A Q&A with Amit Trivedi, Healthcare Program Manager for ICSA Labs
When the American Recovery and Reinvestment Act of 2009 was signed by President Obama on February 17, 2009, it included the Health Information Technology for Economic and Clinical Health (HITECH) Act, which calls for programs under Medicare and Medicaid to provide incentive payments for the “meaningful use” of certified electronic health records (EHR) technology. I spoke with Amit Trivedi, healthcare program manager for ICSA Labs, an independent division of Verizon that’s involved in the certification and testing process for health records, about the concept of “meaningful use” and HITECH’s ramifications for data security.
Can you explain in layperson terms the “meaningful use” component of HITECH?
The idea behind meaningful use is that as part of healthcare reform, there’s roughly $20 billion earmarked as incentives for providers who meet the “meaningful use” benchmark. These incentives are designated for hospitals and providers, which are using certified electronic health records for “meaningful” activities such as electronic prescribing, exchanging health information with other providers or business partners, and submitting information about clinical quality and other measures. In this first of three planned stages of adoption of the law, which will most likely run until June 2012, organizations need to prove they are meaningful users according to the Stage 1 criteria, and that they are using certified systems.
Can the electronic health records (EHR) requirements also be a curse in that they create additional privacy exposures (and liability)?
As people begin to synthesize electronic records and IT systems into their organizations it will naturally open them up to vulnerabilities or risks they might not have had before. Adopting an EHR will lead to growing pains — as does the adoption of any new technology that is critical to operations and workflow. But even organizations that already have advanced clinical systems are going to have to move towards greater interoperability, and that is going to bring new risks, too. Another thing to keep in mind is size and scope: A solo doctor’s office and a large academic center with multiple hospitals are each going to have their own risks and complexities to figure out. What we do know is that HITECH gives added teeth to the existing Health Insurance Portability and Accountability Act (HIPAA) legislation. Whereas in the last decade HIPAA wasn’t actively enforced, it will now be monitored much more closely by the Office of Civil Rights, and there are now incentives for clinicians to purchase and implement secure, certified, electronic health record systems.
What are some of the potential pitfalls in data security with regard to EHRs?
There are a number of things that could potentially go wrong. One of the biggest things for administrators to keep in mind is that organizations are now required to publicly notify victims of data breaches, which can potentially be a big black eye for an organization. We’ve seen a number of healthcare organizations land on the front page of the paper for data breach incidents. Not having the proper policies and controls in place can lead to a breach. You often read about a stolen laptop or data hacked from a contractor’s unencrypted hard drive that contained private health information. The integrity of the network is that much more critical when these EHRs go online. In the past, hospitals wouldn’t be expected to have a hotshot IT department that could handle various issues, but now they need to be prepared to deal with any incident, just like all other major institutions.
What are accountable care organizations (ACOs)? How do they play into the legislation and do they add risk?
ACOs are another layer of the new provisions. They are a network of doctors and hospitals that share responsibility for providing quality care to patients. The idea behind the whole program is improving healthcare and being able to demonstrate that in a quantifiable manner. ACOs are given financial incentives for demonstrating improved care. For organizations, they add an additional level of administration. There are requirements for ACOs to be able to share de-identified, aggregated data, which can be complicated from a privacy perspective.
What can a customer do to mitigate risks for EHR security?
The main thing, when introducing any new technology, is to be aware of the risks involved and the best practices to follow. Security often gets left out of the budget but it’s an important item. You have to do due diligence and set up the proper procedures and controls. While this is new to the healthcare industry, there are plenty of other industries out there to learn from.
It is important to look beyond the incentive dollars and at the big picture behind the idea of “meaningful use.” Clinicians are not just being asked to slam in new technology. They are being asked to demonstrate that they have the right technology in place and that they can use it to safely and securely improve care delivery. With any new technology that is introduced into an environment, it is important to perform due diligence and ensure that the proper policies, procedures, and controls are in place to safeguard private health information.
This past year we conducted a Cyber Liability & Data Breach Insurance Claims study and one of our findings was that the healthcare sector business clients suffered the most losses (payable under cyber risk insurance) of all the sectors we covered. This ranges from staff mistakes to lost laptops to hacker breaches, but very often there is a third party business associate, contractor or vendor involved—and this is where the actual breach occurred. There are more than 600 vendors that offer EHR software and technology to the healthcare industry and all of these vendors, along with thousands of healthcare entities, are currently undertaking the process to demonstrate meaningful use and comply with HITECH. As Mr. Trivedi has said, with this process will come growing pains and inevitable data breach incidents.