Creating a Security Game Plan
Attorneys Offer Practical Tips for Hospitals, Clinics

Speaking at the American Health Information Management Association's 2010 Legal EHR Summit in Chicago, Jack Rovner and Kathryn Roe, principals at The Health Law Consultancy, Chicago, offered a security game plan. Their suggested strategies will help organizations as they implement electronic health records in hopes of earning incentive payments from Medicare and Medicaid under the HITECH Act. They'll also help them prepare for compliance with the HITECH breach notification rule.
Key steps, the attorneys say, include:
Review and update records management policies and procedures. This includes:
- Determining what protected health information the organization has and where it is kept.
- Controlling where the information can be stored and restricting when it can be transferred to portable devices and media. "Be out in front on this issue so that an employee can't say, 'well it wasn't prohibited so I thought it was OK,'" Roe says.
- Retaining information for the appropriate time period to minimize the risk of a breach of old data. Information should be retained only as long as required by state law, by contract or by business needs, Roe adds.
- Destroying or de-identifying information no longer needed.
- Considering encryption of data stored on computers or transmitted to others.
Create a plan for responding to a breach. Hospitals and clinics should create and then frequently update breach notice policies and procedures that include "checklists to guide the response if and when a breach happens," Rovner says.
Educate the workforce and executives about data security issues. This should include:
- Training about safeguards, policies and procedures as well as checklists for breach responses.
- Sanctions for non-compliance.
- A clear-cut policy of non-retaliation for reporting a breach within a department.
"Even those in charge of throwing out the trash need to be trained on what to do if they discover protected health information," Rovner says.
Check your insurance. Make sure your organization has sufficient insurance to cover all the costs involved in the aftermath of a breach, Roe stresses. Be sure that business associates and their subcontractors are adequately insured as well, she adds.
Review business associate contracts. This includes:
- Making sure the vendors, and their subcontractors, comply with the HIPAA security rule.
- Reviewing the companies' track records for breaches and whether they can demonstrate they have learned from any incidents and adjusted their policies.
- Confirming business associates have detailed compliance programs in place.
Make security part of managers' evaluations. "Institute a performance evaluation factor that measures if the head of a business unit is implementing information protection policies," Rovner suggests.
Implementing a sound information security strategy can create a competitive advantage, Rovner stresses. "Let the public know the steps you have taken. It can build your reputation as customer-caring."
(See also: Interview with Kathryn Roe.)