HIMSS Survey: Business Associates not up to speed on HITECH

Today, HIMSS released a new report, 2009 HIMSS Analytics Report: Evaluating HITECH’s Impact on Healthcare Privacy and Security.

Commissioned by ID Experts, HIMSS surveyed senior information technology (IT) executives, Chief Security Officers, Chief Medical Information Officers (CMIOs), Chief Information Security Officers and Chief Privacy Officers at hospitals throughout the United States.They also surveyed business associates about the impact of the HITECH Act, data breach and patient exposure, and what healthcare organizations are doing. A total of 150 respondents from a provider organization and 26 individuals from an organization that has a business associate relationship with provider organizations participated in this research, which was conducted in August and September of 2009. Approximately half of survey respondents work for organizations with fewer than 100 beds. Slightly less than a third work for organizations with between 100 and 299 beds. The final 14% of respondents work for a hospital with 300 or more beds.

Among the key findings:

  • “Business associates” pose the largest threat to patient data security, putting patients and privacy at risk. Business associates include those who have access to patient data and include pharmacy chains, benefits administrators, claims adjusters, firms who handle mailings to patients, and insurance companies, among others. Somewhat amazingly, over 30% of business associates surveyed did not know the HIPAA privacy and security requirements have been extended to cover their organizations.
  • Given that organizations will now be under increased mandate to disclose and notify individuals of breaches (although the interim rule introduced a “harm” standard not in the actual legislation), hospitals should be looking at the security and privacy practices of their business associates. The survey found that 85% of hospitals indicated they will take action to protect their patient data that is held by a business associate, while a full 39% of business associates admitted they did not know what actions hospitals are taking. In addition, business associates were unaware that 47% of hospitals would terminate their contracts for violations.
  • Somewhat surprisingly, non-IT respondents were more aware of data breaches than IT respondents. The survey found that non-IT respondents reported that their organization had experienced twice as many data breaches as IT respondents (41% vs. 22%).
  • While hospitals are widely providing training for their employees, they are not always monitoring that employees are complying with the organization’s policies and procedures on which they were trained. Nearly all respondents reported that they perform employee privacy and security training to protect against data breach risk. However, less than three-quarters of respondents at hospitals that conducted a risk assessment indicated that information on employee compliance is part of the risk assessment.

Read the press release here. Visit http://www.idexpertscorp.com/breach/download/?altid=b_himms_download&cid=prhimss1117 for a free copy of the HIMSS Analytics study.

Cross-posted from PHIprivacy.net

About the author: Dissent