In 2001, Ron Uno, manager of information management at Kuakini Health Systems, made the decision to move his hospital’s medical records system from paper to computers. The main motivation for the costly, multiyear project? The Health Insurance Portability and Accountability Act, or HIPAA, the then five-year-old federal law that sets standards for protecting the security and privacy of American medical records. If the hospital had an electronic medical records (EMR) system, Uno reasoned, it would be easier to monitor who was accessing sensitive patient information and to comply with the law’s privacy and security regulations.
Five years later, Uno is halfway through implementing an EMR system. He estimates that Kuakini, a nonprofit with $275 million in revenue that operates a 250-bed hospital and a 200-bed long-term care facility in Honolulu, has spent $10 million to $15 million on implementing the system and other technologies to help it comply with HIPAA. “Even though we’re a small hospital, we’re trying to comply as much as we can,” says Uno, who is closing in on full HIPAA compliance, though he’s not there yet.
The Long, Hard Road to Compliance
A decade after HIPAA was signed into law, CIOs like Uno are still struggling to comply with its provisions. Some lack the resources to fully meet the requirements of this complex set of rules; others seem to feel little need to hurry since the federal government has not aggressively enforced the law. So it comes as no surprise to learn that HIPAA compliance rates appear to be slipping.
Fewer hospitals and healthcare facilities are fully complying with the law this year than in 2005, according to a recent survey by the American Health Information Management Association (AHIMA), a professional organization for health information executives. And more than one-quarter of U.S. security executives whose organizations need to be HIPAA-compliant admit that they are not, according to “The Global State of Information Security 2006,” a study released last month by CIO and PricewaterhouseCoopers.
These findings stand in sharp contrast to the billions of dollars invested by healthcare CIOs in technologies to protect medical records, including EMRs, firewalls, remote monitoring systems, intrusion detection, auditing software and encryption programs. HIPAA compliance rates declined across institutions of all sizes, but specialists say the problem is most acute at small to midsize hospitals with their limited budgets. “Smaller hospitals with thinner margins and smaller IT budgets will have a more difficult time being compliant,” says Gartner analyst Robert Booz.
There is no question that HIPAA has made patient information more secure. It also accelerated adoption of healthcare IT systems nationwide, an evolution that is boosting efficiency while reducing medical errors. Getting there, however, hasn’t been easy.
Asif Ahmad, CIO and VP of diagnostic services at Duke University Health System, says that HIPAA compliance has created extra burdens, even for large healthcare organizations such as his own. “I can’t imagine a community hospital coming up with all of these resources,” he says.
Uno agrees that it is harder for smaller organizations to secure the resources and support to fully comply with HIPAA. But it can be done. Uno sold his senior management team on the importance of compliance by stressing that failure to meet HIPAA requirements could lead to privacy breaches. “No one wants to be the scapegoat for a privacy breach,” he says.
The Silent Crisis
HIPAA was introduced in 1996 as a broad measure designed to protect confidentiality and security of health data. It called on the Department of Health and Human Services to standardize electronic patient health and financial data and to set security standards to protect “individually identifiable health information.” The law, which applies to all healthcare providers and health plans, as well as insurers, technology vendors and universities, put in place a series of mandates and deadlines. Perhaps the most important to healthcare CIOs were the privacy rules, which took effect in April 2003, and the security rule, which had an April 2005 deadline.
While HIPAA offers a framework for how healthcare organizations need to safeguard data, it does not provide recommendations for specific technologies to do the job. This lack of detail meant that healthcare CIOs scrambled in the early years to get ready for the deadlines. They invested in hardware and software, in addition to training staff on safe ways to access and transmit personal health data.
More recently, however, the focus has shifted away from compliance, say specialists. “The healthcare industry has spent billions on HIPAA compliance, and now what we’re seeing is HIPAA fatigue,” says Gartner’s Booz.
Nearly 39 percent of hospitals and health systems reported full privacy compliance this year, according to AHIMA, which surveyed 1,117 healthcare privacy officers and others whose jobs relate to HIPAA privacy. That’s up from 23 percent in 2004. However, the number of those who believe they are more than 85 percent compliant dropped to 85 percent in 2006, down from 91 percent in 2005. (For more information, read the full AHIMA report, “The State of HIPAA Privacy and Security Compliance.” Find a link to the report at www.cio.com/101506.)
