HIMSS Offers Crash Course on HITECH Act

Experts to Provide Tips on Data Security Compliance
Complying with all of the privacy and security provisions of the American Recovery and Reinvestment Act is a complex task. The Healthcare Information and Management Systems Society will lend a helping hand with a day-long crash course on the subject to help kick off its annual convention.

The pre-conference ARRA Privacy and Security Workshop will be held 8 a.m. to 4 p.m. on Sunday, Feb. 28. The annual conference of Chicago-based HIMSS, an association of healthcare I.T. professionals, will be held March 1-4 at the Georgia World Congress Center in Atlanta.

Title XIII of ARRA, also known as the HITECH Act, spells out tougher privacy and security standards for healthcare organizations and their business associates than those included in the original rules under the Health Insurance Portability and Accountability Act. The workshop will offer a detailed guide to the provisions, which some are calling HIPAA II, along with practical advice on compliance, says Tom Walsh, president of Tom Walsh Consulting LLC, Overland Park, Kan. Walsh is one of the featured speakers.

Nuts and bolts

"We'll give you a high-level overview, then offer the nuts and bolts, a step-by-step guide to what you'll need to have in place," Walsh says.

For example, the HITECH Act spells out when healthcare organizations or their business associates must report a data security breach of electronic health records (EHRs) or other personal healthcare information. But if the data is properly encrypted, reporting of breaches isn't necessary, Walsh stresses. "Encryption is like a 'get out of jail free' card."

Data encryption, however, must meet the NIST Federal Information Processing Standard 140-2, Walsh warns. And, unfortunately, many healthcare software companies that sell clinical applications do not yet routinely offer encryption of their databases, he contends. "So it's a huge issue."

At the workshop, Dave Wiseman, information system security manager at St. Luke's Health System in Kansas City, Mo., will outline his experiences during a security audit conducted by the Office of the Inspector General. The provider organization was audited in 2007 when federal officials were checking how well the HIPAA security and privacy rules were being enforced.

Preparing for audits

As a result of funding provided under the HITECH Act, the Department of Health and Human Services is hiring more auditors to check on healthcare organizations' security policies, Walsh notes. Workshop attendees will get tips from Wiseman on how to prepare for government audits, which soon will become more common, the consultant adds.

"In the security audits conducted so far, auditors have asked for things like the latest results of a network vulnerability scan or a network penetration test," Walsh says. "There's nothing in HIPAA that requires these, but the auditors have an expectation that covered entities, like hospitals, can present evidence that they are doing these scans and tests."

Also speaking at the workshop are:

  • Lisa Gallagher, HIMSS' senior director of privacy and security, who will outline the security and privacy provisions of the HITECH Act; and
  • Joy Jacobsen, privacy and compliance officer for CareEntrust, which offers a personal health record to employers in the Kansas City market. As a result, the company is a "business associate" that's preparing to comply with the HITECH Act.

More information on the workshop, and the entire HIMSS Conference, is available at www.himssconference.org.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
