Training Key to HITECH Prep
AHIMA's Dan Rode offers compliance tips
In an interview, Rode also advises hospitals preparing for HITECH compliance to develop a detailed plan for reporting data security breaches and make sure that their business associates have similar plans in place. And he makes a strong case for greatly expanded use of encryption of electronic health records and other clinical information.
Rode, vice president for policy and government relations, is a leader in the standards arena. He was among those who drafted the data standards that ultimately were incorporated in the Health Insurance Portability and Accountability Act.
HOWARD ANDERSON: This is Howard Anderson, Managing Editor at Information Security Media Group. We are talking today with Dan Rode, vice president for policy and government relations at the American Health Information Management Association. Thanks for joining us today, Dan.
DAN RODE: Thank you, Howard.
ANDERSON: Please briefly describe AHIMA's mission.
RODE: AHIMA is a non-profit, professional health association. We have about 54,000 to 55,000 members across the United States working in various provider settings, insurance and health plans, government agencies, just about any area where there is health information.
Essentially the mission is to advance best practices and standards in health information management, and the association itself wishes to be a trusted source for education, research and professional credentialing.
ANDERSON: And your role with the association is primarily what?
RODE: As vice president of policy and government relations, I work with federal agencies, the United States Congress, and with some of the standards bodies, especially standards bodies associated with classifications and terminology.
ANDERSON: What advice would you give hospitals on how to prepare for complying with the new data breach notification rule, which the federal government will begin to enforce in February? What are a few things that should be on everyone's checklist?
RODE: One of them is obvious; there has to be a retraining of the workforce associated with these organizations. Workforce includes volunteers that work in the institution, physicians who work there but may not be employed by the organization, as well as all of the employees.
Now there is supposed to be an ongoing training process under HIPAA, but we know that that has not been as active (as it should be) in some organizations...over the last few years. This is the time to bring folks back together not only to reiterate the HIPAA changes that have come about...in the HITECH legislation, but also then to review specifically the breach notification requirements.
If we can prevent these breaches then the notification is a moot point. So it is important to do that as well as to have a plan in place that employees understand will go into effect if a breach should occur so that there is no question that the organization has taken care of any mishap that may have happened. Associated with that is actually putting that plan into place--who will be involved in any breach notification situation, what kind of an approach will the institution take to doing an analysis or risk assessment of the particular incident and then what steps will be taken within the organization and with any business associates that may be involved in a particular situation to resolve the issue and make sure that consumers are protected and that the letter of the law is (followed). There is also, of course, the need to reiterate with business associates what the expectations are... so that there is no misunderstanding of what is to happen and when it is to happen. We have posted a number of (tips) on our web site, www.ahima.org. We have also included a template for a letter that could be used for a breach notification if necessary.
ANDERSON: Do you think that most business associates of hospitals are aware of these new breach notification requirements and are preparing to comply?
RODE: I have my doubts. I have seen a few surveys that would suggest that the answer is no, they haven't, and I expect that those that have most likely are working with the institutions--hospitals and clinics--that have taken the steps I just mentioned and have gone to them and said, "OK, what are your plans and what are you going to do?" There has been...really mixed publicity or education about this. There certainly was a lot when the regulations came out in August and some in September as the implementation dates were met, but there really hasn't been, from my observation, a lot of ongoing stories or information going out to these business associates. We know in talking with our members that many hospitals have 50, 60, 70 different business associate agreements. If the hospital hasn't taken the steps to notify those business associates, then I expect that they may not be on the ball. Many of them, of course, may have gotten something from the hospital back when the original business associate agreements came into place in the mid-decade, but since that time, they have probably not had much of an experience with it.
ANDERSON: Under the breach notification rule, organizations that encrypt patient data don't have to report a breach because the data is assumed to be secure and unreadable. So is AHIMA encouraging its members to take a closer look at encryption?
RODE: Absolutely. We think that it is a simple way to approach it. We think that more education needs to be done in this area. It sounds like a very difficult task, and yet many of the software applications utilized by healthcare providers and payers have the capability of encryption. It is just that people don't know how to use it.