“This is not a crisis, but more of a silent erosion of HIPAA compliance,” says Dan Rode, VP of policy and government relations at AHIMA. “It’s a wake-up call.”
After the rush to implement privacy and security systems, he says, many institutions now report that support and resources from healthcare organizations are declining in the face of budget constraints. Also troubling to some privacy advocates is what they see as the federal government’s generally lax attitude toward HIPAA enforcement.
According to the Health and Human Services Office of Civil Rights, which enforces the law, more than 22,000 grievances have been lodged since the HIPAA privacy rule took effect in 2003. Most have to do with personal medical information being wrongly revealed. The government has closed 75 percent of these cases, either ruling that there was no violation or no jurisdiction, or after ensuring that hospitals, health plans or doctors’ offices had fixed violations. To date, no fines have been assessed by the department. Out of 339 complaints referred to the Justice Department for possible criminal prosecutions since the privacy rule took effect, only two have been prosecuted fully under HIPAA.
Unlike those who have run afoul of Sarbanes-Oxley, HIPAA violators have not faced high-profile prosecutions that would encourage compliance. “There haven’t been any ‘perp walks’ before news and television cameras,” says Peter Cizik, CEO of consultancy HIPAA Solutions Rx.
Although HIPAA violators are unlikely to get into trouble with the federal government right now, they should strive to comply in order to avoid running afoul of state and federal privacy laws or getting involved in costly class-action lawsuits, says Cizik. He notes that HIPAA provides a “floor” for minimum standards of privacy and security and that if state laws are more stringent, they will prevail. In California, for example, any organization doing business there must notify all individuals affected by a breach of personal information.
The widespread damage that a privacy breach can cause in the healthcare arena came to light this year when Providence Home Services, a division of Seattle-based Providence Health Systems, revealed that backup computer tapes and disks containing personal information and medical records on 365,000 patients were stolen from a parked car. In addition to suffering public embarrassment, the healthcare company paid to inform all its patients via mail and offered to pay for credit monitoring services. The data theft is under investigation by the Oregon attorney general’s office.
“Health care is a ripe target for identity theft,” says Cizik, himself a victim of the Providence breach. He notes that the company spent millions to pay for ID theft protection services and to defend against a class-action lawsuit filed on behalf of former patients.
“For some organizations, unless they think it can happen to them, they won’t take all the necessary steps to keep their information secure,” adds AHIMA’s Rode.
A Plan for Action
As a consultant for HIPAA Solutions Rx, Ross Leo travels the country to help hospitals and healthcare systems achieve compliance. Many small and midsize facilities he works with are struggling to pay for system upgrades; still others are moving slowly “in order to be seen as not ignoring HIPAA.”
Leo feels their pain: He oversaw a HIPAA compliance program as CISO and director of IS for the managed care division at the University of Texas Medical Branch in Galveston. Some of his clients can’t afford the leading-edge technology to track access to patient information.
Leo suggests that companies in this situation start their compliance efforts by drawing up a “risk mitigation plan” that outlines weaknesses in IT security and staff procedures for guarding data privacy. Such a plan can help the CIO pinpoint what needs to change and where to target investment.
After a risk analysis assessment, Leo recommends the addition of or upgrades to security systems. These can range from basic firewalls to more sophisticated EMRs, depending on the hospital’s budget.
Even when a hospital or clinic can’t afford large-scale technology investments, Leo says that changes to IT policies can help bring them toward HIPAA compliance. For example, Leo worked with IT and security staff to develop policies for safe use of the Internet at a midsize Chicago hospital that was starting to deploy PCs with online access at workstations. He recommended that the hospital ban access to patient data on these PCs except in certain cases. Leo also suggested barring remote access to the patient information database for doctors and other staff members who log in from personal computers or laptops.
Leo says minor changes in procedure can make a big difference in protecting patient data. For example, a fax machine placed at a nurse’s station can reveal patient information to anyone walking by. “People usually think their processes are OK when they’re not,” he says.
Cost is a major stumbling block for CIOs determined to bring their organization in line with HIPAA. In fact, the AHIMA survey found that 55 percent of respondents identified resources as their most significant barrier to full privacy compliance.
