How to Build a Culture of Privacy
AHIMA CEO: Breach Prevention, Security Training, Sanctions Are Vital
To ensure privacy, healthcare organizations must take adequate steps to restrict access to sensitive patient information based on a "need to know" standard, Dowling says.
In an interview (transcript below), the head of AHIMA, which has 60,000 members, says:
- Winning public trust in electronic health records and health information exchanges will require several steps, including aggressive enforcement of federal and state privacy and security regulations and strong sanctions for those who violate those regulations, as well as for those who violate an organization's policies.
- Those shopping for their first electronic health records system in hopes of winning incentives under the HITECH Act should thoroughly investigate the vendor's track record for offering good security controls and measure the company's commitment to offering ongoing privacy and security support.
- The HITECH Act breach notification rule should be clarified, but without removing the controversial "harm standard," which enables organizations to conduct a risk assessment to determine if an incident represents a significant risk of harm that merits reporting it.
In addition to serving as AHIMA's CEO, Dowling is an adjunct professor at Case Western Reserve University, where he teaches graduate courses in health information systems and models of health systems. He previously served as an assistant professor at the schools of medicine and management at Case Western Reserve University, adjunct professor at Georgetown University and health services administrator and director of medical systems at a governmental academic medical center. He holds a PhD in healthcare management and management information systems from Massachusetts Institute of Technology.
HOWARD ANDERSON: For starters, why don't you tell us a little bit about AHIMA's mission and its membership.
ALAN DOWLING: AHIMA's mission is to participate in the leadership of health informatics and information management throughout the world to advance professional practice and standards. We have 60,000 members, and they work in numerous healthcare settings promoting the advancement and ethical use of health information and ensuring that health information is used appropriately in care and research and health management, and that the information is valid, accurate, complete, trustworthy and timely. Our members work in a wide variety of organizations, from healthcare delivery to research organizations, in the private sector and the government sector.
Now what we find is, first and foremost, organizations are seeking privacy and security solutions that balance their organizational business needs against the mandate for workable privacy and security safeguards. ... HIM professionals have the knowledge and expertise to guide their organizations' implementation of the appropriate security measures necessary to respond to the threats identified through a formal risk assessment, and they participate in those risk assessments.
Culture of Privacy
ANDERSON: So how can the members of AHIMA help their organizations develop a culture that values privacy and security?
DOWLING: ... If we recognize that the people components and process components and technology components must work together to produce an outcome, then the culture of the people actually is a critical part. Otherwise the technologies and the processes are not going to have an effect.
So the roles and responsibilities that staff members have probably should be divided so that a single end-user can't subvert an entire critical process. Separation of duties assures that checks and balances are in place, so they tend to be very important. You could argue that with computer-based systems, there is not that much difference from manual environments if one wanted to corrupt the data or use it inappropriately. But I argue that with information systems, we can do more damage faster if, in fact, we are not careful. Hence the dividing of roles and responsibilities is a little bit different than in the old manual days.
We know that functions should be restricted according to the person who is accessing the information and their requirements for the use of that information -- the military would call this a "need to know." We know that when we partition access to information, we provide protections such that no one individual, if they have mal-intent, can actually misuse the information entirely. So this breaks down into the areas of management controls. These are the issues and activities that must be addressed by management in the organization's formal information security program. These issues focus on the management of the information, the rights of access to the information, how we assure limited access to the information and the other types of activities dealing with policies and procedures and plans that incorporate not only the institution's intent, but also all relevant state and federal regulations and laws.
Then you have the operational controls; these deal with how we execute policies. They are implemented and executed by staff at all levels of the organization. Operational controls would include contingency planning; awareness and training; physical environmental protections and segregations, with computer support and operations being part of this; and the management of security breaches.
So what we want to do is create an environment for preventing a breach or security malpractice from occurring. But then we also want to identify a breach and limit it if, in fact, it has occurred, and rapidly respond to it. The technical controls are fairly sophisticated these days, but it seems that people enjoy trying to find ways of corrupting them anyhow.
Security Controls
Technical controls include ... authentication, security of the underlying technologies, access control, audit trails and cryptology. They also include probabilistic analysis of breaches, so that if we know a certain data class has a certain characteristic, then if we screen information and find out that there is now an abnormal instance of something we can react to that.
So for example, if we know that there is a particular disease process that requires certain prescription medication, and we are doing 1,000 cases of this a month on average, but suddenly this spikes to 5,000 cases and there is no epidemiological underpinning for that, then we may suspect that there is some kind of breach involved - the use of information for inappropriate purposes. Now to properly secure information in any organization we have got to train our staff members. This gets back to ... what their responsibilities are based on their job specifications and positions. We have got to develop a process for evaluating that training effectiveness and its reliability and its validity. This should include provisions for updating the trainers, updating the staff's training periodically. And I feel that it also should include testing of the staff.
