HITECH a Wake-Up Call for Practices
Consultant: Doctors' offices need to step up security
For example, staff members at some practices talk too casually about patients' conditions in front of other patients, Nelson says. "What happens in a lot of practices is that the staff becomes like family to some of the patients, and so the staff forgets that sharing health information is very important business," she adds.
Shut the door
Nelson also offers the story of a recent visit to a small group practice where she discovered an open door to the closet where a server was stored. "When I asked why the door was open, they said the server would get too hot if the door was closed," she says. "But the door should be locked with access controlled."
Far too many practices, she laments, also pay inadequate attention to how they back up data, failing to make sure the information is encrypted and "not left in the back seat of a car."
Seek out advice
The consultant advises practice administrators to seek out advice from area hospitals, independent physician associations, county medical societies and other local organizations on how to prepare for compliance with the HITECH Act, which includes toughened federal data security requirements. She says such organizations could, for example, provide guidance on how to prepare a data breach notification plan.
Many practices are pondering whether to apply for incentive payments from Medicare and Medicaid under the American Recovery and Reinvestment Act to help pay for the cost of electronic health records. In a proposed rule released Dec. 30, federal regulators provided more details on "meaningful use" criteria that will be used to judge whether a practice or hospital is making adequate use of EHRs to qualify for the payments. The detailed criteria call on practices and hospitals to "conduct or review a security risk analysis of certified EHR technology."
To comply with that clause, Nelson suggests that group practices will need to carefully review whether they are using all appropriate security measures within their records software, including encryption, access control and frequent changing of passwords.
An interim final rule, also proposed Dec. 30, sets the criteria for certifying electronic health records software as eligible for the incentive program; it states that the software must offer encryption. "My sense is that most of this software offers encryption, but some users don't take advantage of it," Nelson says.
The proposed EHR certification regulations also require that the software offer some sort of access control mechanism, but they stop short of spelling out a standard. Nelson says most records software offers role-based access control, which enables a practice to, for example, give a nurse broader access to patient information than a front desk receptionist. The consultant laments, however, that some practices "just give everyone the same role-based access," defeating the purpose of access control.
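As an added illustration, not taken from the article or from the consultant, the following toy role-based access control model shows what "give a nurse broader access than a front desk receptionist" looks like in practice, and includes a small audit that flags the anti-pattern described above, where every user has been assigned the same role. The role names, permission names, and user assignments are constructed assumptions and do not describe any particular EHR product.

```python
"""Toy role-based access control (RBAC) for a medical practice, plus an audit
that flags the 'everyone has the same role' anti-pattern.  All role names,
permissions, and user assignments below are constructed for illustration."""

from collections import Counter

# Constructed permission sets per role: clinical staff see clinical data,
# the front desk sees only scheduling and demographics.
ROLE_PERMISSIONS = {
    "front_desk": {"view_demographics", "view_schedule"},
    "nurse": {"view_demographics", "view_schedule",
              "view_clinical_notes", "view_medications"},
    "physician": {"view_demographics", "view_schedule", "view_clinical_notes",
                  "view_medications", "edit_clinical_notes", "prescribe"},
}

# Constructed user-to-role assignments for two hypothetical practices.
# Practice A differentiates roles; Practice B has collapsed everyone into one.
PRACTICE_A = {"alice": "physician", "bob": "nurse", "carol": "front_desk"}
PRACTICE_B = {"alice": "physician", "bob": "physician", "carol": "physician"}


def is_allowed(assignments, user, permission):
    """Deny by default: an unknown user or unknown role grants nothing."""
    role = assignments.get(user)
    if role is None:
        return False
    return permission in ROLE_PERMISSIONS.get(role, set())


def audit_role_collapse(assignments):
    """Return findings if every user holds the same role, which means the
    access control mechanism is no longer distinguishing anyone."""
    counts = Counter(assignments.values())
    findings = []
    if len(counts) == 1:
        (only_role,) = counts
        findings.append(
            f"all {len(assignments)} users share role '{only_role}'; "
            "role-based access control is not differentiating anyone"
        )
    return findings


def excess_permissions(assignments, user, expected_role):
    """Permissions the user actually holds beyond what their job role
    (expected_role) would grant; useful when reviewing assignments."""
    actual = ROLE_PERMISSIONS.get(assignments.get(user), set())
    return actual - ROLE_PERMISSIONS[expected_role]


if __name__ == "__main__":
    for name, practice in (("Practice A", PRACTICE_A), ("Practice B", PRACTICE_B)):
        print(name, "findings:", audit_role_collapse(practice) or "none")
        print("  carol may view clinical notes:",
              is_allowed(practice, "carol", "view_clinical_notes"))
        print("  carol's excess over front_desk:",
              sorted(excess_permissions(practice, "carol", "front_desk")))
```

The audit is intentionally simple: a single shared role is the most obvious collapse, but the same review should also compare each user's actual role against the job they perform, which is what `excess_permissions` does for one user at a time.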