Securing our Private Health Information


Dayton Green, MCP, NCSS, Network+, Security+, CHP, CSCS

As the Rio Grande Valley and South Texas continue to grow, the demand for technical advancements in healthcare systems and services is growing at a rapid rate.  As an example, the HITECH Act of 2009 was signed into law and, through its incentive payments and subsequent penalties, effectively requires healthcare providers to implement Electronic Medical Records (EMR) by January 2014.  A true convergence of healthcare and technology is necessary as we approach the paperless healthcare system recently mandated by the federal government.

As our private medical information is made available electronically, many questions arise concerning the safety of our personal information.  With cybercrime and identity theft on the rise, and increasingly lucrative for those who commit them, how easy will it be for cyber criminals to gain access to our personal information?

Legislation such as HIPAA and the HITECH Act does include provisions that address some of the security concerns surrounding our healthcare information, but at what cost?  The cost will vary depending on the size of an organization and the type of healthcare being provided.  Initial estimates put implementation costs at anywhere between $10,000 and $14 million, with the average estimate right around $3.1 million.  Will small practices and providers be able to support and sustain the cost of becoming compliant and of converting to electronic medical records?  The short answer is that providers will not have a choice.

Many local practices and providers in the Rio Grande Valley do not have internal Information Technology staff to support day-to-day infrastructure, much less a full-time security expert at their disposal.  It will definitely be a challenge for some of the smaller providers and practices to become compliant and convert to electronic medical records.  Some providers and practices might have to consider outsourcing billing and other functions to shrink the number of systems that fall within the scope of compliance and to bring their own safeguards within the "reasonable and appropriate" standard.  The legislation does not give providers an action-item checklist to weigh their security against: the HIPAA Security Rule names the kinds of safeguards expected (a documented risk analysis, access controls, audit logs, encryption as an "addressable" measure) but leaves the specific actions to be whatever is "reasonable and appropriate" for the size and function of the business.

The legislation and regulations are going to come as a shock to some of our uninformed healthcare providers as we quickly approach the deadline.  Time will be of the essence not only to get educated but to plan and budget for an intense change in the way that healthcare is practiced in the Rio Grande Valley and all over the nation.  To put the severity of security and technology in modern medicine into perspective, the HITECH Act also introduces stiffer civil fines, tiered by culpability up to "willful neglect," and criminal penalties for knowingly obtaining or disclosing protected health information.  Under HITECH a single violation can now cost up to $50,000, with the maximum civil penalty for a calendar year raised to $1.5 million.  The criminal penalty ranges from $50,000 and 1 year in prison up to $250,000 and 10 years of imprisonment when the information is obtained or disclosed for commercial advantage or malicious harm.  The penalties clearly outweigh the extra cost of becoming compliant.

Technology is both what prompted the legislation and the means of complying with it, so now is the time for healthcare providers to start educating themselves and their staff about technology and security.  Research needs to be done not only on how these changes affect providers internally, but on how they affect business associates, clients, and vendors alike; HITECH extends the Security Rule's obligations, and its penalties, directly to business associates that handle protected health information on a provider's behalf.  Technology and information security are soon to become the primary concern not only for healthcare providers but for many other industries as well.  As citizens we must also be concerned and aware of how our own healthcare providers adapt to the changes and secure our private information.