HITECH as a Security Plan CatalystPlanning, training more important than ever
The HITECH Act provides strong new incentives for healthcare organizations to create comprehensive data security plans and train their staffs on how to keep personal health information secure.
That's because the regulation requires organizations to report data breaches to all affected patients. And the best way to avoid such a potentially embarrassing--and costly--report is to take steps to avoid the breaches in the first place.
Under the law, "covered entities," such as hospitals, physician group practices and insurers, must notify individuals within 60 days if protected health information is breached. They also must notify the Department of Health and Human Services and local news media if the breach involves more than 500 individuals. Please see: HITECH Provisions Story
In addition, covered entities must maintain a log of all data security breaches and annually submit it to HHS.
Time for re-training
The No. 1 step healthcare organizations must take to comply with the HITECH Act's security provisions is to re-train the entire workforce about how to ensure the security and privacy of personal health information, says Dan Rode, vice president for policy and government relations at the American Health Information Management Association, Chicago. "And the workforce includes volunteers who work in the institution, physicians who work there but may not be employed, as well as all of the employees," he says. For more insights, please see: Training Key to HITECH Prep - Interview with Dan Rode
Good Samaritan Hospital in Vincennes, Ind., is taking an aggressive approach to security training. "All of our employees are required to participate in online education, and there is a test that they will take to make sure they have competency," says CIO Charles Christian.
Training is also a top priority at Southwest Washington Medical Center in Vancouver, Wash, says Christopher Paidhrin, security compliance officer.
"You can have all the technologies in place, but if your workforce is not aware, awake, attentive and mindful of the policies, procedures and appropriate protocols, all those security tools can be undermined, circumvented and ignored," Paidhrin says. "A policy does no good if it sits in a folder or on an intranet and no one reads it. It's got to be part of everyone's everyday practice."
Before creating or updating a data security plan, organizations must conduct a thorough risk analysis, pinpointing potential problem areas that need to be addressed, many experts advise.
But a recent survey by the Healthcare Information and Management Systems Society found that only 55% of hospitals conduct a risk analysis annually or more frequently.
"It should be done at least annually because a security risk analysis is the basis of HIPAA compliance," says Lisa Gallagher, senior director for privacy and security at Chicago-based HIMSS.
Too many hospitals and other healthcare organizations are focusing on acquiring security technologies rather than looking at the bigger picture, argues Kate Borten, president of the Marblehead (Mass.) Group. The security consultant says annual risk assessments are essential. "The technology alone does not make a security program."
At Johns Hopkins Medicine, a Baltimore-based academic medical center with four hospitals, the top annual data security priority is updating a risk assessment, says Stephanie Reel, vice president of information services. "We update it comprehensively every two years but we pay attention to it and update it in a smaller way every year," she notes. See also: Top 10 Data Security Projects at Johns Hopkins
"What goes hand-in-hand with that is our second priority, which is training, a truly continuous process," she adds.
To help ensure security, Johns Hopkins is investing in a number of technologies, including multi-factor authentication for those accessing its virtual private network remotely.
At Southwest Washington Medical Center, annual risk analyses are supplemented by a consultant's review every three years. "We contract out for an external full-spectrum assessment to make sure we're not deceiving ourselves," says Paidhrin, the security compliance officer.
Part three of the HITECH series focuses on preparing a data breach reporting plan.