“If individuals lack trust that information will be protected as health IT moves forward and as mobile devices continue to be used, it’s going to affect their willingness to disclose and share information and could have life-threatening consequences,” said John Benevelli, acting senior advisor, HIPAA Compliance and Enforcement, Office for Civil Rights. Benevelli spoke on a panel discussing privacy and security at the Centers for Medicare & Medicaid Services’ 2013 eHealth Summit on Aug. 2.
Benevelli urged providers to perform risk analyses and then develop mitigation strategies appropriate to their own environment. New technologies, including iPhones and iPads, need to be included in the risk analysis as possible sources of risk. “Make sure the apps you upload are appropriate,” he advised.
As mobile devices change, the risk analysis must be repeated. Appropriate sanctions for violations must be developed as well, he said.
From the payer side, Marilyn Zigmund Luke, senior counsel and compliance officer, America's Health Insurance Plans, said privacy and security must be the cornerstone of every health insurance transaction to guard against hackers and other nefarious actors.
Like Benevelli, she urged the identification of risks and challenges. For instance, the privacy and security risks of employees bringing their own devices into a healthcare environment require consideration; if such devices are allowed, they should be required to be encrypted, she said. Security needs are “more than just a password.”
Mark Savage, director of health IT policy and programs, National Partnership for Women & Families, said that while privacy and security are important, there is no inherent tension between these elements and the exchange of health information.
Citing a survey of patients, he said two-thirds did not want to stand in the way of the proper exchange of information but 80 percent worried about security and privacy.
To address widespread concerns, privacy and security priorities must be embedded in the culture, with related activities woven into the workflow. As examples of measures that could bolster privacy and security, he cited limits that allow providers to collect only what they need, patient consent, and policies that forbid re-identification of de-identified patient data.
Mary Rita Hyland, vice president, Cooperative Exchange, said from a technical side, every entity that handles patient data must be held accountable. "Data protection is everyone’s responsibility—patients, providers, vendors, payers—everyone is responsible."
All systems require testing before being integrated with external systems, she said, noting that breaches could occur if the wrong information is disclosed or input.
“We have to think about the potential of privacy and security failing points in external and internal systems. It could come down to one individual having a bad day and inadequately testing a new release or updating something that was collected incorrectly,” she said.
Hyland also said extensive system and software upgrades to accommodate ICD-10 could offer an opportunity for providers to test their privacy and security systems as well.