EHR Incentive Winner Tackles SecurityRisk Assessments, Encryption, Authentication and More
Of the 220 eligible physicians at the Worcester, Mass.-based clinic, all but two have completed the process of attesting that they qualify for the EHR incentive program, and 160 attestations have been formally submitted to federal authorities. Already, the clinic has received a total of almost $400,000 in incentive payments for 21 physicians. And the clinic expects to ultimately earn $10 million in Medicare and Medicaid incentives over the life of the HITECH program, says Larry Garber, M.D., medical director for informatics.
The incentive program was designed to spur more hospitals and physicians to adopt EHRs in hopes of cutting the cost and improving the quality of care. But Fallon Clinic already was well on its way down the path toward automating records long before the federal incentive program came along. And it's been implementing security measures every step of the way. Those measures include:
- Frequently updated risk assessments, both internal and external;
- Use of encryption for data on mobile devices as well as information transmitted over the Internet;
- Two-factor authentication for remote access to EHRs;
- Extensive privacy and security training for all staff, from the CEO to the administrative assistants.
A 'Necessary Evil'Garber acknowledges that for physicians, security provisions amount to a "necessary evil" because they inevitably slow down access to information. "But it's so valuable to access data securely, that it's worth the extra effort," he stresses.
So what's the secret to overcoming physician resistance to security measures because of concerns about the impact on productivity? One key factor, says Paul Nichols, director of IT infrastructure, is strong leadership from senior executives. "The organization must take security seriously, from the top down," he says. "It won't work, even if you have a talented security team, if they're constantly swimming upstream."
And Fallon Clinic has a message for those who wonder if the incentive payments will cover most of the startup costs for EHRs: That's unlikely. Garber estimates its initial cost of implementing the EHR system from Epic Systems Corp. was $24 million, including security expenses, with "several million" more spent annually on various EHR-related expenses. The multi-specialty clinic completed its rollout of the EHR system in 2007; it no longer uses paper records.
Risk AssessmentThe only explicit security-related requirement in the meaningful use criteria for stage one of the federal EHR incentive program is to conduct a risk analysis and take action to mitigate any risks identified.
For Fallon Clinic, demonstrating compliance with that requirement was easy. That's because it's been conducting frequent risk assessments for years to comply with HIPAA as well as tough state regulations, so it simply documented its actions for the incentive program.
In addition to conducting internal risk assessments, the clinic annually hires a consulting firm to conduct reviews. "We actually use different vendors each time," Nichols says. That way, the clinic can benefit from the different skill sets and perspectives of the outside experts, he explains.
EncryptionMassachusetts' tough health privacy law goes beyond HIPAA's requirements and mandates the use of encryption for portable devices. So all the clinic's laptops are encrypted, as well as any thumb drives used to store protected health information. Plus, the clinic uses encryption when enabling staff to access e-mail from their cell phones.
All of the clinic's desktop devices are thin clients that cannot store information, with patient data residing only on servers at its central data center. "It's easier to do patching and upgrades at the data center than at 3,000 desktops," Nichols says.
AuthenticationTo access the EHR system from any of the clinic's 20 locations, clinicians must enter a user name and password for their domain accounts plus a different user name and password for the EHR, Nichols explains. To gain remote access to the EHR, physicians must use two-factor authentication. Doctors use a hardware token to generate a PIN that they must enter as an extra step. Data accessed remotely is encrypted in transit.
The clinic is investigating eventually using biometrics, perhaps paired with single sign-on, to streamline the authentication process, Nichols says.
Security, Privacy TrainingIn addition to receiving training on privacy and security when they're hired, all staff members must take annual refresher courses.
Trainers recently visited every clinic site to review state and HIPAA regulations and explain the clinic's policies, says Cyndy Hatch. She serves as manager of IT security as well as manager of the business office. The face-to-face training helps "build a rapport so that they're comfortable calling us with questions," Hatch adds.
The idea behind the training, Nichols adds, is "to help staff understand what we're doing" so they don't just perceive security as "getting in the way of them doing business."
Auditing AccessTo help guard against records snooping and other unauthorized access to EHRs, the clinic is aggregating log information from the Epic system, as well as other clinical systems that house protected health information, in a home-grown central repository to support custom audit reports. The clinic takes this approach "so we can run extensive reporting without slowing down production," Nichols says.
The clinic uses the access log repository to conduct random monthly audits of employee access to patient information. "We identified some individuals accessing family members' records," says Hatch. The clinic reminded these staff members that only clinicians treating a patient can routinely access records.
Health Information ExchangeIn addition to its ambitious EHR efforts, Fallon Clinic helped create a health information exchange, SAFEHealth, that enables it to share information with HealthAlliance Hospital in Leominster, Mass. The HIE accommodates the encrypted exchange of data to and from the hospital and clinic EHR systems, Garber explains.
Unlike most HIEs, which only give patients the opportunity to opt out of having their data exchanged, SafeHealth requires that patients opt in to offer their consent before any data is exchanged, Garber says. For example, if one of the clinic's patients arrives in the hospital's emergency department, the SafeHealth system checks for a record of the opt-in consent. If one is lacking, it automatically prints out a consent form for the registration clerk to give to the patient.