Privacy and Security: How to Make Sense of all the Regulations

It seems like not a week goes by without some organization being fined in excess of a million dollars for some type of PHI (Protected Health Information) security breach. The latest breach this week has to do with a leased photocopier. Apparently Affinity Health Plan, a New York-based managed care plan, returned a leased photocopier whose hard drive still held PHI for up to 344,579 individuals.

According to an article by Healthcare IT News, “the investigation revealed that Affinity failed to incorporate the electronic PHI stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule.” But which security rule? One would assume the HIPAA Security Rule, which does require a risk analysis covering all electronic PHI an organization holds, wherever it happens to be stored. But could it also be The Joint Commission, or Meaningful Use, or even State rules? And within all those rules, where does it spell out how leased equipment must be handled before it goes back to the vendor? And how many people must Affinity Health Plan have on staff to comb through all these rules and enforce them?

With 806 employees, Affinity Health Plan might have the resources to absorb the costs of continually monitoring and enforcing all the rules and regulations. But what about small healthcare facilities, or especially a solo-practice primary care physician? Trying to keep up with all the privacy and security rules, on top of all the other mounting overhead requirements in healthcare, is causing many healthcare providers to rethink their career path.

One organization that is gaining attention in the healthcare privacy and security area is HITRUST. At first glance, HITRUST appears as if it might be one more organization with additional rules and regulations regarding privacy and security policy. But, in fact, HITRUST imposes no new rules or regulations; rather, it consolidates 17 authoritative sources on privacy and security into one place.

HITRUST offers a framework called the Common Security Framework (CSF). An organization can assess itself against the CSF, or have an independent third-party assessor validate the assessment and certify the result. One key aspect of the CSF is that it is flexible enough for small organizations to use.

It is these small organizations in particular that don’t have the resources to comb through all the rules and regulations themselves and don’t have the financial capability to pay someone to do it for them. The CSF self-assessment lets the little guys use the tool and get feedback on how they are doing without sorting through all the regulations independently.

Maybe one of the reasons there are so many headlines about privacy and security breaches is that the number of sources and the sheer volume of rules make it an almost insurmountable task for healthcare facilities to do their due diligence. Should Affinity Health Plan have known that it was liable for leased equipment, or that those copiers kept images of everything scanned, copied and faxed on an internal hard drive until it was wiped or overwritten?

PHI is very important to protect. But the industry needs concise and clear guidance on privacy and security policy, something a small practice can get its arms around. Is HITRUST the solution? It seems like a good start.