Forward Into the Breach: Private Practice and Data Security

The average healthcare organization incurred 2.4 significant data breaches in the past two years, costing each hospital more than $2 million per organization. You would hope this problem would begin to abate with the passage of the HITECH Act (the law enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology), but that isn’t looking too good either at the moment.

“Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.” John Perry Barlow, Fellow at Harvard University’s Berkman Center for Internet and Society and, more impressively, lyricist for the Grateful Dead.

Prior to the HITECH Act, the Department of Health and Human Services could not impose a penalty of more than $100 for each security or privacy violation or $25,000 for all identical violations of the same provision. Additionally, a covered health care provider, health plan or clearinghouse could also avoid a civil monetary penalty by showing it didn’t know that it violated the HIPAA rules. (This reminds me of that old Steve Martin routine where he says, “I forgot armed robbery was against the law,” but I digress.) The HITECH Act significantly increased the cost of breaching security by increasing the minimum penalty amounts and raising the maximum penalty to $1.5 million for all violations of an identical provision. Also, you can no longer weasel out of fines for an unknown violation unless you successfully correct the violation within 30 days of discovery.

Guess what? In the Ponemon study, 71 percent of senior managers queried said they didn’t think the HITECH Act regulations have significantly changed their practices for handling patient records. Swell.

Commenting on the study, Rick Kam, president and co-founder of ID Experts, put it in pretty stark terms: “We talk with healthcare compliance people dealing with data breach risks every day and they just can’t get their arms around the problem of data exposure. Unfortunately, in healthcare organizations, patient revenue trumps risk management.”

That last quote may contain the answer to the problem. Fining providers when they breach patient security apparently isn’t the right way to structure the incentive. The government must learn what parents have known all along: bribery works. Kid cleans room, kid gets allowance. Kid washes car, kid gets $20. Kid gets a good report card, kid gets to use the car. Okay government: time to make one of those fabled pay-for-performance incentives a reward for keeping patient data safe. If paying providers to adopt electronic means of managing patient data is driving them to adopt EMRs, then paying them to turn on the privacy features might just help.

Author: Lisa Suennen

Lisa Suennen is a managing director with GE Ventures and former managing member of the Psilos Group, as well as the co-author of Tech Tonics: Can Passionate Entrepreneurs Heal Healthcare With Technology? and author of the blog Venture Valkyrie. Prior to 2014, Lisa was a Senior Advisor to Psilos Group, a healthcare-focused venture capital and growth equity firm that focuses on the healthcare information technology, healthcare services and medical device sectors. Lisa was a co-founder of Psilos Group and a Partner at the firm from 1998-2014. Prior to Psilos, Lisa was at Merit Behavioral Care (formerly American Biodyne, Inc), an $800mm behavioral healthcare company where she held various senior executive roles from its early start-up days through exit. Previously, Lisa held various positions in marketing and product management in companies in the high technology field. Lisa was a Board Member of the Dignity Health Foundation and Board Member of health IT company Beyond Lucid Technologies, and is still a Board Member of medical device company AngioScore, a member of the Qualcomm Life Advisory Board, and an Advisor to the California Health Care Foundation Innovation Fund. Lisa also previously served as an Advisor to innovation consulting firm Accelevate, Inc. and as a member of the Advisory Board of the U.S. Health and Human Services Office of the National Coordinator Investing in Innovations program. Lisa holds an M.A. in political science, a B.A. in political science and a B.A. in mass communications, all from the University of California, Berkeley, where she is now Vice Chair of the National Advisory Council of the Institute of Governmental Studies at the University. Lisa is also a visiting lecturer at the U.C. Berkeley Haas School of Business, where she teaches the annual course on healthcare venture capital. Lisa also writes a widely read blog on healthcare and healthcare investing at www.venturevalkyrie.com.

She has recently published her first book, entitled Tech Tonics: Can Passionate Entrepreneurs Heal Healthcare with Technology?, coauthored with Dr. David Shaywitz.