HITECH a Wake-Up Call for Practices

Consultant: Doctors' offices need to step up security
The HITECH Act should be a wake-up call to physician group practices of all sizes regarding the need to take data security seriously, a consultant who advises practices stresses. And that means following the right procedures as well as using the right technologies, says Rosemarie Nelson, principal at MGMA Consulting Group, Englewood, Colo.

For example, staff members at some practices talk too casually about patients' conditions in front of other patients, Nelson says. "What happens in a lot of practices is that the staff becomes like family to some of the patients, and so the staff forgets that sharing health information is very important business," she adds.

Shut the door

Nelson also offers the story of a recent visit to a small group practice where she discovered an open door to the closet where a server was stored. "When I asked why the door was open, they said the server would get too hot if the door was closed," she says. "But the door should be locked with access controlled."

Far too many practices, she laments, also pay inadequate attention to how they back up data, failing to make sure the information is encrypted and "not left in the back seat of a car."

Seek out advice

The consultant advises practice administrators to seek out advice from area hospitals, independent physician associations, county medical societies and other local organizations on how to prepare for compliance with the HITECH Act, which includes toughened federal data security requirements. She says such organizations could, for example, provide guidance on how to prepare a data breach notification plan.

"Meaningful use"

Many practices are pondering whether to apply for incentive payments from Medicare and Medicaid under the American Recovery and Reinvestment Act to help pay for the cost of electronic health records. In a proposed rule released Dec. 30, federal regulators provided more details on "meaningful use" criteria that will be used to judge whether a practice or hospital is making adequate use of EHRs to qualify for the payments. The detailed criteria call on practices and hospitals to "conduct or review a security risk analysis of certified EHR technology."

To comply with that clause, Nelson suggests that group practices will need to carefully review whether they are using all appropriate security measures within their records software, including encryption, access control and frequent changing of passwords.

An interim final rule proposed Dec. 30 for certifying electronic health records software to confirm it's eligible for the incentive program states that the software must offer encryption. "My sense is that most of this software offers encryption, but some users don't take advantage of it," Nelson says.

Access control

The proposed EHR certification regulations also require that the software offer some sort of access control mechanism, but they stop short of spelling out a standard. Nelson says most records software offers role-based access control, which enables a practice to, for example, give a nurse broader access to patient information than a front desk receptionist. The consultant laments, however, that some practices "just give everyone the same role-based access," defeating the purpose of access control.
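To make the nurse-versus-receptionist point concrete, here is a small role-based access check with an audit that flags the "everyone gets the same role" misconfiguration Nelson describes. This is an added illustration, not code from any EHR vendor or from MGMA; the role names, permissions and user assignments are constructed sample data.

```python
"""Toy RBAC for a group practice: distinct roles with least-privilege
permission sets, a per-request check, and an audit for collapsed roles."""
from collections import Counter

# Constructed role definitions: each role holds only what its job requires.
ROLE_PERMISSIONS = {
    "receptionist": {"view_demographics", "schedule_appointment"},
    "nurse": {"view_demographics", "schedule_appointment",
              "view_clinical_notes", "record_vitals"},
    "physician": {"view_demographics", "view_clinical_notes",
                  "record_vitals", "write_prescription"},
}


def is_allowed(user_roles: dict, user: str, permission: str) -> bool:
    """Return True only if the user's assigned role grants the permission.
    Unknown users or unknown roles get nothing (deny by default)."""
    role = user_roles.get(user)
    return permission in ROLE_PERMISSIONS.get(role, set())


def audit_role_assignments(user_roles: dict) -> list:
    """Flag the failure mode from the article: role-based access that has
    collapsed into every user holding the same role, plus dangling roles."""
    findings = []
    counts = Counter(user_roles.values())
    if len(counts) == 1 and len(user_roles) > 1:
        shared = next(iter(counts))
        findings.append(f"all {len(user_roles)} users share the role "
                        f"'{shared}'; RBAC is not separating duties")
    for user, role in user_roles.items():
        if role not in ROLE_PERMISSIONS:
            findings.append(f"{user}: unknown role '{role}' (no access granted)")
    return findings


# Constructed sample assignments: one practice done right, one done wrong.
GOOD_PRACTICE = {"alice": "physician", "bob": "nurse", "carol": "receptionist"}
FLAT_PRACTICE = {"alice": "physician", "bob": "physician", "carol": "physician"}

if __name__ == "__main__":
    # The receptionist cannot read clinical notes under proper RBAC...
    print(is_allowed(GOOD_PRACTICE, "carol", "view_clinical_notes"))  # False
    # ...but can once everyone has been given the physician role.
    print(is_allowed(FLAT_PRACTICE, "carol", "view_clinical_notes"))  # True
    for finding in audit_role_assignments(FLAT_PRACTICE):
        print("FINDING:", finding)
```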

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
