HITECH as a Security Plan Catalyst

Planning, training more important than ever
Editor's Note: This four-part series analyzes how to comply with the data security and privacy provisions of the HITECH Act.
Part #1 outlines how the Act encourages broader use of encryption.
Part #2 spells out the need to conduct a risk analysis and prepare a data security plan.
Part #3 describes compliance with new data security breach notification requirements.
Part #4 outlines the tough new data security enforcement provisions.

(Part two)

The HITECH Act provides strong new incentives for healthcare organizations to create comprehensive data security plans and train their staffs on how to keep personal health information secure.

That's because the regulation requires organizations to report data breaches to all affected patients. And the best way to avoid such a potentially embarrassing--and costly--report is to take steps to avoid the breaches in the first place.

Under the law, "covered entities," such as hospitals, physician group practices and insurers, must notify individuals within 60 days if protected health information is breached. They also must notify the Department of Health and Human Services and local news media if the breach involves more than 500 individuals. Please see: HITECH Provisions Story

In addition, covered entities must maintain a log of all data security breaches and annually submit it to HHS.

Time for re-training

The No. 1 step healthcare organizations must take to comply with the HITECH Act's security provisions is to re-train the entire workforce about how to ensure the security and privacy of personal health information, says Dan Rode, vice president for policy and government relations at the American Health Information Management Association, Chicago. "And the workforce includes volunteers who work in the institution, physicians who work there but may not be employed, as well as all of the employees," he says. For more insights, please see: Training Key to HITECH Prep - Interview with Dan Rode

Good Samaritan Hospital in Vincennes, Ind., is taking an aggressive approach to security training. "All of our employees are required to participate in online education, and there is a test that they will take to make sure they have competency," says CIO Charles Christian.

Training is also a top priority at Southwest Washington Medical Center in Vancouver, Wash., says Christopher Paidhrin, security compliance officer.

"You can have all the technologies in place, but if your workforce is not aware, awake, attentive and mindful of the policies, procedures and appropriate protocols, all those security tools can be undermined, circumvented and ignored," Paidhrin says. "A policy does no good if it sits in a folder or on an intranet and no one reads it. It's got to be part of everyone's everyday practice."

Risk analysis

Before creating or updating a data security plan, organizations must conduct a thorough risk analysis, pinpointing potential problem areas that need to be addressed, many experts advise.

But a recent survey by the Healthcare Information and Management Systems Society found that only 55% of hospitals conduct a risk analysis annually or more frequently.

"It should be done at least annually because a security risk analysis is the basis of HIPAA compliance," says Lisa Gallagher, senior director for privacy and security at Chicago-based HIMSS.

Too many hospitals and other healthcare organizations are focusing on acquiring security technologies rather than looking at the bigger picture, argues Kate Borten, president of the Marblehead (Mass.) Group. The security consultant says annual risk assessments are essential. "The technology alone does not make a security program."

Updates needed

At Johns Hopkins Medicine, a Baltimore-based academic medical center with four hospitals, the top annual data security priority is updating a risk assessment, says Stephanie Reel, vice president of information services. "We update it comprehensively every two years but we pay attention to it and update it in a smaller way every year," she notes. See also: Top 10 Data Security Projects at Johns Hopkins

"What goes hand-in-hand with that is our second priority, which is training, a truly continuous process," she adds.

To help ensure security, Johns Hopkins is investing in a number of technologies, including multi-factor authentication for those accessing its virtual private network remotely.

At Southwest Washington Medical Center, annual risk analyses are supplemented by a consultant's review every three years. "We contract out for an external full-spectrum assessment to make sure we're not deceiving ourselves," says Paidhrin, the security compliance officer.

Part three of the HITECH series focuses on preparing a data breach reporting plan.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.