Prognostications always dominate the headlines as we turn the page to a new year. While we tend to see lots of “Top 10” lists for project priorities or technology purchases, there have been fewer articles on what we might expect to see on the healthcare security policy front in 2012. An election year always makes for interesting policy discussions and debates, but we believe that this is just one of the top 4 factors that will (or should) influence healthcare security and privacy policy in 2012.

The policy discussion is almost guaranteed to be dominated by four factors.

  1.  The impact of the 2012 elections and the lack of desire on the part of both politicians and the Administration to address controversial healthcare issues.
  2.  The ever-expanding impact of privacy and security legislation and outside influences on healthcare.
  3.  The expansion of negative influencers such as breach notification and the rising tide of litigation.
  4.  The very real need to embrace better security models to support important clinical technical initiatives such as Health Information Exchange, decision support, mobility, telemedicine, cloud computing, etc.

Healthcare, because of its almost universal applicability and expanding regulatory impact, is likely to become the focal point for the privacy and security policy discussion. As a result healthcare could find itself shaping this debate in 2012.

Politics and the elections this year could very likely impact the privacy and security discussion for several different reasons. Running for office (or trying to get reelected) is not a trivial process, and this Administration and Congress are both expected to be distracted by the election campaign. On top of this distraction, there is the almost certain trend of “avoidance” that seems to take over incumbents with respect to controversial issues. Healthcare reform, of which privacy and security policy is a part, is certain to be a lightning-rod subject in this election. Therefore, no one should hold their breath waiting for movement in these policy areas. That said, privacy and security issues are not going to go away, nor will the public’s growing displeasure with the industry’s performance to date. Privacy and security tend to be bipartisan issues where common ground can be found. It will be interesting to see whether the Senate Judiciary Committee hearings, chaired by Senator Al Franken last fall as a result of the spike in privacy breaches in healthcare, carry any momentum into 2012 or spur more interest in the debate on broader privacy legislation.

Congressional debate on a broader privacy law, one that would impact all industries, has been ongoing since the 1990s. However, 2012 might be the year that helps focus this discussion. Why? Because now, more than ever, it affects more people and more organizations and is receiving much more attention. HITECH will serve as the catalyst for transforming this discussion because of two important and interrelated policy changes. HITECH expands HIPAA accountability to business associates and all downstream subcontractors. This changes the reach of HIPAA from several thousand covered entities to hundreds of thousands of entities. This means that a broader representation of this already enormous industry will try to get involved and shape this debate. Further, businesses that are already under pressure from other regulatory drivers and global business initiatives to embrace the EU privacy model mandates will also likely find their way to the table. These new players could create new and greater external influences on the privacy and security requirements for healthcare.

The public’s growing awareness of breaches in healthcare and the potential traction of recent high-profile class action litigation are almost certain to be factors in 2012. Closely related will be the outcomes of HHS’s random compliance audits launched in December 2011. The number of breaches last year got everyone’s attention. The disastrous month of October, in particular, led to hearings and dominated the media until the end of the year. The question is whether this will further fuel the Congressional debate for broader privacy protections and, ultimately, a Federal statute that applies to all. Regardless of what happens on the legislative front, the legal front will definitely bear watching.

Breaches continue to lead to lawsuits, which is nothing new. What is new, however, is the nature of those lawsuits today. In the past, lawsuits stemming from breaches and alleging harm were rejected by the courts unless specific and identifiable damages could be substantiated. Recent lawsuits have alleged negligence and breach of contract, and in the Sutter Health case in California the plaintiffs are suing for statutory damages, which obviates the need to show harm. If that approach succeeds, the number of lawsuits could grow significantly. Whether this happens or not, organizations that are sued still have to deal with damage to their reputation and with defense costs at a minimum.

The cost of compliance has also gone up. In 2011 HHS received tens of thousands of complaints, and nearly 20 new major breach investigations were initiated every month. These investigations have led to Resolution Agreements, Compliance Action Plans and, on rare occasions, fines. Recently HHS added to its oversight of HIPAA by initiating the random compliance audits called for under HITECH. It is still too early to tell how the “First 20” will fare, but HHS does intend to use them to inform the process going forward. Breach notification, lawsuits and HHS enforcement activities are sure to keep a bright light on healthcare and compliance.

Healthcare also has internal drivers that are applying pressure for better privacy and security measures. Increased reliance on electronic medical records, decision support systems, business analytics, and other systems that support care services will demand absolute data integrity. Health Information Exchanges will need better authentication and identity solutions and specific governance structures. Mobile devices will continue to proliferate and introduce risk. Smarter approaches that place more emphasis on data management and device standards will be needed as endpoint strategies alone fail or become difficult to manage. New strategies such as telemedicine and cloud computing will need privacy and security solutions of their own. The evolution of technology and the need to address new privacy and security challenges will see no abatement in 2012.

Healthcare will be a dominant topic in 2012, and there is a good chance that privacy and security will factor significantly because the data matters. The data being generated by the industry is the holy grail that drives all transformation – clinical and financial. Therefore, the safeguards around that data become more important than ever. And because healthcare is not the only industry where data is central to transformation, the developments in healthcare could have a tremendous impact on privacy and security in general. Political action, regulatory changes, adverse events and operational advancements will shape the privacy and security agenda. Those who ignore privacy and security will do so at the risk of unwanted consequences.