Related Links

As demand heats up for analyzing and sharing health data, many health I.T. professionals feel understandable apprehension about preserving the privacy of their organizations’ patients and staying within the demands of HIPAA. They may want to see a doctor about it: specifically, William Braithwaite, M.D., who oversaw the development of the HIPAA regulations in the 1990s while working as senior advisor on health information policy to the Secretary of Health and Human Services.

HIMSS attendees can pick the brain of Braithwaite, now an independent consultant, and Michael Nelson, vice president for strategy and business development at Equifax, during a roundtable discussion that will focus on how to exchange patient data securely while still using it to the fullest to improve care.

Achieving the promise of health information technology means making sure that everyone involved—patients and providers both—trusts in the privacy, security, and integrity of the data, Braithwaite says. “We need to know that the person sending the data is who they say they are, and that it’s being sent to the person it’s intended for, and only to that person.” Identifying that the person is indeed the correct John Smith or Juanita Suarez is yet a third challenge.

At the same time, Braithwaite will advise attendees on how to get the security they need without overdoing it to the point where it’s cost prohibitive. “There’s a phrase that occurs about 75 times in the HIPAA regulations: ‘reasonable and appropriate,’” he says. “People go to their lawyers and ask what they have to do, and the lawyers are telling them that to be safe, they should do the most conservative and expensive thing possible, and that’s not the right answer.” He’ll discuss how providers can implement multifactor authentication—a combination of a password and a physical identifier--without imposing undue burdens on users or investing in expensive equipment.

Braithwaite says health information breaches are on the rise partly because financial institutions, the original target of identity thieves, have gotten so much smarter about security. With relatively simple data flows and a few large organizations dominating the industry, finance has found it easier to build its defenses.

The other factor is that identity thieves can use the personal information in medical records to perpetrate all sorts of financial fraud, just as easily as if they’d hacked a financial institution, and with even greater potential losses. “If someone gets into a bank account, the only loss is money, and the financial institution can replace it,” Braithwaite says. “If you lose your privacy, there’s no way to get it back.”

Roundtable discussion #301, “Improving Patient Outcomes through Secure Data Exchanges,” is scheduled for March 4 at 11 a.m.