HIPAA Privacy and Security in the Age of Meaningful Use

What does the Jefferson Memorial have in common with Privacy and Security in the Age of Meaningful Use?

David Finn, Health IT Officer at Symantec

At the Jefferson Memorial you find a lot of Jefferson’s writings – as opposed to Lincoln’s, for example (one thing that makes sense in Washington, DC). One of them says this: “I am not an advocate for frequent changes in laws and constitutions, but laws and institutions must go hand in hand with the progress of the human mind.”

One of my very first IT assignments was to write the coding standards for a major university – we did all our own development at that time and were about to completely re-do all major systems (billing, collections, records and registration, scheduling, grading – everything). My writing experience had previously been journalistic or for the theatre. So, I started asking people who had more experience. First stop was a very senior manager who pointed to two shelves full of three-inch, three-ring binders on his bookshelf. “Here’s a good example,” he said, “of how NOT to write programming standards.” It was his first project at a major aerospace manufacturer. “It needs to be less than 50 pages or it will never be read or used.” The human mind, complex as it is, likes to keep things simple and clear. Complexity muddies the waters, if you will, and tends to lead people to ignore the complexity.

Some years later I found myself the “HIPAA guy” and had to develop the policies and procedures related to privacy and security in a modern IDS. I went to the organization’s keeper of all things “P & P”. I was advised that I should write policy and procedures (I added technical standards), and that policy should very rarely change but that procedures will likely change as processes, people, technology, laws and clinical and business practice change. The technical standards would have to change as technology changed, both at the IDS and in the broader world. Policy was vision, strategy – it needed to be flexible enough to withstand “routine” change but strong enough to make clear what our direction and intentions were – even as other things changed.

Here’s where I answer the question in the title. Our laws have changed, our institutions (hospitals in this case) have not and the human mind is not progressing in terms of the changes in the world and the laws. I’m guessing that every provider has a Privacy Policy by now – that shouldn’t change. It is still about saying you are going to protect the privacy of patients and employees. I’m also guessing that when the Privacy Policy was written there was no social media or BYOD, PHRs or patient portals. There should be a Security Policy (or several) that talks about the need to secure certain kinds of data – they should be identified and defined. Have the procedures kept up? Did you have cloud and mobility, were you encrypting then, did you have DLP tools to help find and define data?

“The fundamentals of cyber security – I call it the physics of security – don’t change over time,” National Institute of Standards and Technology Senior Fellow Ron Ross says. “How we apply those controls … is a little bit different, but the same fundamentals.”

The need to protect data hasn’t changed but what we protect it from has – and where it lives, how it is accessed, and who can get to it. And the requirements to protect it come with real penalties now. The biggest change we need to make though is in the human mind. This isn’t about IT anymore; this is about an age where personal data is an Internet commodity, where Facebook is linked directly to smartphone cameras. This is about a critical (and legal) need to share clinical data and laws that require you to keep it out of the wrong hands.

Yes, we need to update procedures, we need new and more training, we need new tools to track, manage and protect data in new ways and places, and we need leadership – above IT – to understand. Or the next person to go to jail won’t be some poor clerk faxing face sheets to a plaintiff’s attorney but the CEO of a major system that wouldn’t fund hard drive encryption.