A recent survey described in an article by Healthcare IT News notes that preventing data breaches is the NUMBER ONE priority for IT decision makers in US hospitals.
While reducing risks of data breaches is important to them, of these same decision makers:
- 38 percent still report they cannot track inappropriate access in accordance with the regulations
- 19% of respondents said they themselves do not understand the HITECH Act.
The implication is clear: while preventing data breaches is of the greatest importance to them, their ability to address their HITECH compliance obligations, and in doing so prevent data breaches from occurring, is sorely lacking.
"The results of the survey demonstrate that hospitals are struggling to balance the need for greater security with the established workflow of physicians and staff. It is imperative that hospitals secure user access without re-engineering established clinician workflows, say survey officials."
The new privacy rules recently published by the Department of Health and Human Services in the NPRM (Notice of Proposed Rulemaking), if enacted, will only accentuate the challenges to hospitals. They would require that hospitals, and other HIPAA covered entities, "provide notice to individuals indicating that most disclosures of PHI for which the covered entity receives remuneration would require the authorization of the individual."
So going forward, hospitals will be required to gain permission from patients to share information about them with any entity that is compensating the hospital for use of the data. In the past, they were permitted to share without permission, and it is likely that their systems and processes lack the appropriate level of granularity today to allow patients this level of control. More work for the hospital IT security team.