Survey: Health providers not ready for new privacy rules

Many healthcare organizations are not prepared to meet tougher privacy and security terms contained in the health IT stimulus law, according to a survey by the Healthcare Information and Management Systems Society. The HITECH provisions of the law strengthened penalties for mishandling personal health information by providers.

Security budgets are low and organizations lack a plan for responding to threats or a security breach, according to the findings, which were  published Nov. 3. Many healthcare organizations also have not named a chief security officer or chief information security officer.

These hurdles indicate that organizations are not making compliance with the privacy and security provisions of the HITECH Act and future health IT regs a top priority, said Lisa Gallagher, senior director for privacy and security at HIMSS.

“Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies,” she said.

According to the survey findings, healthcare organizations are not taking advantage of all currently available security technologies to keep patient data safe. For instance, respondents said they use audit logs of data from firewalls and servers as common information sources.  Yet only 25 percent reported that they electronically analyze the data.

Also, while 67 percent said they use encryption to secure data in transmission, fewer than half encrypt stored data.

“This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery,” Gallagher said.

In the future, e-mail encryption and single sign-on were most frequently identified as technologies that those surveyed will install.

Passage of the HITECH Act did not result in larger security budgets, the survey found. About 60 percent reported that their organization spends 3 percent or less of their IT budget on information security. This is consistent with the spending level in the 2008 study, the first year HIMSS conducted the survey.

Nearly all those responding said their organizations share patient data in electronic formats, most often with state agencies. In the future, they are most likely to share data with health information exchanges, the survey showed. About 40 percent said these sharing arrangements have enhanced health information security in their organizations.

Government Health IT magazine is published by HIMSS. The report is online.