Creating EHR Privacy, Security StrategiesHITECH Act Incentive Program Compliance Tips
- Stresses the importance of conducting an annual risk assessment;
- Points out that privacy and security officers should have a strategic focus and collaborate with others in the region;
- Calls for comprehensive, responsibility-based training on privacy, and security issues, starting with senior leaders;
- Describes a detailed matrix, based on the Malcolm Baldridge National Quality Program's process measures, for carrying out privacy and security strategies to comply with the EHR incentive programs' requirements.
Patrick formed AP Health Care Compliance Group earlier this year. The company offers guidance on compliance, privacy and security. She formerly worked at several healthcare organizations, most recently as compliance and privacy officer for Greenwich Hospital. Among her many other roles, she was the first information security officer at Mount Sinai Medical Center.
Patrick is a member of the board of examiners for the Malcolm Baldridge National Quality Program and has served as an examiner since 2007. She is certified in health care administration, FACHE, and health care compliance, CHC. She was a founding member of the Greater New York Hospital Association's security workgroup and a contributing member of its compliance workgroup. She is a member of the auditing and monitoring tools editorial board for the Health Care Compliance Association.
HOWARD ANDERSON: For starters, why don't you tell us a little bit about your company and how you got involved as the co-author of this new white paper on the privacy and security implications of meaningful use for the North Carolina Healthcare Information and Communication Alliance.
PHYLLIS PATRICK: The AP Healthcare Compliance Group was formed earlier this year. We provide compliance, privacy, and security advisory services to the healthcare industry. I've been attending the NCHICA Privacy and Security Conferences for several years. The alliance is a tremendously valuable information source for people who work in privacy and security. So along with my co-author, Wayne Martin, we were asked to facilitate a pre-conference workshop for this year's conference, and the topic we were given was the privacy and security implications of meaningful use for academic medical centers. We had approximately 20 people representing various consultants and vendors, and our charge was to develop guidance for providers on how they could achieve meaningful use of EHRs in the context of their privacy and security programs.
Protecting EHRsANDERSON: Many hospitals and clinics are hoping to qualify as meaningful users of electronic health records so they can earn financial incentives from Medicare or Medicaid under the HITECH Act. So what is the single most important action they need to take to ensure electronic records are secure?
PATRICK: Well, in my opinion, if they have not already done so or if they have not conducted a risk assessment for more than a year, they should plan to conduct a full risk assessment, including an evaluation of their privacy and security programs. These are really the foundation not only for the implementation of electronic health records but also for meeting the criteria of meaningful use. In fact, CMS (Centers for Medicare & Medicaid Services) established five major goals for meaningful use, including ensuring privacy and security protection for personal health information.
I think that a lot of providers may have given a bit of short shrift to their security programs when they implemented them. Resources are always tight, but there was a sense, perhaps, that after complying with the HIPAA privacy rule, the HIPAA security rule was not seen by many as requiring the same type of implementation. The standards on the implementation specifications for the security rule have been there for several years, and many organizations are now sort of waking up to the fact that ... they'd better be doing a risk assessment. It really does provide the foundation for their programs.
Privacy, Security ReadinessANDERSON: The white paper offers a very detailed matrix to help healthcare organizations measure their privacy and security readiness as they qualify for the EHR incentive program. Please explain how the matrix was developed and offer a few examples of how an organization might put it to use.
PATRICK: We were trying to determine what we could provide as a tool organizations could use to create a snapshot of where they are with respect to meaningful use. How could they assess their organization's capability and maturity in achieving their implementation of their electronic health records and meeting the meaningful use criteria?
In the matrix there are two slightly different forms. One is aimed at determining the organization's capability to meet the meaningful use requirements, and the other one is to access where the key stakeholders are. ... You really need to start by identifying the key stakeholders in your organization.
So this matrix can be modified to fit the organization, but start with the key stakeholders. They might vary by organization, but we thought it was important to start with senior leaders. ... If you go across the matrix you'll see we've defined four categories of approaches: systematic approach, learning, alignment and integration. The definitions for these are included in the paper just preceding the matrix. We have borrowed from the Malcolm Baldridge quality criteria to define process measures. We thought that this would be a way to provide a snapshot and have the organizations use this to prompt discussion. Each organization has to assess its own readiness and its own approach, so it's not only a tool but it does provide a basis for holding these important conversations with the key stakeholders.
Privacy, Security OfficersANDERSON: In your white paper, you call on healthcare organizations to elevate the positions of privacy and security officers to key senior leaders with enhanced responsibilities for strategic planning. Why is that important? How should those roles be handled at smaller organizations that have more limited resources?
PATRICK: It's tough in any organization these days. I talk to a lot of privacy and security officers. Everyone is struggling, but again I will refer everybody back to the CMS goals. The goals that are set out for healthcare reform basically talk about improving quality, safety and efficiency; improving care coordination; improving public health; and engaging patients and families. Inherent in these goals are the concepts of the health information exchange. Regional, state and multi-state, organizations that have been formed. In fact, every state now has at least one HIE. ... So all of these things are happening, which really provides a mechanism for privacy and security officers to get involved.
A lot of these officers have been more inward focused, dealing with issues internal to the organization, but they need to be at the table in terms of being outward focused and being strategic so we don't reinvent the wheel, especially with the regional initiatives. We don't need to have different consent forms and different privacy policies for HIEs. ... That should be something that is looked at across the board, with input from the privacy and the security officers and the people with not only technological knowledge but good judgment and experience in this area. At smaller organizations ... I know some people are wearing three and four hats. It's not uncommon to see somebody who is IT director also serving as security officer. ... But the smaller organizations can get help from ... regional hospital associations ... on privacy and security. ...
Privacy, Security TrainingANDERSON: The white paper also emphasizes the importance of privacy and security training for management, board members and staff. What are the essential elements of a good training program?
PATRICK: First I would say that we tend to give the same training to everybody across the board and it tends to be the basic awareness training. But I have found, from my own experience in organizations where I have been in privacy and security, that it is best to start with the trustees with the senior leaders in terms of making sure that they understand what their role is and what their responsibilities are. Then, on an ongoing basis, you certainly need training that is comprehensive and you need to make sure everyone receives the training. There should be role-based and responsibility-based training that's continually refreshed, is based on scenarios and real life cases and is entertaining. It shouldn't be just simply the same online module every year. ... Organizations have begun integrating quality and safety into their cultures, and I think privacy and security specialists can probably borrow from some of their colleagues in those areas and break down some of the silos. Because a lot of the processes, outcomes the results are very similar, whether you're talking about privacy, security, safety, quality, risk, etc.
Staying InformedANDERSON: Finally, what are some of the other key steps that hospitals and clinics need to take to ensure the privacy and security of electronic health records?
PATRICK: It's very, very important to pay attention to what's happening nationally. I advise people to try to stay current by looking at the websites for the Office of the National Coordinator for Health IT and also the HHS Office for Civil Rights because that is where a lot of the guidance is coming from. ... Vendors who are business associates now have the same responsibilities as covered entities do under HITECH for protecting that information. So it's important to revitalize those relationships. ... And again, I would say break down the silos. If your organization is looking at safety and quality, why not look at privacy and security in the same way? It's really not that different. After all, it's really about protecting not only our own personal health information and that of our colleagues, but also that of our patients, our physicians, and others who come to our facilities.