Kroll’s advice on complying with HITECH
In April of this year Kroll Fraud Solutions released a report showing that the healthcare industry tends to be more reactive than proactive when it comes to data security. This, frankly, is not good enough. The move to electronic health records (EHRs) under HITECH (the Health Information Technology for Economic and Clinical Health Act) is gathering pace, and at the same time the associated data protection rules are becoming more stringent. In particular, a more rigid mandatory breach notification scheme imposes a naming and shaming regime whenever an organisation regulated by HITECH ‘loses’ personal health information; and in this industry the ‘shaming’ aspect could be catastrophic.
Far better to abandon the old reactive stance and become proactive; both to comply with the regulations and to avoid the breach notification requirements by avoiding a breach. Brian Lapidus, the chief operating officer for Kroll’s Fraud Solutions division, offers five security tips to ensure this. If you are defined as a covered entity under HITECH:
Protect outsourced data. You must know exactly where and how your data is stored by each of your third-party vendors, because even if it is the vendor that suffers the breach, it is you who must notify the affected individuals and the appropriate federal entities.
Make sure all portable media devices are fully encrypted. The bottom line is that encrypted data cannot be ‘lost’ as far as the Act is concerned: HHS’s guidance on unsecured PHI treats data encrypted in line with NIST standards as secured, provided the decryption key has not itself been compromised. A laptop or USB drive that is merely password-protected, or encrypted with the key stored alongside the data, does not qualify.
Train your staff. “Employee training,” says Lapidus, “is the most important thing an organization can do to assure that its privacy and security policies are correctly implemented. The most successful organizations make training part of the culture as compared to those organizations who limit training to reviewing a manual and signing an agreement.”
Plan for an event, and then test your plan. The HITECH Act specifies that notification must occur without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. “Let’s face it,” says Lapidus, “from the moment you uncover a breach, every second counts. That’s why all healthcare organizations are under pressure to develop and implement a breach preparedness and actionable incident response plan.”
Understand the complexity of breach response and notification requirements. Even though the new HITECH requirements are federal, your organization will still be required to comply with the state laws that govern breaches of PII and PHI. Depending upon the number of affected individuals (a breach involving 500 or more people, for instance, must be reported to HHS straight away rather than in the annual log, and one involving more than 500 residents of a state must also be reported to prominent media outlets), among other variables, your notification obligations under HITECH and applicable state laws could include notifying the Department of Health and Human Services (HHS), the Centers for Medicare and Medicaid Services (CMS), local media, state attorneys general, and affected businesses. Missing a deadline could result in hefty penalties or fines.