When Kuakini’s Uno started looking for an EMR system, he knew cost would play a key role in his decision. EMRs are not required under HIPAA, but they make it much easier to comply. Where other facilities in the Honolulu area have spent $35 million to $40 million implementing EMRs, Uno would have to get by on a much smaller budget—approximately $15 million. So when he chose Cerner to provide the EMR, he negotiated carefully with his longtime vendor to make sure he could complete the project on his limited budget.
“We examined each contract line item with a fine-tooth comb to see if it was really needed or if we could find an alternative. There were items included that we didn’t need, such as a standalone [uninterruptible power supply],” says Uno. “[Eliminating] it saved us a lot of money. The bottom line? You need to know how each item fits in the project infrastructure.”
To help implement the EMR system, a six-member in-house IT team works in concert with the Cerner consulting staff. Uno says this approach has helped Kuakini realize significant cost savings and better monitor the project.
“Foremost in my mind during this process was the fact that we are not a rich hospital,” says Uno. “We formed a partnership with Cerner and keep constant tabs on the cost of the project.”
The cost of compliance is also on the mind of Rick Casteel, VP of MIS at Upper Chesapeake Health, which has revenue of $162 million and operates two hospitals in Harford County, Md. Casteel started preparing for HIPAA six years ago. He considers HIPAA an essential foundation for assuring security and privacy of medical data but one that is complex and demands constant attention and dollars. Casteel wouldn’t specify how compliant Upper Chesapeake is with HIPAA, but says he is comfortable that “we have balanced electronic security well against the demand for data and the need for quality and safety.” Like Uno, he is always looking to contain his compliance costs.
Casteel started his organization’s compliance effort with a complete inventory of existing tools such as firewalls and other security software programs. Upper Chesapeake undertook this assessment utilizing a Web-based tool from Xpediate. The tool provided a structure for an in-house inventory while allowing Casteel to use internal resources rather than bring on additional staff or hire expensive consulting assistance. After completing the inventory, Casteel went to his current vendors and worked with them to find different versions of software that would help the healthcare provider reach compliance.
“We were looking for vendors who would show us how we could use their tools to meet compliance requirements,” Casteel says. For example, a partnership with Trigeo helped Casteel’s team see how valuable systemwide log management could be in relation to HIPAA and how the vendor’s tool fit into the healthcare provider’s IT infrastructure.
In that way, Casteel says, he has avoided excessive spending on all new HIPAA security and privacy systems. One key to success, he says, is to avoid hype from vendors looking to sell new products.
“I would avoid vendors that bill themselves as HIPAA compliant,” he says, noting that HIPAA provides a framework and does not require specific vendors or products.
HIPAA has pushed IT executives like Uno and Casteel to move forward with EMRs and other technology initiatives that make it easier to audit access to sensitive patient data. However, such systems also create new risks and new demands on IT.
“I’m required to give more people access to more data,” says Casteel. This increased access provides more opportunity for data to escape. “Privacy breaches are what keeps an IT manager up at night,” he adds.
Healthcare CIOs have another reason to focus on keeping their data private and secure. In 2004, President George Bush charged the IT and healthcare industries with building a National Health Information Network (NHIN), a system to provide every citizen with an electronic medical record by 2014. He appointed Dr. David Brailer to coordinate the effort. Brailer resigned in April but the Department of Health and Human Services is pressing ahead with NHIN.
Looking forward, Uno and Casteel agree that the most important HIPAA compliance deadlines are behind them, although several lesser provisions remain to be implemented. For example, the deadline for healthcare organizations to start using a “national provider identifier” (NPI) is next May. The NPI is a unique health identification number that will be assigned to healthcare providers to simplify communication between providers and health plans and to cut the risk of fraud.
Compliant at Last
Uno intends to keep fine-tuning his systems to bring Kuakini in line with HIPAA. It’s been a long road but compliance appears to be just around the corner.
By the first quarter of 2007, Uno says, doctors at his hospital will use an identity management system from Oracle. It will allow physicians to use a single sign-on to gain access to several hospital systems; it will also provide clearer auditing and tracking to see who has used the systems.
The EMR and other in-process systems for computerized physician order entry and electronic medication administration records will come online later in the year. “We hope to be 100 percent HIPAA-compliant sometime in 2007,” says Uno.
Despite the financial burden of working to comply with HIPAA, Uno says, the alternative—exposure of patient data—could spell disaster. “With regards to healthcare privacy,” he says, “no one wants to be in the spotlight.”