ANDERSON: On December 30, the federal government issued proposed initial standards, implementation specifications and certification criteria for electronic health records as part of the EHR incentive effort under the economic stimulus program. To get federal incentive payments, hospitals and physicians must use certified records software. The proposed certification criteria for that software require EHRs to meet the existing HIPAA security rules. But the criteria also specifically require that certified EHR software must include specific encryption capability. Do you have a feel for whether most electronic record applications on the market include encryption now?
RODE: I am going to say "mixed" on that one...Certainly the criteria and the evaluations that have been done by the CCHIT have had a security requirement for at least a couple of years now...but there is a lot of software out there that has yet to be reviewed by CCHIT. And, of course, I expect that as soon as vendors feel comfortable moving forward based on the notice of proposed rule making on certification that you mentioned, we will start to see more of those products (EHRs with encryption) available. Hopefully that will mean that providers that don't have (an EHR with encryption capability) will move up to a new version that does.
But again, I think part of this is an education piece. The question may be are vendors taking the time to work with providers to show them how to use encryption or how they might be able to meet the HIPAA requirements. One of the issues that I know we have been very concerned with in the whole implementation of electronic health records is providing the hands-on implementation assistance to individual practitioners in organizations on implementing their EHRs properly. It is really something that we are glad to see has received some attention in the HITECH Act, but a lot more needs to be done so that folks are not just buying the technology, taking it out of the box, but not utilizing it correctly. The whole term "meaningful use" doesn't get down to the nitty-gritty of "are you using your encryption software correctly," but, quite frankly, that really needs to be something that practitioners and organizations need to take on.
ANDERSON: Also on December 30, the government issued proposed "meaningful use" criteria describing how hospitals and physicians can qualify for incentive payments from Medicare and Medicaid for actually using electronic health records. The proposal states that to qualify for Stage One, or the first round, of incentive payments, hospitals and physicians need to "conduct or review a security risk analysis of certified EHR technology." Can you please help explain what you think that means?
RODE: Well my interpretation, subject to changes between the proposed rule and the final rule, would be (once) I have purchased technology that has been certified through whatever that process will be, which is a third rule that is supposed to be coming out in the next several weeks, I then do a risk assessment of that technology against my privacy and my security activities that I should have been doing under HIPAA.
If you recall, the HIPAA security rule really requires that an ongoing or periodic security analysis or risk assessment be done at an organization. So in bringing in this new technology or an improved version of this technology, an organization really has to then look at how that fits into the risk assessment and the other work that is being done, which gets back to the question of whether, especially in smaller organizations or in physician practices, the expertise is there to do that.
ANDERSON: A recent HIMSS survey showed most hospitals spend less than 3 percent of their IT budget on data security. Do you think hospitals in general will be spending more on data security in the years ahead as they automate more clinical information?
RODE: Well I think they will want to. Hospitals are spending a smaller percentage of dollars on information technology than comparable organizations do in other industries. So we are way far behind in everything we are doing...Part of that has to do with our reimbursement systems and some financial issues that are certainly beyond the control of HIM managers and HIT managers at this stage of the game. So the desire may be there, but I think it is really going to be subject to whether they have the resources.
Now that said, one of the other things that I think we have to watch will be how these resources will be forthcoming and whether, with essentially the new market that is being set up under this incentive program, some of these products become more available, maybe cheaper, maybe easier to use. If that is the case, maybe there would be some shift in that direction....You may want to implement security as best you can, but you only can do that within the resources you have.
ANDERSON: Finally, AHIMA represents health information managers, including those that work at medical records departments at hospitals. Over time, do you expect health information managers eventually will be devoting more and more of their time to data privacy and security issues?
RODE: On top of that, we will have the health information exchange component, which also is going to (involve) both providing and requesting information in and out of an organization. So there is also going to be a need there for security. And beyond security, beyond the protection of the information, we also have to remember that security includes data integrity. One of our real concerns is in this movement of data in this collection/storage/release of information, in moving data from the primary source of the health record to various secondary uses, that the data integrity is maintained.
ANDERSON: Well thanks very much Dan. We have been talking with Dan Rode, vice president of the American Health Information Management Association. This is Howard Anderson at Information Security Media Group.