Slow Adoption of HITECH and HIPAA Needs to Be Tackled by Tech Companies as Well As Health Care Providers
Data security and protecting consumer privacy are important issues, but nowhere are they more important than in healthcare. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) are intimidating documents that set out requirements, and penalties, for the protection of patient health records. Yet even though HIPAA will soon be 20 years old and HITECH is more than 5 years old, adoption of the security practices they require is by no means universal.
When HITECH was first enacted, healthcare providers were offered financial incentives for adopting electronic health record (EHR) systems and their supporting technology, and for demonstrating their "meaningful use", until 2015. After that point, penalties were to be levied for non-compliance.
The catch was that the roll-out was supposed to happen in three stages, and a provider had to spend at least two years in one stage before moving to the next. Because too few providers reached stage 2 before the deadline, implementation of stage 3 has been pushed back to 2017. While it is good that many practices are adopting these measures, the lack of enthusiasm suggests that the case being made for compliance is not as compelling as we would hope.
Why Is Adoption So Slow?
From a purely technological perspective, implementing an electronic health record system is a large but manageable task. The problem is that health records are not currently maintained by people with IT expertise. Most health practices have to bring in an outside risk analysis, hire a third-party EHR provider and, most significantly, educate and train their staff on a myriad of new technologies and security procedures.
Given that the penalties for breaching patient confidentiality are so severe, it’s not surprising that there is so much pushback from the people on the ground.
Myths and Misinformation Abound
For an Act that has been in place for 20 years, there is still a surprising amount of misinformation about HIPAA, among both the general public and healthcare providers. That consumers are misinformed is not so surprising, but healthcare professionals are trained in it so repeatedly that something seems very wrong. It may be that the penalties for breaking HIPAA are so career-ending that they create a sense, rightly or wrongly, that even reasonable actions may ruin your life. With so much on the line, it is no wonder that health professionals do not want to learn an entirely new set of skills in order to do the same job they have already been doing for years. It makes for a very risk-averse environment in which to stimulate adoption.
What Should Be Done?
In the end, the only thing that makes people comfortable with technology is exposure to that technology. The problem with directives like "patient information shared in email should be encrypted" is that the average user has no idea what it means to encrypt data (is there a radio button to click in settings?) and no understanding that a 4-digit PIN on a tablet does not, by itself, mean the device is secure (what else are they supposed to do to secure it?). It is also a fact that time spent wrestling with technology can put patient lives at risk. Close attention must be paid to making the interface with such technology as streamlined as possible, which takes time, attention to detail, and a long period of refining procedures and then retraining staff.
In short, it is a process that requires more time, yes, but also more resources. Ideally, tech companies will see this as an opportunity to decrease friction around the process, and health practices will welcome the support. Let's hope we see more of this in 2016.