Occasionally, your Guide is able to bring you more information than just what he has crammed in his head. It has always been advisable to get information from as many different sources as you can, in order to make an informed opinion. So, when Mac McMillan shares his thoughts on medical identity theft and the various data security issues that surround the problem, you can bet they will be posted here.
Last month, I shared some thoughts on a report about the Centers for Medicare and Medicaid Services (CMS). Soon after, Mac sent this viewpoint.
Does Healthcare Need Stronger Oversight?
This past month we were all treated to another example of poor security performance, this time by none other than the folks managing Meaningful Use when the Centers for Medicare/Medicaid Services (CMS) were exposed for not filing the appropriate notifications under the Breach Notification Rule – not once, but multiple times. Not exactly the gold standard for setting the example. This had to be tough for the Secretary of Health & Human Services since she owns both CMS and the Office for Civil Rights (OCR), the organization responsible for enforcing HIPAA Privacy and Security, and must have made for an interesting staff meeting. But this is just one indication that patient privacy and security are not quite at the level they ought to be.
Last week we hit 500 major breaches, incidents involving the potential compromise of more than 500 individual medical records, since we started keeping track in 2009. That’s roughly one every other day of the year. We’ll let that sink in for a second. The number of records involved in all of these breaches is just short of 22 million. This of course does not include the tens of thousands of smaller breaches that have also been reported. If that does not feel like enough, let’s add the average 10,000 complaints OCR handles each year as well.
So what is causing all of these incidents? When we look at the results of complaint and breach resolutions we find a pattern of inadequate practices, carelessness or lack of attention/priority given. Even OCR themselves in a presentation delivered in May describing their observations from the first twenty random compliance audits conducted this year, stated that “compliance” did not seem to be a priority (PDF). Almost every resolution agreement or corrective action states a need for more workforce education.
But is education really the issue, or is it much broader? Is it perhaps an issue of culture? Has healthcare really accepted privacy and security as priorities and are they a part of our routine workflows, thought processes and decision making? The lack of commitment of resources, adoption of privacy and security technology, the number of incidents as well as the type of incidents and causal factors involved would argue that they are not. Even enforcement is having its challenges as Sen. Franken discovered when examining the Accretive incident this summer. His conclusion was that we needed more regulation, more oversight and more prescriptive controls around protection of patient information.
Franken’s bill – penned as a result of his committee’s investigation – was as much a reflection of the incident that caused it as a reaction to the lag in rules from HITECH, and the lack of action from the authorities handling the breaches. With all due respect to the committee and understanding fully how they could have come to their conclusions, I don’t agree that our industry needs more legislation now. Nor do I think it is appropriate to lay the blame on the workforce.
Ms. Sanches got it right in May – creating the right culture and setting priorities is the purview of leadership. The problems in healthcare security and privacy come down to culture and priorities. Leadership and Education – not legislation – should be the forces that change the course we’re on.