Information Security News mailing list archives

New HIPAA security rules could open door to litigation


From: InfoSec News <isn () c4i org>
Date: Fri, 21 Feb 2003 04:55:25 -0600 (CST)

http://www.computerworld.com/securitytopics/security/story/0,10801,78684,00.html

By Bob Brewin
FEBRUARY 20, 2003
Computerworld

New federal security standards that cover how personal health
information is electronically maintained or transmitted could create a
legal nightmare for the health care industry, will require a massive
training effort and could cost millions of dollars, according to
hospital industry personnel who specialize in health care IT.

The Health Insurance Portability and Accountability Act (HIPAA)
security standards become law today with their publication in the
Federal Register, but don't take effect until April 21, 2005,
according to the Centers for Medicare & Medicaid Services (CMS), part
of the U.S. Department of Health and Human Services.

Despite that time lag, the new standards will hit the nation's $1.3
trillion health care industry quickly because they become the de facto
security guidelines for federal privacy standards regarding health
care information. Those privacy standards, which govern electronically
protected health information (PHI), go into effect April 14, according
to Mary Henderson, vice president of IT compliance and director of the
national HIPAA program at Kaiser Permanente Health Plan.

Kaiser is the nation's largest nonprofit health maintenance
organization, with 8.4 million members, 29 hospitals and 423 medical
offices staffed with 11,000 doctors.

According to CMS, the new security standards will affect 2.6 million
"covered entities," a group that includes the whole swath of the
health care industry, from individual doctors to hospitals to major
insurance plans such as Kaiser. While the rule doesn't mandate
specific security technologies or procedures for meeting the security
standards, CMS does spell out what information must be protected and
what the industry should strive to do.

Specifically, according to CMS, health care organizations should:
ensure the confidentiality, integrity and availability of all
electronic protected health information; protect against threats to
the security or integrity of such information; protect against
unauthorized disclosure or use of protected health information; and
ensure compliance by the entire workforce.

Karen Trudel, deputy director of the office of HIPAA standards at CMS,
said she doesn't disagree that the security standards could become the
de facto standard for PHI, even though they don't go into effect until
2005. But, Trudel said, the privacy rules cover paper and oral
communications as well as electronic health information; the security
regulations cover not only privacy but also the integrity and
availability of information. They are designed to ensure that health
care data is preserved and backed up in case of a system failure.

Richard Marks, a lawyer at the Seattle-based law firm of Davis Wright
Tremaine LLP, said the combination of the privacy rules and the
long-delayed and open-to-interpretation security standards could
become a honey pot for law firms that specialize in class-action
suits. Those firms, Marks said, believe HIPAA could be as lucrative as
"asbestos and breast implant litigation combined." Asbestos and breast
implant lawsuits in recent years have resulted in costly settlements
and bankrupted companies in both fields.

Marks, whose firm handles legal issues related to health care,
estimated that meeting the security and privacy standards could cost
the industry "millions of dollars."

Marne Gordon, director of regulatory affairs at TruSecure Corp. in
Herndon, Va., agreed. "This is all headed for the courts. Everyone is
looking to establish case law." Gordon said she is also concerned that
litigation-shy health care organizations may stick with paper records
rather than roll out computerized physician order entry systems that
could save lives by eliminating medical errors caused by paper
records.

Marks agreed and said concern about litigation over a failure to
adhere to HIPAA security standards could dampen the use of
technologies such as wireless LAN systems in hospitals -- especially
if class-action lawyers hire security consultants to "sniff" hospital
WLANs.

Gordon predicted that any sizable health care organization will need
to establish a chief security officer position to oversee HIPAA
compliance and protect itself against litigation, a view both
Henderson and Marks shared.

Trudel said the HIPAA security standards were carefully crafted to be
"technology neutral" and to allow health care providers wide latitude
to devise their own security policies and practices based on their own
risk assessments and risk management efforts geared to their specific
size and complexity. CMS dropped many mandated requirements contained
in an earlier proposed rule, making them merely "addressable," Trudel
said. In other words, they're optional.

For example, the encryption of PHI transmitted over the Internet is no
longer mandated and can be based on risk assessment. That means that
when one doctor sends e-mail to another doctor about a patient
consultation, encryption may not be necessary. But if "you're a large
[health care] organization sending a bunch of transactions, then you
would want to encrypt," Trudel said.

Jeff Fusile, a consultant at PricewaterhouseCoopers, disagreed, saying
that in his view a doctor-to-doctor e-mail of a consultation on a
patient with an AIDS diagnosis would definitely require encryption
under the HIPAA security standards. That shows how risk analysis is
key to implementing a security standard that doesn't mandate policies,
procedures or technologies but instead requires health care
organizations "to think about and determine what is reasonable,"
Fusile said.

Kaiser is already engaged in that kind of process, according to
Henderson. From her perspective, two years goes by "awfully fast" when
an organization as large as hers has to perform risk analysis and then
remediation. Kaiser will also face another challenge during the next
two years: training all 126,000 of its employees on security policies,
as required by the act. Marks said the training requirement is so
inclusive that health care organizations will need to train "everyone,
including the cleaning staff, in case they come across PHI."
