Friday, June 8, 2012

HIPAA Compliance and the Hospital CTO

I understand the need to respect patient privacy of personal medical information, and I would expect that hospitals and clinics would take normal IT business precautions to keep this information safe from inappropriate inside and outside access. 

I was shocked to read a recent post on the blog of John Halamka, MD who is Chief Information Officer of Beth Israel Deaconess Medical Center, Chief Information Officer of the Harvard Medical School, and a practicing Emergency physician. 

What is keeping him up at night?  Here's what he said, "as a CIO, it's the mounting regulatory and compliance pressures that keep me up at night. They will require a level of resources and focus that will reshape my plans for the next year or more."

Specifically, here's what he has to implement over that period:
"*An enhanced encryption program to ensure all personal laptops/tablets that access hospital systems are encrypted.

*An enhanced mobile/BYOD program that ensures all personal smart phones that access hospital systems are password protected, have timeouts, and are encrypted as technology permits.

*An enhanced learning management infrastructure so that every person in the BIDMC ecosystem can be held accountable for completing training requirements, including security and compliance topics. Creating this infrastructure requires a new level of identity management that captures roles and characteristics for employees, volunteers, board members, and contract workers.

*Enhanced Conflict of Interest reporting including the management tools needed to follow up on any disclosed conflicts.

*A comprehensive audit of our security program and policies - where are we "standard practice" and where are we "best practice"."

There's no doubt that hospitals, clinics and health care providers never had their databases "hermetically sealed," particularly in the old days when everything was in those awful manila folders flopping around shelves.  No problem, that's why we have IT.  Instead, when you go to visit a clinic for routine medical care, you're told where to stand so that you don't see your neighbor's confidential information or overhear her conversation with the receptionist.  You sign a boilerplate form about the clinic's privacy policy, which nobody reads.  You typically receive on an annual basis a boilerplate report on the clinic's policy and sign off that you have read it.  Do a Google search for "HIPAA compliance" and look at the endless list of IT software, systems and consultants who can help drain money away from care into their pockets.

Does any of this improve the clinical quality or efficiency of our health care?  I think not.  Dr. Halamka's FY 2013 IT budget, he says, will devote over one third (!) of its dollars to security and compliance projects.  Remember that this is not for bringing clinics in Appalachia up to speed.  That level of spend is for parts of the Harvard health system.  I think they know how to respect patient privacy of information without being told by Federal and state governments.

In 2003, medical practitioners writing in peer-reviewed journals warned about the added costs for imperceptible benefits.  Since the Federal act merely put a floor on compliance standards, after individual states added their own webs of regulation, we've arrived at the situation that Dr. Halamka faces.
