The United States congress and the past several administrations have dedicated considerable funding for incentives focused on accelerating the adoption by the healthcare industry of Health Information Technology (HIT) solutions. The most recent effort towards these objectives includes a focus on the creation of a National Health Information Network that will support large scale exchange of health information. This chapter explores the technical, security and privacy implications of the advent of such an integrated network and the steps towards its successful completion.
TopBackground Of Regulatory Controls In Health Care
In an information system, controls are actions taken by people or software to minimize security risks. Controls also serve to direct desirable behavior and processes in an organization (Carter, Cobb, Earhart, & Noblett, 2008). The healthcare and financial industries are compelled to comply with several government imposed regulations (controls). While many organizations have developed and implemented their own sets of controls, the federal government enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The Act requires security and privacy controls on managing medical data. Organizations are required to comply to HIPAA regulations if the organization provides a health plan for employees, provides healthcare to patients, or provides healthcare insurance. Compliance to HIPAA is enforced by the US Health and Human Services (HHS) Department. The law requires the HHS to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers (HISPC, 2007).
Failure to properly apply HIPAA security controls can result in civil monetary penalties imposed by the HHS. The Security of Treasury is empowered to impose tax penalties on organizations that are not in compliance (Foultz, 2004). After February 18, 2010, the HHS is authorized to penalize HIPAA violators up to $1.5 million, a 60% increase of current limits (CMIO, 2009). This new authorization is problematic because many healthcare providers are not in compliance with HIPAA primarily due to the lack of funds and understanding the regulations (Netchert, 2008; Foultz, 2004).
In 2004, President Bush directed the HHS to develop, plan, and guide the implementation of nation-wide health information technology (GAO-07-988T, 2007). As part of the directive, the HHS is responsible for the protection of personal health information that will populate a nation-wide healthcare database. The GAO report identifies key challenges that have yet to be addressed by the HHS. Challenges associated with the safeguarding the exchange of electronic health information include: understanding and resolving legal and policy issues; ensuring appropriate disclosure; ensuring individual’s rights to request access and amendments to health information; and implementing adequate security measures for protecting health information.
The Health IT for Economic and Clinical Health (HITECH) Act enacted in 2009 gives the HHS authority to impose increased financial penalties on organizations in non-compliance to HIPAA. Maximum fines outlined in HIPAA are a maximum of $25,000. According to HITECH regulations, the HHS can fine organizations up to $1.5 million (HHS, 2009) for HIPAA violations. The Health Information Technology for Economic and Clinical Health (HITECH) Act is part of the contested stimulus legislation. HITECH authorizes limited funding of EHR implementation.