Peter G. George, CEO, Fidelis Security Systems

Wednesday, September 1, 2010

How I See It

Health data breaches bring regulation and cost to providers

By Peter G. George, CEO, Fidelis Security Systems

Under the stimulus and health care reform bills, the federal government is investing billions in the development of electronic health records. This promises to increase provider efficiency, improve the patient experience, and eventually produce significant savings for everyone involved in the nation’s health care system.

But there is a cost to putting patients’ medical records into electronic form. That cost is the risk of data breaches, the intentional or unintentional loss of personal and confidential information. Data breaches potentially harm patients. They also inflict large direct and indirect costs on care providers and other organizations.

In response to this increasingly damaging and costly problem, legislators and regulators have jumped into the fray. More than 40 states now have breach notification laws on the books.

Legislators are turning to stricter laws, and those laws and regulations are starting to bite.

California’s health care data rules are Exhibit A in what regulations can cost health care providers. This summer the California Department of Public Health imposed administrative penalties and fines totaling $675,000 on five California hospitals for failing to prevent unauthorized access to patient medical information. The facilities were also required to submit and implement a plan to prevent future incidents.

Laws and regulations like this have serious limitations. They create a patchwork of regulations that can be daunting for large health care providers to navigate. They are next to impossible for a small provider to live with.

A more effective approach has three pillars: education and effective internal policies; technology; and federal legislation.

Every organization should have a well-known data policy, and every employee should be trained in how to obey it. There should be serious consequences for breaking that policy.

After education comes technology. Appropriate technology that understands the context and content of critical data flows can help enforce policies and regulations, as well as assist in a forensic analysis should a breach occur.

Finally, there is federal legislation. As the U.S. Congress considers data privacy legislation, it should be guided by four core principles.

• Clear, uniform and comprehensive application. Legislation should authoritatively define “personal data” and “identity.” It should establish national benchmarks, and it must apply to industry, as well as all levels of government.

• Use of current best practices. State legislators have been joined in the data security effort by businesses, trade associations and advocacy groups. These best practices, many of which are already used by health care organizations, should be used in the development of a national data privacy standard.

• Vigorous enforcement and substantial penalties. Federal agencies must be fully empowered and possess necessary resources to enforce the law. Given the damage caused by data theft, there should be stiff penalties and mandatory incarceration for intentional violations.

• Funded mandates. Implementing and monitoring a federal data protection law will be costly, especially for small health care providers and other businesses. The government should assist organizations in fulfilling a data protection mandate. This could include tax credits or other incentives for buying technology and the training to properly use it.

While data protection laws and regulations like California’s are a good start, they do not fully address the magnitude of the data breach problem. Education and internal policies, technology and federal legislation together will help ensure the adoption of electronic data collection and transmission in health care, and deliver the better outcomes and lower costs promised by the sector’s embrace of 21st century record keeping.

Peter G. George is president and CEO of Waltham-based Fidelis Security Systems.
