Security and the new HITECH ACT regulations: Is your registry ready?

BACKGROUND: The Health Information Technology for Economic and Clinical Health (HITECH) Act of the American Recovery and Reinvestment Act of 2009 (ARRA) greatly expands the scope of HIPAA privacy and security protections, increases potential legal liability for non-compliance and provides for more enforcement. It also introduces the first federally-mandated data breach notification. PURPOSE: To share information regarding security provisions included in ARRA legislation; discuss implications for central cancer registry (CCR) operations and public health reporting; and describe necessary changes in operations, policies and procedures. METHODS: We reviewed HITECH security provisions, data transfer agreements and recent literature and compared the new HIPAA security requirements with existing security controls. We assessed implications for CCR systems and how changes could be implemented effectively. We focused on modifications to software applications and programs, liaised with the CDC Registry Plus development team and implemented necessary changes. RESULTS: We developed an action plan and key recommendations for integration of enhanced patient privacy protection and data security into operations and strategic planning. Registries should: 1) Identify a breach team and a detailed plan for data breach response; 2) Add encryption to daily routines for data storage and data transmission; 3) Restructure and refine routines compliant with new security requirements. Subsequently, we adapted applications, developed educational materials, conducted training sessions for CCR staff and made resources available to reporting facilities (see http://mcr.umh.edu). DISCUSSION: As an established data repository, CCRs play an increasingly important role in supporting population-based cancer research and Comparative Evaluation Research (CER). CCRs have proven to be efficient and effective comprehensive data sources for a wide range of public health research priorities such as reducing disparities in cancer detection, prevention and treatment. Data security must continue to be top priority if CCRs are to continue to maintain public trust and confidence in the evolving eHealth environment.