Security News > 2003 > February > New HIPAA security rules could open door to litigation

New HIPAA security rules could open door to litigation
2003-02-21 10:55

http://www.computerworld.com/securitytopics/security/story/0,10801,78684,00.html By Bob Brewin FEBRUARY 20, 2003 Computerworld New federal security standards that cover how personal health information is electronically maintained or transmitted could create a legal nightmare for the health care industry, will require a massive training effort and could cost millions of dollars, according to hospital industry personnel who specialize in health care IT. The Health Insurance Portability and Accountability Act (HIPAA) security standards (download PDF) become law today with their publication in the Federal Register, but don't take effect until April 21, 2005, according to the Centers for Medicare & Medicaid Services (CMS), part of the U.S. Department of Health and Human Services. Despite that time lag, the new standards will hit the nation's $1.3 trillion health care industry quickly because they become the de facto security guidelines for federal privacy standards regarding health care information. Those privacy standards, which govern electronically protected health information (PHI), go into effect April 14, according to Mary Henderson, vice president of IT compliance and director of the national HIPAA program at Kaiser Permamente Health Plan. Kaiser is the nation's largest nonprofit health maintenance organization, with 8.4 million members, 29 hospitals and 423 medical offices staffed with 11,000 doctors. According to CMS, the new security standards will affect 2.6 million "covered entities," a group that includes the whole swath of the health care industry, from individual doctors to hospitals to major insurance plans such as Kaiser. While it doesn't mandate specific security technologies or procedures that should be used to meet the security standards, the CMS does spell out what information must be protected and what the industry should strive to do. Specifically, according to the CMS, health care organizations should: Insure confidentiality, integrity and availability of all electronic protected health care information; protect against threats to the security or integrity of such information; protect against unauthorized disclosure or use of protected health care information; ensure compliance by the entire workforce. Karen Trudel, deputy director of the office of HIPAA standards at CMS, said she doesn't disagree that the security standards could become the de facto standard for PHI, even though they don't go into effect until 2005. But, Trudel said, the privacy rules cover paper and oral communications as well as electronic health information; the security regulations cover not only privacy but also the integrity and availability of information. They are designed to ensure that health care data is preserved and backed up in case of a system failure. Richard Marks, a lawyer at the Seattle-based law firm of Davis Wright Tremaine LLP, said the combination of the privacy rules and the long-delayed and open-to-interpretation security standards could become a honey pot for law firms that specialize in class-action suits. Those firms, Marks said, believe HIPAA could be as lucrative as "asbestos and breast implant litigation combined." Asbestos and breast implant lawsuits in recent years have resulted in costly settlements and bankrupted companies in both fields. Marks, whose firm handles legal issues related to health care, estimated that meeting the security and privacy standards could cost the industry "millions of dollars." Marne Gordon, director of regulatory affairs at TruSecure Corp. in Herndon, Va., agreed. "This is all headed for the courts. Everyone is looking to establish case law." Gordon said she is also concerned that litigation-shy health care organizations may stick with paper records rather than roll out computerized physician order entry systems that could save lives by eliminating medical errors caused by paper records. Marks agreed and said concern about litigation over a failure to adhere to HIPAA security standards could dampen the use of technologies such as wireless LAN systems in hospitals -- especially if class-action lawyers hire security consultants to "sniff" hospital WLANs. Gordon predicted that any sizable health care organization will need to establish a chief security officer position to oversee HIPAA compliance and protect itself against litigation, a view both Henderson and Marks shared. Trudel said the HIPAA security standards were carefully crafted to be "technology neutral" and to allow health care providers wide latitude to devise their own security policies and practices based on their own risk assessments and risk management efforts geared to their specific size and complexity. CMS dropped many mandated requirements contained in an earlier proposed rule, making them merely "addressable," Trudel said. In other words, they're optional. For example, the encryption of PHI transmitted over the Internet is no longer mandated and can be based on risk assessment. That means that when one doctor sends e-mail to another doctor about a patient consultation, encryption may not be necessary. But if "you're a large [health care] organization sending a bunch of transactions, then you would want to encrypt," Trudel said. Jeff Fusile, a consultant at PricewaterhouseCoopers, disagreed, saying that in his view a doctor-to-doctor e-mail of a consultation on a patient with an AIDS diagnosis would definitely require encryption under the HIPAA security standards. That shows how risk analysis is key to implementing a security standard that doesn't mandate policies, procedures or technologies but requires health care organization instead "to think about and determine what is reasonable," Fusile said. Kaiser is already engaged in that kind of process, according to Henderson. From her perspective, two years goes by "awfully fast" when an organization as large as hers has to perform risk analysis and then remediation. Kaiser will also face another challenge during the next two years: training all 126,000 of its employees on security policies, as required by the act. Marks said the training requirement is so inclusive that health care organizations will need to train "everyone, including the cleaning staff, in case they come across PHI." - ISN is currently hosted by Attrition.org To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.


News URL

http://www.computerworld.com/securitytopics/security/story/0,10801,78684,00.html