August 2009 interim final rule, this guidance:
Under the HHS and FTC regulations, notification is required only when the breached PHI is "unsecured." The regulations specify encryption and destruction as the technologies and methodologies that render PHI unusable, unreadable or indecipherable to unauthorized individuals. Entities that secure PHI in accordance with the guidance are relieved from having to notify individuals, the HHS secretary and the news media in the event of a breach. The breach notification regulations became effective in September 2009.
The interim final breach notification regulations, issued in August 2009, implement section 13402 of the HITECH Act by requiring HIPAA-covered entities and their business associates, including business associates based outside the US, to provide notification following a breach of unsecured PHI. HHS reports that similar breach notification provisions, implemented and enforced by the FTC, apply to vendors of personal health records and their third-party service providers, as specified in section 13407 of the HITECH Act. Section 164.400 of the interim final rule provides that the breach notification rule applies to breaches occurring on or after 30 days from the rule's publication in August 2009, i.e., from 23 September 2009.
The legislation provides that the breach notification rules apply to covered entities under HIPAA and to their business associates, and requires them to provide notification in the case of breaches of unsecured PHI. The Act also requires covered entities to notify prominent media outlets of breaches affecting more than 500 residents of a state or jurisdiction. The Act requires covered entities to safeguard electronic PHI and permits them to use any security measures that allow them to reasonably and appropriately implement all safeguard requirements.
The FTC rule under section 13407 of the HITECH Act applies both to vendors of personal health records that provide online repositories people can use to keep track of their health information and to entities that offer third-party applications for personal health records. Such applications include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers benefit from these innovations only if they are confident that their health information is secure and confidential.
Organizations have to do the following to comply with the HITECH Act:
The secretary of HHS is responsible for oversight, enforcing compliance and determining the amount of any proposed penalty.
IT auditors need to know about this regulation because the HHS interim final rule, issued in August 2009, states that a breach does not occur unless the access, use or disclosure poses "a significant risk of financial, reputational or other harm to an individual." In the event of a breach, the rule requires covered entities to perform a risk assessment to determine whether this harm standard is met. If the risk assessment determines that the risk of harm to the individual is not significant, the covered entity is not required to tell its patients that their sensitive health information was breached. The FTC version stipulates that if an individual authorized the disclosure of the data, the release is not considered a breach. The interim final rule was published in August 2009 and became effective on 23 September 2009.1
The FTC's rule also allows a vendor to perform a risk analysis and states that if the data were never acquired (i.e., officials are reasonably certain that nobody saw the material), the incident does not count as a breach and notification is not required. Both agencies have said they will not impose sanctions under the data breach rules for the first 180 days, during which time Deven McGraw, director of the health privacy project at the Center for Democracy and Technology (CDT), hopes that HHS will go back to the drawing board.2
With regard to possible overlap with state regulations, specifically over the definition of a breach and the notification triggers, state breach notification laws are not generally preempted. Under HIPAA's preemption rule, only state laws that are contrary to, and less stringent than, the federal requirements are preempted, so an organization may have to satisfy both the federal rule and one or more state laws for the same incident. Auditors employed by a multinational firm or an organization with offices in multiple states will have to take this added complexity into consideration when assessing the organization's compliance.
The HITECH Act also provides guidance and funding for establishing at least 70 regional extension centers to promote EHR adoption. Practice Fusion, an EHR vendor, indicated earlier in 2010 that the regional centers will offer "technical assistance, guidance and information on best practices to support and accelerate health care providers' efforts to become meaningful users of EHRs."3 More than 100,000 primary care providers will be supported by the regional centers. An excerpt from a Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program document says that support should specifically focus on helping providers select the highest-value option, defined as that which offers the greatest opportunity to achieve and maintain meaningful use of EHRs and improved quality of care at the most favorable cost of ownership and operation, including the initial acquisition of the technology, the cost of implementation, ongoing maintenance and predictable needed upgrades over time.4
Under the HITECH Act's Medicare and Medicaid incentive payments, a physician who can demonstrate "meaningful use" of an EHR in 2011 would be eligible to receive US $18,000 from Medicare for the first year and US $44,000 in total through 2015. Incentives are reduced for physicians who first adopt after 2012. Physicians whose practices feature a high volume of Medicaid patients can instead qualify for up to US $63,750 in Medicaid incentives.
1 According to Deven McGraw, director of the health privacy project at CDT, the harm-standard language was not handed down as part of the US $19 billion health IT section of the economic stimulus package and was expressly rejected by House of Representatives staffers who helped craft the measure. He noted that its inclusion by HHS is likely the result of lobbying on the part of the health care industry. CDT and its allies favor the approach taken by the FTC in its own data breach mandate, which takes effect the same day as the HHS rule. Noyes, Andrew; "HHS Urged to Rework Data Breach Rule," Congress Daily, Tech Dose Daily, 17 September 2009
2 Ibid.
3 Practice Fusion, "HITECH EMR Stimulus Information for Physicians," USA, 2010, www.practicefusion.com/pages/HITECH.html
4 Health Information Technology Extension Program: Regional Centers Cooperative Agreement Program, "Funding Opportunity Announcement and Grant Application Instructions," Office of the National Coordinator for Health Information Technology, Department of Health and Human Services, USA, 2009
Christopher P. Buse, CISA, CISSP, CPA, is currently the chief information security officer (CISO) for the State of Minnesota (USA), Office of Enterprise Technology. He is a member of ISACA's Governmental and Regulatory Agencies Area 4 Subcommittee.
Larry Marks, CISA, CGEIT, CFE, CISSP, PMP, is a consultant for DTG-Consulting Solutions. He is currently assigned as a project manager for a financial services client. He is a member of ISACA's Governmental and Regulatory Agencies Area 4 Subcommittee.
Steve Sizemore, CISA, CGAP, CIA, is currently an IT audit manager with the Internal Audit Division of the Texas Health and Human Services Commission (USA). He is a member of ISACA's Governmental and Regulatory Agencies Area 4 Subcommittee.
© 2010 ISACA. All rights reserved.