I have been in situations in which we were able to demonstrate that an individual proved through testing that they knew what to do and how, and when they breached information, they couldn't claim that they didn't know either the policy or the procedures. So it tends to be very useful not to just react and punish an individual. ... If people know in advance that we take privacy and security seriously, then they are less likely to engage in the risky behavior of corrupting the information or using it inappropriately. So employee sanctions for violations of privacy have got to be established, fairly administered and, quite frankly, well known. The staff really needs to understand that we are serious about this and we are going to enforce it. ...
HITECH EHR Incentives
ANDERSON: As many hospitals and clinics prepare to apply for HITECH Act incentive payments for using electronic health records, they are taking steps to make sure those records remain private and secure. So what advice would you have for those organizations that are implementing their very first EHRs or expanding their use of electronic records about how to protect those records?
DOWLING: One could argue that implementing an EHR for the first time gives you the opportunity to do things right from the beginning. Sometimes it is actually easier to do that than trying to retread a technical environment that is well-entrenched but not overly supportive. ... Acquiring software from a reputable vendor that has a track record of providing software support and security controls is an essential piece of the selection and contracting process.
I would also advise organizations to take a look at what the vendor is intending to do about privacy and security support within their software so that the organization that is selling the software knows that the client, the new adopter, is very serious about this and wants the vendor to stay apace of the federal and local requirements for that capability. They must go ahead and assess and create a policy as to what their stands on privacy and security are going to be.
... Organizations need to think through how they need to change security and privacy policies in advance of the new software coming in so that they have time to implement those changes in a manual environment and then make sure that they are supported in a computer-based environment. ...
HITECH Breach Notification Rule
ANDERSON: Some members of Congress and consumer advocates have called for removal of the so-called "harm standard" in the pending final version of the HITECH Act breach notification rule. That standard enables organizations to conduct a risk assessment to determine if a security incident represents a significant risk of harm to individuals and thus needs to be reported to federal authorities and the individuals affected. So would your association like to see the "harm standard" removed or see other modifications in the final version of the rule that is still pending?
DOWLING: Well AHIMA has been in favor of keeping the "harm standard." However, we do feel that a more defined structure and definition as to what constitutes harm is indicated. There is a danger that by reporting every possible breach of any possible severity, we may, in fact, numb the public from reacting when a real breach, or an important breach, or a significant breach, actually occurs.
We also know that the operational impact, the economic impact and the impact to healthcare delivery of a requirement to report all breaches, versus just important or serious breaches, is significant. ... Federal authorities, working with the healthcare community and consumer groups, need to better define this rule. ... The fact that we have state breach rules with varying requirements in addition to the federal rules makes the entire process sometimes confusing for healthcare delivery organizations or others handling health information, much less consumers. So harmonization of these laws and standards probably would be in everyone's best interest. Now I know that that gets into the issue of ... state versus federal rights. But if we are all working on the same side of this and trying to do the right thing, harmonization, I believe, is possible. It is helpful to see government take action on situations where neglect has caused a breach. In other words, it is appropriate for government to put in place standards, expectations and reactions to help assure the policy (national policy or state policy) is enforced so the public does have some level of trust in the protection of their information. That trust is essential, not only to the patient but to the provider, the insurer, the government and virtually everyone involved in the health industry.
EHRs, HIEs and Privacy
ANDERSON: Finally, if the HITECH incentive program succeeds in promoting the widespread use of electronic health records, as well as the sharing of records via health information exchanges, what will be the key to winning the public's trust that their information is adequately protected?
DOWLING: We have seen communities react to the potential of a health information exchange coming into their environment when the reaction is very significantly based on "Can I trust it or not?" ...
It is going to be important for adoption at the personal level, which is going to be essential, for that trust to exist. So the issue is, what can we do about that? The public really needs to know laws and regulations do exist and they are taken seriously and that they are going to be enforced. In other words, the privacy of the information is sacrosanct and government will, in fact, recognize that and support that. That means identifying and, if necessary, punishing inappropriate use of information. That ranges from personal gain all the way through the other end of it -- discrimination based on this information. ...
We need to make sure that all of our staff and our institutions are trained appropriately and tested, and that retention in their positions is based, in part, on assuring the compliance with the privacy and security policy -- that there are very significant repercussions for misuse of information.
We need to make sure that people know that we have active security processes in place; that we are proactively preventing breaches to the greatest degree possible. ... So the education of patients and caregivers is, quite frankly, equally important. We need to let people know that we do have this public commitment to the protection of the information. If we assure that information and HIEs are safeguarded ... that will help.
So, for example, one community decided that they would participate in a health information exchange, but if and only if there were a specially designed non-profit organization whose sole purpose was to be there to protect that information and provide the service to the others who needed the information. That community decided they did not want a for-profit organization that could be sold to another entity and the privacy assurances might be changed under the sale. We obviously need to be able to react publicly and immediately to breaches to reinforce the trust. And we need to make sure that our organizations really do know the laws, do have the policies and are going to react appropriately.
If we do all of those things, then we may well get to a situation in which there is sufficient trust so that people will be more readily involved in very important things like health information exchanges and personal health records and so forth. Without it, we may be in a situation in which trust is not there and we have very significant adoption problems.