Funding a HITECH Risk AssessmentHow a Rural Hospital Got Help
In an interview, David Conejo, CEO at 25-bed Red River Regional Hospital, a critical access facility in Bonham, Texas, describes his strategy for complying with the privacy and security provisions of the HITECH Act, which toughened the HIPAA standards. HIPAA requires hospitals to conduct a risk assessment and then use appropriate technologies to assess those risks.
Conejo discusses how his hospital:
- Obtained a grant so it could hire a consulting firm to conduct a risk assessment and identify priority projects;
- Discovered that, in many cases, it had the necessary security procedures in place but needed to document them better;
- Determined it needed to make wider use of encryption and develop procedures for notifying patients and federal authorities in the event of a breach;
- Used the risk assessment to identify additional training that the hospital's IT director needed;
- Planned a telemedicine project.
Conejo has been CEO of the hospital since 2005. He previously served as CEO for five other hospital organizations, regional operations manager for Province Healthcare Corp, and as an independent consultant.
HOWARD ANDERSON: For starters, tell us a little bit about your hospital. I understand that it is the only one in your county and that it recently became independently owned, is that right?
DAVID CONEJO: We serve an area of about 30,000 people in Fannin County, Texas. We are about an hour and 15 minutes north of Dallas, and the closest hospitals anywhere around us are about 35 miles away. ... We put together a group of local physicians and local community members and acquired the hospital so it is locally owned.
ANDERSON: I understand you recently launched your first risk assessment process to help your organization comply with HIPAA and the HITECH Act as you shift to electronic records. As CEO, what were your top security concerns that prompted conducting that risk assessment now?
CONEJO: Moving to a freestanding organization, we now bore the responsibility for meeting all of the guidelines. When you are part of a corporate structure, usually the corporation will have IT personnel and they will set up standards for all the hospitals that are under them. Suddenly we were faced with having to become familiar with and know intimately all of the requirements.
So we were trying to find out, first of all, what is it that we don't know? We get a lot of information through the Texas Organization of Rural Community Hospitals and the Texas Hospital Association. ... But the risk assessment provided us the opportunity to find out where we met the HITECH standards and where we needed to improve.
ANDERSON: So did you decide to get outside help with the assessment because of relatively limited internal resources?
CONEJO: That's another big problem for small hospitals. You know, if you are trying to do this on your own, along with any number of other things, it becomes cost-prohibitive. But being able to do it with grant funding, we were able to bring it within our financial budget constraints and so that was extremely helpful.
ANDERSON: Who did you get the grant from and who did you rely on to give you help with the assessment?
CONEJO: Originally we went through the Texas Organization of Rural Community Hospitals, which is partnering with the Texas Department of Rural Affairs. They notified all of the hospitals that grant monies were available. We contacted them immediately and said we are really interested, and they said we certainly would qualify as a critical access hospital. So we submitted our work to them and then they linked us up with CynergisTek, which is the company that has been helping us with that.
ANDERSON: So how long did the assessment take, what were the major risks that were pinpointed and how are you addressing those risks now?
CONEJO: Well they came onsite and spent about three days looking over the information, and then they came back with what some might call a "to do list." So they showed us all of our areas of compliance and we were probably at about 47 percent compliant. Along with that there were a number of things that were already in place, but we needed to have a policy in place stating that that was our practice. Just by putting that policy in place, we would immediately jump up to about 74 percent compliant.
So we were pleased with that. ... But then they were able to pinpoint some other issues that we would not ordinarily have been familiar with -- things that we had to put into place to make sure that our communication of information was protected, that we had safety procedures in place to assure that records or information that went out was encrypted and also that we had procedures in place that if there were any shortcomings (breaches) that we would immediately notify all of the parties involved.
ANDERSON: Can you tell us a little bit about specific technologies or strategies you have adopted as a result? It sounds like perhaps one of those is making wider use of encryption? Is that right?
CONEJO: That was one of them. Also, we have an IT manager, and the consultants went over specifically with him all of the additional education and training that he needed to have as the person in charge. So they identified each of the areas and where he might not have specific knowledge about certain procedures and what had to be done and they either provided the training or told him where he could obtain that training.
So it was helpful to us ... to have somebody come in, conduct an assessment and review it at length with the IT manager and with the senior management and then pinpoint what had to be done and what training he needed to have.
ANDERSON: So once he has that additional training, are there specific technologies that you are going to be implementing?
CONEJO: Well as we mentioned encryption is one of them. But we are looking at doing telemedicine, and we presently have the capabilities to do some of that. And immediately you say, "Well wait a minute, when you are now transmitting this information, who is able to pick that up? How do you protect that? What do we need to be able to do to our computer systems to protect that information so no one else can read it except the recipient?"
And while it might seem that certain radiology systems would automatically do that, in many cases, when you switch over to another mode, such as telemedicine, you are not automatically protected. And you now have to set up another whole system of encryption in order to make sure that that information is protected. ...
ANDERSON: Are you eventually going to offer physicians the opportunity to access clinical systems remotely and if so, what security will you use there?
CONEJO: We are looking at a company called Net.Orange. ... We are looking at the modes where everybody can be on a different system in their own office but can access ours through the (Net.Orange) operating system and that is where the control structures will be set up.
ANDERSON: So what advice would you give to other small hospitals with limited IT budgets on how best to address security issues and how to do a meaningful risk assessment?
CONEJO: I would suggest for small hospitals to go ahead and contact their rural community hospital organizations or the National Rural Hospital Association or their state organization, such as the Texas Department of Rural Affairs. Find out what monies are available and what programs are available for those assessments. You may find that (with their help) you can have somebody guide you through the assessment process.