Strachan says if patients won't sign a release that holds the provider harmless for sending the EHR unencrypted, the provider should not be obligated to send the EHR that way.
Community Health, with annual revenues topping $2 billion, is a network of seven hospitals with a total bed count of approximately 1,500 and more than 200 ambulatory sites throughout central Indiana. CIOs such as Strachan aren't going it alone in their enterprises on such HIPAA decisions. Corporate privacy officers, compliance officers, and attorneys are part of the decision-making process, Strachan says.
"The way the people who I know in the business look at it, it's not a question of if you're going to have a breach," Strachan says. "The question is really when and how it is going to occur, and then how you react to your notification and the cleanup."
HIPAA's chief enforcement officer said as much at a June appearance at a patient privacy conference in Washington, D.C.
"Our rules do not proscribe a specific security approach or a specific kind of security, but they do require an actual process to evaluate whether in fact the things you are using are providing you an adequate level of security," said OCR Director Leon Rodriguez.
At the conference, Rodriguez was asked about the tension providers feel to provide healthcare data interoperability and data privacy simultaneously.
"I'm actually a person who thinks that tension is sometimes useful," Rodriguez said. "Tension helps you sometimes balance priorities, balance competing issues. To me, the patient always needs to be the fulcrum of the discussion. A lot of these questions ultimately can be resolved thoughtfully and correctly if both the interest and the dignity and autonomy of the patient are the fulcrum of the discussion, and I think generally you'll end up in the right place on these issues."
Technology to oversee HIPAA compliance will play a role in achieving that balance. At CaroMont Health, "we've done what lots of other organizations have done, which is listen to every webinar, printed the omnibus rule and read it a bazillion times, and put together a to-do list of the things that we have to get accomplished in order to be in compliance before the enforcement date," says Donnetta Horseman, vice president of corporate responsibility at the system, which features a 435-bed hospital and 43 primary and specialty physician offices headquartered in Gastonia, N.C.