Braithwaite: Security Funding EssentialBuilding Trust Requires Adequate Investment
"Privacy and security are given short shrift with budgets because people don't yet understand how important they are," Braithwaite laments. "The age of the patient trusting a doctor who kept all the records in a locked cabinet is past. The patients still trust their doctors; we have to enable them to trust the whole system that shares their health information."
In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, following his presentation at the National HIPAA Summit, Braithwaite:
Braithwaite is chief medical officer for Anakam, a security technology company now owned by Equifax. He spent seven years as a senior adviser at the Department of Health and Human Services. He was one of the authors of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 and a major contributor to the subsequent regulations setting federal standards for privacy and security.
HOWARD ANDERSON: Given your background, and being involved in HIPAA from the beginning, how do you see HIPAA continuing to evolve in the years to come?
WILLIAM BRAITHWAITE: Well it's interesting that the two parts of HIPAA that we are discussing here at the HIPAA Summit 2011 are privacy and security. HIPAA originally meant health insurance portability, but HIPAA in the industry today means privacy and security. And I think those two things are going in different directions. That is, privacy was written as something very specific ... and that was because the thinking was that the principles behind privacy are things that have been around [a long time], unchanged basically, although they've been expressed in several different ways in different countries around the world. Those concepts have been the same for decades. In order to apply those basic principles to the way healthcare is operated, we needed to put out very specific policies and procedures and mechanisms to make it work.
Security, on the other hand, is looking at a lot of technology, and [considering] mechanisms for both violating security and preventing violations of security, which are changing very rapidly. So the security rule was written at a very high level to analyze what the problems are, fix the problems, monitor them and go back and keep doing that to keep up with the technology.
So, what I see happening is in the privacy world, the rules are getting more refined; societal norms about what we want to do to preserve the privacy of individuals is changing very slowly. But as it changes, we can tweak the privacy rule pretty easily to meet those new needs. Patients are becoming much more aware of their medical information and the fact that they have rights to access it, and so they are tweaking the privacy rule to make that access more electronic, more modern, and so it doesn't violate any of the original underlying principles, but it is enabling people to get better access to their information. ...
For security, what we're seeing is that the rule isn't changing. The rule is the same as it was when it was first published, because it is so general. What's happening is we are getting guidance ... a good example of that is encryption. Encryption is now really easy to implement and it's really cheap to implement, and we're seeing more and more breaches of health information caused by the loss or theft of portable devices or media. So [federal authorities] put out guidance that says if your security is breached, you've got to do something significantly expensive about that, like notifying everybody and facing fines and so on ... as a carrot to do something about it. And they put out guidance that says if you implement encryption, which is one of the options under the security rule, but not a demand, then you won't be subject to the consequences of reporting those kinds of breaches caused by theft and los. ...
HITECH EHR Incentive ProgramANDERSON: The only privacy and security criteria for Stage 1 of the HITECH Act electronic health record incentive program is to conduct a risk assessment and take action to address the risks that are identified.
BRAITHWAITE: Which is the basic HIPAA security rule.
ANDERSON: That's right. The draft criteria for Stage 2 of the incentive program don't yet include anything further, but those will be added later on this year. Would you like to see it include an encryption mandate?
BRAITHWAITE: ... Because the technology changes so fast, it's tough. But at the moment, I would say yes, because I believe that encryption is the right answer to many of these questions. Because the two major gaps, from my perspective, in the security realm have to do with loose data - which encryption would deal with - that gets passed on to other people through theft and loss, and the lack of identity management. In fact, meaningful use requires that people open up the electronic data in the EHR to the patients. The patients have to be given access to the information. And there are a variety of ways of doing that of course, but the cheapest way to do that is to have a patient portal so the patient can log in and get their own information in whatever form they want.
But there is no ... standard for managing the identities of those patients so that you are certain that the person logging in is, in fact, the patient or someone that the patient has given proxy rights to. It is common knowledge at this point that user name and pass code is not enough to secure very sensitive information. So adding multi-factor authentication ... for remote access to sensitive information is something that I think should be a requirement.
Business Associate AgreementsANDERSON: The proposed modifications to HIPAA under the HITECH Act make it clear that business associates must now comply. Do you believe healthcare organizations still need to draft detailed business associate agreements?
BRAITHWAITE: Yes ... The issue is that the business associates are not allowed to do everything that a covered entity is. ... What the business associate agreement does is contractually limit what the business associate can do with that information. So in addition to "You must follow privacy and security rules like the rest of us," it limits the availability of that information and what they can do with it and thereby protects the information.
Budgets for Security Inadequate
ANDERSON: Any other final advice on HIPAA compliance tips that you wish more people would keep in mind?
BRAITHWAITE: Well you know the biggest thing is education. ... I am just totally blown away by the fact that privacy and security are given the short shrift with budgets ... because people don't yet understand how important it is. They don't understand that the age of the patient trusting the doctor who kept all the records in a locked cabinet in the back office is past. The patients still trust their doctors, but we have to enable them to trust the whole system that shares their health information for a whole incredible number of valuable things for both the patient themselves, and for the operation of the healthcare system, and for improving the health of the population in general.
And as long as we are sharing that kind of information, we have to do it in a way that's secure, that ensures the patient's privacy and is transparent enough to provide the patient with a sense of trust that even though the doctor isn't the one holding my information any more, I still trust that my information is going to be used appropriately for my benefit and for the benefit of the whole population. Therefore, I feel comfortable about sharing that information, and, where appropriate, I give them my permission for it to be shared in this trusted system.
If the patients and/or the doctors don't trust the system, they won't share the data, and all the benefits for doing electronic health information technology and sharing and using that information for the benefit of all will be lost.