Creating a Security Game Plan

Attorneys Offer Practical Tips for Hospitals, Clinics
Creating a Security Game Plan
Hospitals and clinics should be taking many steps, including reviewing policies and educating staff, to help ensure the security of electronic health records and prepare for reporting breaches, two attorneys advise.

Speaking at the American Health Information Management Association's 2010 Legal EHR Summit in Chicago, Jack Rovner and Kathryn Roe, principals at The Health Law Consultancy, Chicago, offered a security game plan. Their suggested strategies will help organizations as they implement electronic health records in hopes of earning incentive payments from Medicare and Medicaid under the HITECH Act. They'll also help them prepare for compliance with the HITECH breach notification rule.

Key steps, the attorneys say, include:

Review and update records management policies and procedures. This includes:

  • Determining what protected health information the organization has and where it is kept.
  • Controlling where the information can be stored and restricting when it can be transferred to portable devices and media. "Be out in front on this issue so that an employee can't say, 'well it wasn't prohibited so I thought it was OK,'" Roe says.
  • Retaining information for the appropriate time period to minimize the risk of a breach of old data. Information should be retained only as long as required by state law, by contract or by business needs, Roe adds.
  • Destroying or de-identifying information no longer needed.
  • Considering encryption of data stored on computers or transmitted to others.

Create a plan for responding to a breach. Hospitals and clinics should create and then frequently update breach notice policies and procedures that include "checklists to guide the response if and when a breach happens," Rovner says.

Educate the workforce and executives about data security issues. This should include:

  • Training about safeguards, policies and procedures as well as checklists for breach responses.
  • Sanctions for non-compliance.
  • A clear-cut policy of non-retaliation for reporting a breach within a department.

"Even those in charge of throwing out the trash need to be trained on what to do if they discover protected health information," Rovner says.

Check your insurance. Make sure your organization has sufficient insurance to cover all the costs involved in the aftermath of a breach, Roe stresses. Also, be sure that business associates and their subcontractors are adequately insured as well, she adds.

Review business associate contracts. This includes:

  • Making sure the vendors, and their subcontractors, comply with the HIPAA security rule.
  • Reviewing the companies' track records for breaches and whether they can demonstrate they have learned from any incidents and adjusted their policies.
  • Confirming business associates have detailed compliance programs in place.

Make security part of managers' evaluations. "Institute a performance evaluation factor that measures if the head of a business unit is implementing information protection policies," Rovner suggests.

Implementing a sound information security strategy can create a competitive advantage, Rovner stresses. "Let the public know the steps you have taken. It can build your reputation as customer-caring."

(See also: Interview with Kathryn Roe.)

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.