Part one of a two-part series
You can blame the spotty record of the healthcare industry in protecting the privacy and security of medical records on lax enforcement of federal law, and you'd be right, according to healthcare information technology experts.
Or, you can blame the same poor record on the culture of the healthcare industry itself, and you'd be right, again, at least in the opinion of one those experts.
But the stubborn facts are the record has been spotty and it remains to be seen whether the Obama administration can effect change in either federal enforcement policies or healthcare industry cultural norms toward privacy and security, according to physician IT maven Kenneth Kizer. He is the former head of the National Quality Forum, board chairman of electronic health-record system vendor Medsphere Systems Corp. and, from 1994 to 1999, he served as the top doctor at the Veterans Affairs Department, where he oversaw advancements in the VA's VistA clinical IT system.
It would be a safe bet for healthcare executives, according to Kizer, to assume there will be both tougher enforcement of medical records privacy and security rules and a struggle within healthcare organizations to change their cultures to meet these new enforcement demands.
“You have to take what I call a much more holistic look at it,” Kizer said. “A lot of the ills that people point to in healthcare and what's behind them, are some of the same problems we see in privacy protection. If you don't, all the rules and penalties aren't going to get you where you want to go.
“In a way, I see this as the same as patient safety and quality improvement,” Kizer said. “This just has to become an integral part of the fabric and culture of how healthcare is delivered. It should not be just an add-on or a compliance thing.”
Kizer addressed both law and culture in a 13-page white paper he co-authored, Stemming the Rising Tide of Health Privacy Breaches: The Need for a More Holistic Approach released in June by consultants Booz Allen Hamilton. Glen Day, a Booz Allen principal who heads its cybersecurity and privacy services for healthcare, was Kizer's co-author.
Some of Kizer's and Day's conclusions—that health information privacy and security risks are widespread, systemic and increasing—dovetail with the findings of another report on privacy and security released in October by the Ponemon Institute, Traverse City, Mich., that “conducts independent research on privacy, data protection and information security policy,” according to its Web site.
The 18-page Ponemon report, Electronic Health Information at Risk: A study of IT Practitioners, was based on a survey of 542 healthcare professionals who handle medical information. Respondents were leaders and technicians at hospitals and office-based practices, insurance companies, pharmaceutical and medical device manufacturers, claims handlers, pharmacies and pharmacy benefit managers.
A certain amount of caveat emptor should accrue to both reports. The Ponemon survey was sponsored by LogLogic, a San Jose, Calif.,-based IT login and security management software firm, while Booz Allen provides IT consulting services to the healthcare industry. Increased spending on privacy and security could benefit Ponemon's sponsor and Booz Allen directly.
Still, both reports point to hard evidence of a growing problem.
Kizer's and Day's report contains a table of 11 “Notable Healthcare Breaches” that occurred between April 2006 and February 2009 and in which an estimated total of more than 3 million patient records were exposed through internal fraud; stolen laptops, tapes and other storage media; and Web-based security failures.
The list of healthcare organizations where the breaches occurred reads like a “Who's Who” of the healthcare industry, including providers Kaiser Permanente (twice), New York-Presbyterian Hospital and Johns Hopkins Hospital, and payers Aetna, Humana, WellPoint and UnitedHealthcare.
“If you look at just in the last six months,” said Kizer, referring to several of the 11 California hospitals fined for privacy and security breaches, “these are all premium, top-of-the-line organizations, which again, to me, says that the problem is deeper and more systemic than just some outliers that don't get it. It really goes to the fabric of what's being done. It's just this big disconnect.”
Ponemon researchers found that IT professionals are aware of the current and looming privacy and security threats, but feel somewhat less than sanguine about their prospects for adequately dealing with them.
According to the Ponemon survey:
Less than half of responding healthcare IT professionals (47%) indicated they either “strongly agree” or “agree” with the statement: “My organization takes appropriate steps to comply with the requirements of HIPAA and other related healthcare regulations,” referring to the Health Insurance Portability and Accountability Act.
Just 46% of those surveyed responded similarly to: “My organization has adequate policies and procedures to protect health information.”
And 30% responded that way to: “My organization's senior management views privacy and data security as a top priority.”
Further, the report concludes, “The majority of IT practitioners in our study believe their organizations do not have adequate resources to protect patient's sensitive or confidential information.”
Coming in part II: A breaking storm