The Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, significantly increased the HHS Secretary’s authority to impose higher monetary penalties for HIPAA violations occurring after Feb. 18, 2009.
Prior to the HITECH Act, the HHS Secretary could not impose a penalty of more than $100 for each violation or $25,000 for all identical violations of the same provision. A covered health care provider, health plan or clearinghouse could also bar the Secretary’s imposition of a civil money penalty by demonstrating that it was unaware that it violated the HIPAA rules.
Section 13410(d) of the HITECH Act strengthened the civil money penalty scheme by establishing tiered ranges of increasing minimum penalty amounts, with a maximum penalty of $1.5 million for all violations of an identical provision. In addition, the HITECH Act removed the right for a covered entity to bar the imposition of a civil money penalty for an unknown violation, unless it corrects the violation within 30 days of discovery. The message is clear: play by the rules, or pay immensely.
HHS is taking security of health information seriously by imposing serious fines for HIPAA privacy breaches, but isn’t important to focus on preventing privacy breaches in the first place? With penalties of over $1 million, it is surprising to learn that the Healthcare Information and Management Systems Society “2009 HIMSS Security Survey” revealed spending on security measures for EHR systems is still negligible. Physician practices and hospitals may need assistance with incentives and funding for IT support.
The 196 study respondents, mostly CIOs and CSOs, reported that within the year 2008-2009 IT spending in most healthcare organizations has remained unchanged, with budgeting for security averaging 3% or less of overall IT spending. Shockingly, more than one-fifth of respondents said security accounted for less than 1% of their budget. This lack of spending for security may be a sign of the economic conditions, but healthcare organizations could also be putting more money and IT resources into their EHR conversion with security support left as an afterthought. This notion is supported by the study findings that only 50% of respondents even have a security breach response plan in place.
Despite low spending, the survey does show evidence that many organizations are implementing some good security practices. The majority of respondents reported that they collect and analyze audit logs; more than 80% review firewall logs; and more than 66% monitor IDS and application logs. In addition, over 50% of study participants reported conducting a formal risk analysis at least once per year. However, with a complete EHR system, is this enough?
This study brings to light some important issues. The government’s answer to protect health information is to impose harsh penalties for security breaches, but they are doing so in a health IT infrastructure that is fragile and bound to break. The big dollar placed on security breaches might “scare” covered entities, but is this really a positive way to motivate people to increase budgeting and planning for health IT security? These questions need to be answered, but regardless, the message is still clear: invest in health IT security measures, or succumb to the steep price tag now imposed on HIPAA security breaches.