Home » Data Protection » PCI and Compliance

Industry View

Five Steps to HITECH Preparedness

Ready for HITECH's stringent Personal Health Information protection requirements? ID Experts' Rick Kam provides a high-level plan.

By Rick Kam, ID Experts

June 18, 2009 — CSO —

CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, includes new privacy requirements that experts have called "the biggest change to the health care privacy and security environment since the original HIPAA privacy rule." These include:

New requirements around managing Protected Health Information (PHI) information, including extending accountability from healthcare providers to their business associates;
New federal rules for data breach notification, including specific notification thresholds, timelines and methods;
Effective immediately, increased and sometimes mandatory penalties with maximum fines ranging from $25,000 to as much as $1.5 million.

No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization's credibility and can carry huge medical and financial risks to the people whose data is lost. We've managed hundreds of data breaches and helped thousands of identity theft victims. Through this we've learned firsthand that compliance doesn't necessarily equal low risk for data breach. For the well being of the business and patients, healthcare organizations and their partners need to take the most comprehensive approach to securing PHI.

HITECH Compliance Beyond Prevention, Security Beyond IT

Organizations often think first of IT security measures to protect personal data, but we have found through working with healthcare organizations that most data breaches are linked to human error or process failure, rather than technology—a desktop computer with PHI was stolen, a data backup tape lost in transit, a web update wasn't thoroughly tested and left access open.

In fact, a recent study by PriceWaterhouseCoopers, CSO Magazine and CIO Magazine (The 2008 Global State of Information Security Study) found that only 5% of data breaches are caused by malicious cyber-attacks.

These incidents didn't result from lack of HIPAA compliance but rather from mistakenly thinking that compliance measures that had been taken were sufficient to prevent a data breach incident.

In 2008, 44% of breach incidents were due to third-party handling of data. With HITECH, organizations will now be held responsible for a third party's handling of your data. In fact, many of the healthcare-related data breaches in the news have been a result of lax security practices at a third-party service provider or to insider data theft. For example, a medical center used a courier to transport patient files and the files were lost somewhere in transit. The medical center was held accountable and financially responsible even if the courier was at fault.