The state of healthcare privacy in the U.S.
FairWarning commissioned a national survey of healthcare providers. The majority of survey respondents were compliance, privacy or risk personnel, followed by IT management and executive management.
The survey was designed to elicit answers regarding opinion and insights on new healthcare privacy regulations (specifically ARRA HITECH), patient safety, privacy and auditing budgets and information technology risk management.
In the survey of more than 200 unique hospitals from across the U.S., nearly half of respondents believe their organization is already compliant with federal privacy laws such as ARRA HITECH and HIPAA and is audit ready. However, nearly one-third of survey respondents stated they will not be compliant with ARRA HITECH requirements by the set deadlines.
The survey reveals that organizations are concerned with the challenges of monitoring dozens of healthcare applications, as well as deploying key technologies that will meet “accounting of disclosure,” user privacy monitoring and patient privacy monitoring requirements.
When asked questions specific to ARRA HITECH, respondents were most concerned about breach notification to the media, patients and the government. Survey respondents’ top three concerns surrounding non-compliance with any of the federal privacy laws were 1) reputational impact of a failed audit or major privacy breach, 2) financial penalties for non-compliance and 3) media exposure.
The survey also reveals that challenges remain for healthcare organizations. Compliance solutions require organizations to demonstrate effective use of solutions and technologies that permeate all business units, correspond with business processes and seamlessly integrate with the business functions of the organization. The survey revealed that healthcare organizations are beginning this process. Just 7 percent of respondents have demonstrated that they have both processes and automated systems in place which incorporate cornerstone technologies designed to eliminate security and privacy vulnerabilities.
“It is highly unlikely that an organization can fully comply with its obligations under HIPAA and the ARRA HITECH without implementing automated systems for patient and user privacy auditing, managing and aggregating accounting of disclosures and identity management,” stated John Houston, Vice President of Privacy and Information Security and Assistant Counsel at the University of Pittsburgh Medical Center. “While respondents felt that their level of compliance was high, their implementation of necessary technologies was much lower.”
The complete survey findings further reveal healthcare organizations are:
- Familiar with new healthcare privacy and security regulations, specifically ARRA HITECH
- Concerned with the reputational impact associated with a breach and breach notification requirements
- Mobilizing to meet compliance requirements and deploying critical technologies to plug security gaps and meet compliance requirements
- Allocating budget to meeting new privacy and security requirements
- Beginning to believe that enforcement of these laws is a government priority, and
- In need of further education to align spending and technology deployments to government expectations.
The complete report is available here.