When most people think of regulations that affect the healthcare IT industry, they tend to think of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. There’s no doubt that these two acts – passed in 1996 and 2009, respectively – have had a huge role in how the healthcare industry treats their digital environment.

However, there are other regulations worth knowing about as well. While the two we just mentioned have probably had the biggest impact on how your company functions, the ones we’re about to cover are still important to know about.

The Affordable Care Act and IT Security

The Patient Protection and Affordable Care Act doesn’t actually mandate anything in terms of IT regulations. We’ll cover the FDASIA Health IT report below, which will include something closer to actual regulations put forth by the government. This isn’t something the Patient Protection and Affordable Care Act really gets into, though.

That being said, this historic legislation does have an impact on the world of cyber-security, so it’s definitely worth bringing up here. As you may recall, a big part of this legislation was its call for online marketplaces that people could go to for securing health care coverage. Each state actually has its own, but insurance companies could also create versions to help people who wanted to learn more about their potential coverage.

By mandating these online marketplaces, this act automatically puts any covered entities that participate in the crosshairs of the Department of Health and Human Services. This is the department tasked with enforcing the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The sole purpose of this second act was to set standards for how PHI (protected health information) would be stored and transferred in digital environments. Participating in an online marketplace means you’re going to be doing just that.

Therefore, if your company is involved with one of these online marketplaces, you had better have a plan in place for receiving PHI, securely storing it and transferring it as necessary. Even if all you do is help facilitate credit card transactions, you’re potentially liable for the results of a successful attack.

Keep in mind, too, that this is different from just sending PHI across the Internet from one company to the next. Now you’re actually processing it through a website that is available to anyone – not just secured parties.

Obviously, this means you need to encrypt everything. This should be something you’re already doing where any sensitive information is concerned, but given the magnitude of what could go wrong when you’re working with these online marketplaces, it’s still worth reiterating the importance of this type of security here.

Furthermore, you’ll need to apply HITECH Act demands to this new online presence. Amongst other things, this may mean introducing new training protocols to make sure your people know how to deal with this PHI. If you’re creating a new site that will work with these marketplaces, any developers you use will become business associates and will therefore need to sign a business associate agreement.

One last point worth bringing up where the Patient Protection and Affordable Care Act is concerned is the sheer volume of PHI. Although the legislation has been in force for years now, the marketplace has proven inconsistent. Dozens of insurance companies have dropped out of the marketplace since its inception; in some rural communities, there is now only one provider.

What this means is that many health insurance companies will be seeing more customers than ever before. If you find yourself in this position – or expect you will in the near future – it would be wise to prepare accordingly. Now is the time to make sure you’re following HIPAA and HITECH Act demands to a “T.” If you’re going to need to hire new staff to cover this rise in demand, assess the system you have in place for training these people in these laws and ensuring they have just enough access to PHI to do their jobs.

FDASIA and IT Security

Another very important piece of legislation that must be discussed in relation to IT regulations is the Food and Drug Administration Safety and Innovation Act (FDASIA). Obviously, right from the name, you can tell that this is going to affect how your organization handles PHI. Again, we’re going to discuss the FDASIA Health IT report in a moment, but before we do, it’s important that you understand this act and its impact on your security efforts.

The FDASIA was signed into law on July 9, 2012. It granted the Food and Drug Administration new authority where the health care industry was concerned. Specifically, it strengthened the agency’s ability to protect public health by:

  • Collecting “User Fees” – The FDA now assesses fees on the industry, which are used to fund reviews of innovative new drugs, generic drugs, medical devices and biosimilar biological products.
  • Increasing Stakeholder Involvement – Stakeholders will be supported in taking a greater interest in FDA processes.
  • Promoting Innovation – Greater focus will be placed on getting innovative new products into the hands of the patients who need them, as long as they prove effective and safe.
  • Improving the Safety of the Drug Supply Chain – The supply chain will be fortified and enhanced to protect against threats like diversion, counterfeiting, theft, and substitution of unregulated drugs.

In order to implement these four elements, the FDA followed a three-year plan. It was during this time that the FDASIA Health IT report was released. This is pertinent to healthcare IT regulations because it was the result of the FDASIA, Section 618, which requires that the FDA work with the Office of the National Coordinator for Health Information Technology (ONC) and the Federal Communications Commission (FCC) on coming up with a strategy for regulating health IT to ensure foreseeable risks are avoided (amongst other things).

The entire FDASIA Health IT report was available to the public back in July of 2014 and people could even submit comments. The entire document was just 32 pages long. The report came up with four areas in which it recommended improvement of healthcare IT regulations.

