HIMSS Offers Crash Course on HITECH Act
Experts to Provide Tips on Data Security Compliance
The pre-conference ARRA Privacy and Security Workshop will be held 8 a.m. to 4 p.m. on Sunday, Feb. 28. The annual conference of Chicago-based HIMSS, an association of healthcare I.T. professionals, will be held March 1-4 at the Georgia World Congress Center in Atlanta.
Title XIII of ARRA, also known as the HITECH Act, spells out tougher privacy and security standards for healthcare organizations and their business associates than those included in the original rules under the Health Insurance Portability and Accountability Act. The workshop will offer a detailed guide to the provisions, which some are calling HIPAA II, along with practical advice on compliance, says Tom Walsh, president of Tom Walsh Consulting LLC, Overland Park, Kan. Walsh is one of the featured speakers.
Nuts and bolts
"We'll give you a high-level overview, then offer the nuts and bolts: a step-by-step guide to what you'll need to have in place," Walsh says.
For example, the HITECH Act spells out when healthcare organizations or their business associates must report a data security breach of electronic health records (EHRs) or other personal healthcare information. But if the data is properly encrypted, reporting of breaches isn't necessary, Walsh stresses. "Encryption is like a 'get out of jail free' card."
Data encryption, however, must meet the NIST Federal Information Processing Standard 140-2, Walsh warns. And, unfortunately, many healthcare software companies that sell clinical applications do not yet routinely offer encryption of their databases, he contends. "So it's a huge issue."
At the workshop, Dave Wiseman, information system security manager at St. Luke's Health System in Kansas City, Mo., will outline his experiences during a security audit conducted by the Office of the Inspector General. The provider organization was audited in 2007 when federal officials were checking how well the HIPAA security and privacy rules were being enforced.
Preparing for audits
As a result of funding provided under the HITECH Act, the Department of Health and Human Services is hiring more auditors to check on healthcare organizations' security policies, Walsh notes. Workshop attendees will get tips from Wiseman on how to prepare for government audits, which soon will become more common, the consultant adds.
"In the security audits conducted so far, auditors have asked for things like the latest results of a network vulnerability scan or a network penetration test," Walsh says. "There's nothing in HIPAA that requires these, but the auditors have an expectation that covered entities, like hospitals, can present evidence that they are doing these scans and tests."
Also speaking at the workshop are:
- Lisa Gallagher, HIMSS' senior director of privacy and security, who will outline the security and privacy provisions of the HITECH Act; and
- Joy Jacobsen, privacy and compliance officer for CareEntrust, which offers a personal health record to employers in the Kansas City market. As a result, the company is a "business associate" that's preparing to comply with the HITECH Act.
More information on the workshop, and the entire HIMSS Conference, is available at www.himssconference.org.