This white paper outlines considerations and recommendations for reducing business risk by ensuring

Published: 10th December 2009
This paper provides forward-looking guidance to health IT managers and healthcare executives who could significantly reduce the business risks associated with the confidentiality requirements of electronic health information (EHI). We compare the healthcare regulatory environment with that of financial services regarding the handling of customer confidential information. Because each industry segment has followed a very similar path, and because the critical milestones of financial services legislation were passed years earlier, the healthcare industry has the opportunity to learn from financial service providers' mistakes. We discuss some of the lessons that can be learned from the financial services industry, how to avoid the pitfalls it has uncovered, and how to create an effective and efficient information security program.



Regulatory Parallels
The lessons learned by the financial services industry are important because the compliance requirements of both industries are on similar paths regarding data security. Roughly, the experience has evolved as follows: IT becomes more integrated with business operations (in both healthcare and financial services); the inevitable data security breaches occur, which was to be expected given the vast data stores of customer/patient confidential data; and regulators react with breach notification laws. Once these laws go into effect, the rate of breach notifications grows significantly.




A Very Brief Regulatory History and Comparison
In financial services, a major regulatory milestone occurred in 2001 with section 501(b) of the Gramm-Leach-Bliley Act (GLBA), which required financial service firms, among others, to establish standards for protecting the security and confidentiality of customers' non-public personal information. This got the financial services industry thinking seriously about its information security program. In healthcare, the Health Insurance Portability and Accountability Act (HIPAA), specifically the Security Rule, was the regulatory event that put information security on the industry's radar.



However, what really got financial services acting on their security and taking their information security programs seriously was the State of California's breach notification requirement, which became effective July 1, 2003 with SB 1386. Under that California State Senate Bill, any disclosure of a customer's unencrypted confidential information required the entity that lost the information to notify the customers whose data was compromised. Knowing that sending "oops, we lost your data" letters to a large list of customers inevitably ends up in the news, this bill essentially shamed institutions into taking their information security programs seriously. Although it was a California state law, most large customer databases (no matter where the companies were headquartered) contained some California residents, so the legislation affected most companies nationwide. It also prompted most other states to follow suit with similar laws - currently most states have comparable breach notification laws.



The number of reported data breaches and lost records has grown significantly since the enactment of SB 1386 and the similar laws enacted since then in most other states. Governor Schwarzenegger has now expanded California's breach notification law with the passage of AB 1298, which became effective January 1, 2008. It expands the definition of personal information in SB 1386 to include medical information and health insurance information. In addition, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 is meant to improve the quality and efficiency of healthcare with $19.2 billion in funding to promote electronic health records (EHRs) via health IT. It was signed into law on February 17, 2009 by President Obama as part of the stimulus package - the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act extends the security and privacy provisions of HIPAA and expands the definition of a covered entity. It requires covered entities to notify the individuals whose information was compromised, as well as the Secretary of Health and Human Services and media outlets for breaches of 500 or more records. It also extends the HIPAA Privacy and Security Rules to business associates. ARRA also provides cash incentives for compliance, as well as penalties for non-compliance.



Expect additional security breach incident news in the healthcare industry due to this kind of legislation.



Of course, it is not the number of breaches that grows because of breach notification requirements, only our awareness of them, because security incidents that would otherwise have gone undisclosed are publicized. However, the business impact of a breach is magnified when an incident hits the news. Hundreds of breaches have been disclosed because of the notification requirements, and a review of some of the high-profile cases makes the extent of the business impact clear.







For questions and comments please email Redspin at info@redspin.com.




To view the full article please visit our website at http://www.redspin.com/research_request_HealthcareLeaders.html

Source: http://redspininc.articlealley.com/this-white-paper-outlines-considerations-and-recommendations-for-reducing-business-risk-by-ensuring-1284224.html