These are:

  • Promoting a quality system approach and other quality management principles
  • Identifying, developing and adopting standards and best practices for the industry. This would include bolstering the following elements related to IT:
    • Quality management systems
    • Risk management
    • Interoperability
    • Usability
    • Maintenance
    • Local implementation
    • Customization
  • Leveraging conformity assessment tools. These would include:
    • Accreditation
    • Certification
    • Product testing
  • Fostering an environment for continual learning and improvement that entails transparent reporting, collection and analysis of any safety issues

The FDASIA Health IT report also went on to recommend that a Health IT Safety Center be created. This would be a public-private entity designed to bring health IT stakeholders together with the goal of creating an integrated, sustainable health IT learning system that leverages existing and ongoing efforts without duplicating any current regulations. Putting this together would be the job of the Agency for Healthcare Research and Quality (AHRQ), the FDA, the FCC, and various other federal agencies.

Amongst other things, this proposed center would put on programs that would:

  • Cultivate a broad membership and leadership foundation
  • Put the focus on high-value issues that affect patient safety and innovation in health IT environments
  • Continue adding to the evidence-based center of health IT safety by looking at relevant data
  • Create or add to health IT safety priority goals that complement patient safety goals and initiatives
  • Provide education about health IT safety that includes best practices regarding:
    • Mitigation strategies
    • Risks
    • Other methods for improving the commitment and capabilities of participating organizations

Again, all of this would be done for the sake of improving education about health IT safety, but also measuring the effect of such efforts. The overall aim would be to improve the entire industry, though there is an emphasis on bolstering security.

Still, as you can see, the FDASIA Health IT report was quite expansive in its aims. It continues to be a document that is added to and revised, but obviously it’s going to have an effect on how your company handles healthcare IT.

For the moment, no laws are in place, but that’s no reason not to prepare for what the FDASIA Health IT report might eventually become. A standardized quality management framework was given a great deal of attention in the report, so it would be wise to start there. Obviously, you should already have quality controls in place, but take some time to revise or improve them wherever you can.

Also, the report makes it clear that lawmakers take ongoing education very seriously. Once again, you should already have policies in place in your company to make sure that employees are trained to handle PHI correctly and that they are reminded of this regularly. Nonetheless, keep these policies at the forefront of that quality management framework we just mentioned.

Fortunately, the major take-away from the FDASIA Health IT report is that HIPAA and the HITECH Act seem to be doing their jobs and the industry as a whole has been following these laws. In fact, health care companies seem to be doing such a good job that this report is anticipating new laws meant to help the industry become even more dynamic and innovative, with policymakers looking to ensure they are not becoming a burden.

International Association for Healthcare Security and Safety

If you work in the health care industry – especially if you work in IT – then you probably already know about the International Association for Healthcare Security and Safety. The IAHSS is the only organization in the world dedicated solely to professionals who manage and direct security and safety programs in health care facilities.

More than 2,000 people are members of the IAHSS, which has been around for almost 50 years. The organization provides these members with exclusive resources for ensuring they can continue to keep PHI and their digital infrastructures safe.

Because they’re not a government organization, though, the IAHSS really has no power to enforce any kinds of regulations. That being said, if you wish to join the organization and become certified under them, there are definitely some rules you will need to follow – most find that it’s worth it.

Patient Privacy and Substance Abuse Treatment Records

Even though the federal statute that governs the confidentiality of substance abuse treatment data was originally passed back in 1987, it’s relevant to bring up in light of a discussion on how to properly handle healthcare information in the digital age.

In short, this statute says that any federally-assisted program can release a patient’s identifying information only with their consent and as it relates to the program’s goals. This isn’t so different from how HIPAA requires PHI to be treated.

The Department of Health and Human Services published suggested revisions to this law in February of 2016 because of the many changes that have occurred to the health care industry since these regulations were first passed. At the moment, these proposed revisions are still a long way from becoming law, but the above advice applies here, too.

The reason these suggestions were published is that HHS sees flaws in how this PHI is currently handled. It might be a good idea to audit how your company’s current flow for this information works. While you’re hopefully not exposing it to unnecessary risk, we’d recommend looking to tighten up the process even more in anticipation of what may eventually happen with this law.

The world of healthcare IT continues to be one of massive interest to our government and for good reason. PHI needs to be kept safe, but it’s also important that it can be transferred efficiently. While HIPAA and the HITECH Act continue to be the regulations that most dominate this field, the above also deserve consideration to ensure that your business doesn’t incur legal troubles.


Be Safe
