The economic recession probably brought healthcare CEOs closer to their organizations' day-to-day activities. New federal HIPAA laws should have too. Daniel Nutkis, CEO of The Health Information Trust Alliance (HITRUST), believes compliance with HIPAA privacy and security starts from the top.
"Our experience shows that the more executive management and the board of directors are engaged in understanding the challenges and issues the more diligent the organization is in addressing information protection," says Nutkis. "HITRUST has seen a significant increase in the number of organizations that have added information protection as a component of their overall corporate responsibility measure or corporate philosophy."
HealthLeaders Media caught up this week with Nutkis for a Q&A about HIPAA privacy and security. The following are some highlights. The full Q&A can be found on the HCPro, Inc. HIPAA Update blog.
HealthLeaders Media: Federal laws on HIPAA changed with the signing of the American Recovery and Reinvestment Act (ARRA) of 2009. Did you see this coming?
Nutkis: ARRA is pushing for the broad adoption and utilization of health information systems, electronic health records, and electronic exchanges of health information. ARRA also recognizes the importance of information security in meeting this objective. Efficiency and reduced costs for consumers was the driver. HITRUST recognized this long before the signing of the bill, and we continue to be an advocate for more effective and efficient information protection in the healthcare industry.
HealthLeaders Media: What were the major flaws in HIPAA rules before the signing of the ARRA?
Nutkis: The primary issues with HIPAA are a lack of clear requirements and enforcement by government agencies. ARRA allows for a risk-based implementation of the safeguards outlined in HIPAA, which are themselves subject to interpretation, meaning there is no consistent application of security controls across the industry. While there are penalties for non-compliance, the industry rarely saw repercussions and subsequently rarely took HIPAA serious. While ARRA does not necessarily provide the prescriptive security requirements needed in HIPAA—like we find with PCI https://www.pcisecuritystandards.org/—it does provide focus for covered entities on breach notification, securing PHI, and business associate compliance.
HealthLeaders Media: What kind of an impact does the move to electronic health records have on HIPAA privacy and security?
Nutkis: The impact from EHRs comes in the form of increased focus on privacy and security. It is widely known to the general public that this is the direction the healthcare industry must go to contain costs and increase efficiency in healthcare. However, without proper security and assurance that personal health information will be kept private, consumers will be no more willing to share their health information electronically than they would their bank account or credit card number.
HealthLeaders Media: How should healthcare facilities be reacting right now to the new HIPAA laws in the Health Information for Economic and Clinical Health (HITECH) Act?