[ISN] New HIPAA security rules could open door to litigation

From: InfoSec News (isnat_private)
Date: Fri Feb 21 2003 - 02:55:25 PST


    By Bob Brewin
    FEBRUARY 20, 2003
    New federal security standards that cover how personal health
    information is electronically maintained or transmitted could create a
    legal nightmare for the health care industry, will require a massive
    training effort and could cost millions of dollars, according to
    hospital industry personnel who specialize in health care IT.
    The Health Insurance Portability and Accountability Act (HIPAA)
    security standards become law today with their
    publication in the Federal Register, but don't take effect until April
    21, 2005, according to the Centers for Medicare & Medicaid Services
    (CMS), part of the U.S. Department of Health and Human Services.
    Despite that time lag, the new standards will hit the nation's $1.3
    trillion health care industry quickly because they become the de facto
    security guidelines for federal privacy standards regarding health
    care information. Those privacy standards, which govern electronically
    protected health information (PHI), go into effect April 14, according
    to Mary Henderson, vice president of IT compliance and director of the
    national HIPAA program at Kaiser Permanente Health Plan.
    Kaiser is the nation's largest nonprofit health maintenance
    organization, with 8.4 million members, 29 hospitals and 423 medical
    offices staffed with 11,000 doctors.
    According to CMS, the new security standards will affect 2.6 million
    "covered entities," a group that includes the whole swath of the
    health care industry, from individual doctors to hospitals to major
    insurance plans such as Kaiser. While it doesn't mandate specific
    security technologies or procedures that should be used to meet the
    security standards, the CMS does spell out what information must be
    protected and what the industry should strive to do.
    Specifically, according to the CMS, health care organizations should:
    ensure confidentiality, integrity and availability of all electronic
    protected health care information; protect against threats to the
    security or integrity of such information; protect against
    unauthorized disclosure or use of protected health care information;
    ensure compliance by the entire workforce.
    Karen Trudel, deputy director of the office of HIPAA standards at CMS,
    said she doesn't disagree that the security standards could become the
    de facto standard for PHI, even though they don't go into effect until
    2005. But, Trudel said, the privacy rules cover paper and oral
    communications as well as electronic health information; the security
    regulations cover not only privacy but also the integrity and
    availability of information. They are designed to ensure that health
    care data is preserved and backed up in case of a system failure.
    Richard Marks, a lawyer at the Seattle-based law firm of Davis Wright
    Tremaine LLP, said the combination of the privacy rules and the
    long-delayed and open-to-interpretation security standards could
    become a honey pot for law firms that specialize in class-action
    suits. Those firms, Marks said, believe HIPAA could be as lucrative as
    "asbestos and breast implant litigation combined." Asbestos and breast
    implant lawsuits in recent years have resulted in costly settlements
    and bankrupted companies in both fields.
    Marks, whose firm handles legal issues related to health care,
    estimated that meeting the security and privacy standards could cost
    the industry "millions of dollars."
    Marne Gordon, director of regulatory affairs at TruSecure Corp. in
    Herndon, Va., agreed. "This is all headed for the courts. Everyone is
    looking to establish case law." Gordon said she is also concerned that
    litigation-shy health care organizations may stick with paper records
    rather than roll out computerized physician order entry systems that
    could save lives by eliminating medical errors caused by paper
    Marks agreed and said concern about litigation over a failure to
    adhere to HIPAA security standards could dampen the use of
    technologies such as wireless LAN systems in hospitals -- especially
    if class-action lawyers hire security consultants to "sniff" hospital
    Gordon predicted that any sizable health care organization will need
    to establish a chief security officer position to oversee HIPAA
    compliance and protect itself against litigation, a view both
    Henderson and Marks shared.
    Trudel said the HIPAA security standards were carefully crafted to be
    "technology neutral" and to allow health care providers wide latitude
    to devise their own security policies and practices based on their own
    risk assessments and risk management efforts geared to their specific
    size and complexity. CMS dropped many mandated requirements contained
    in an earlier proposed rule, making them merely "addressable," Trudel
    said. In other words, they're optional.
    For example, the encryption of PHI transmitted over the Internet is no
    longer mandated and can be based on risk assessment. That means that
    when one doctor sends e-mail to another doctor about a patient
    consultation, encryption may not be necessary. But if "you're a large
    [health care] organization sending a bunch of transactions, then you
    would want to encrypt," Trudel said.
    Jeff Fusile, a consultant at PricewaterhouseCoopers, disagreed, saying
    that in his view a doctor-to-doctor e-mail of a consultation on a
    patient with an AIDS diagnosis would definitely require encryption
    under the HIPAA security standards. That shows how risk analysis is
    key to implementing a security standard that doesn't mandate policies,
    procedures or technologies but requires health care organizations
    instead "to think about and determine what is reasonable," Fusile
    Kaiser is already engaged in that kind of process, according to
    Henderson. From her perspective, two years goes by "awfully fast" when
    an organization as large as hers has to perform risk analysis and then
    remediation. Kaiser will also face another challenge during the next
    two years: training all 126,000 of its employees on security policies,
    as required by the act. Marks said the training requirement is so
    inclusive that health care organizations will need to train "everyone,
    including the cleaning staff, in case they come across PHI."