EHR Incentive Winners: Lessons Learned
Updated Risk Assessments, Continual Training Are Key
Texas Health Resources, which already has earned almost $20 million from the HITECH Act's EHR incentive program for 11 of its hospitals, conducts quarterly as well as annual risk assessments for all its applications, said Ron Mehring, director of information security. So it was easy for the large provider organization to meet the only explicit security-related requirement in the meaningful use criteria for stage one of the federal EHR incentive program: Conduct a risk analysis and take action to mitigate any risks identified.
If a hospital or a clinic "understands the risks involved in handling healthcare information and develops a program to manage that risk," meeting the EHR incentive program's risk analysis requirement will be a snap, Mehring said.
Similarly, Fallon Clinic in Massachusetts has been conducting frequent risk assessments for years to comply with HIPAA as well as tough state regulations, so it simply documented its actions for the incentive program, said Paul Nichols, director of IT infrastructure. So far, the clinic has received $400,000 worth of incentive payments; it expects to eventually earn $10 million (see: EHR Incentive Winner Tackles Security).
In addition to conducting internal risk assessments, the clinic annually hires a consulting firm to conduct reviews. "We actually use different vendors each time," Nichols said. That way, the clinic can benefit from the different skill sets and perspectives of the outside experts, he explained.
Importance of Training
Executives at Texas Health Resources and Fallon Clinic also emphasized the need for extensive staff training on privacy and security issues. "We have a robust training program that's role-based across the enterprise," said Texas Health Resources' Mehring.
At Fallon Clinic, trainers recently visited every site to review state and HIPAA regulations and explain the clinic's policies. The face-to-face training helps "build a rapport so that they're comfortable calling us with questions," said Cyndy Hatch, manager of IT security.
The idea behind the training, Nichols said, is "to help staff understand what we're doing" so they don't just perceive security as "getting in the way of them doing business."
So if your organization is considering expanding its use of EHRs and hoping to earn federal incentive dollars, carefully consider the lessons from these two EHR trailblazers: update your risk assessments again and again, and continually train your staff on how to comply with your privacy and security policies.