What Healthcare Professionals Need to Know About Protecting Their Digital Records
Posted: March 28th 2015
For healthcare professionals, understanding the relevant legislation can be a daunting task. They must learn how to adapt to changes in the world or face stiff fines and other penalties. This is especially true in the field of digital information management.
In 1996, then-US President Bill Clinton signed into law the Health Insurance Portability and Accountability (HIPAA) Act. The first part of the law protects the health insurance coverage of workers and their families when they change companies or lose their jobs. The second part mandated the creation of national standards for electronic health records (EHR).
Lawmakers would soon take this objective to the next level. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act granted the US Department of Health and Human Services (HHS) nearly $26 billion. These funds went toward advancing the efforts prompted by the HIPAA Act. Since then, healthcare professionals have been working to improve their digital systems.
Meaningful Use and the Criteria for Compliance
The government has also instituted an incentive policy for eligible medical practices and hospitals. The program pays healthcare professionals if they start using EHR technology. The payments range from $44,000 over five years for Medicare providers and $63,750 over six years for Medicaid providers.
To earn the government payments, hospitals and medical practices must show that their digital systems are in "meaningful use." This term refers to specific requirements that healthcare professionals must meet when they are using EHR for patient care.
In 2014, the program's Stage 2 rules for meaningful use of EHR systems went into effect. Eligible professionals must complete 20 objectives in order to prove meaningful use. Hospitals need to fulfill only 19 objectives. Among other things, these requirements include the following issues and implementations:
- Providing patients the ability to view, download, and send their health information online
- Using a computerized provider order entry for medication, radiology, and laboratory orders
- Generating and transmitting prescriptions electronically
- Using certified EHR technology for identifying patient-specific education resources
- Submitting electronic data for immunization registries
- Using secure services for digital communications with patients
- Protecting digital healthcare information
Signing up for the incentive program is voluntary. However, if medical professionals do not join by 2015, then they will receive negative adjustments to their Medicare/Medicaid fees. These adjustments will start at a 1 percent reduction, but will increase to 3 percent by 2017.
The Penalties for Failing to Protect Digital Databases
Although the incentive program is not mandatory, medical workers must still follow the rules set out in HIPAA and HITECH. Many of these rules, particularly those involving cyber security, overlap with the meaningful use criteria. Failure to follow them can be very costly.
Managed care company WellPoint Inc. learned this lesson in July 2013 after the company filed a report to HHS about digital security weaknesses. The report stated that the health information of 612,402 individuals was accidentally made available on the Internet due to flaws in their EHR system.
HHS started looking into the company after it filed the report. Its investigation determined that WellPoint had failed to sufficiently implement policies for authorizing access to its online database. The investigators accused the company of inadequately performing a technical evaluation of its system. They also said that it failed to establish safeguards for user identity verification. In the end, the company agreed to settle the matter by paying $1.7 million to the government.
The Need to Create a Safe and Secure Computer System
According to the HHS, the WellPoint case sent an important message about the dangers of failing to follow the law. The situation showed that those who fail to create a secure digital database could end up paying huge sums of money. This is true even for companies that update their systems, but fail to do so in the right way.
Medical facilities need comprehensive cyber security agendas if they want to become compliant with both the meaningful use criteria and the overarching legislative framework. They must also perform a security risk analysis and create a risk management strategy. The best way to get started is by contacting an experienced IT company.