Top HIPAA Lessons for Hospital Leaders
Editor's note: This is the second of a three-part series this week focusing on expert advice on complying with HIPAA and preparing for HITECH regulations. The HITECH compliance date for business associates to comply with the security rule is Wednesday, February 17. Part I of the series.
Don't leave all this HITECH and HIPAA stuff to the "tech folks." Hospital leaders should know by now the threat of a public relations nightmare because of a breach of unsecure personal health information (PHI)—just ask CVS.
It's a good time for the C-Suite to be involved in HIPAA compliance.
"'Security' often suggests 'techie stuff' passed off to the IT department," says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, of Margret\A Consulting, LLC, in Schaumburg, IL. "I believe attending to privacy and security protections should start with the CEO and trickle down to everyone, including all members of the medical staff. It needs to be an extension of the Hippocratic Oath: Do no harm and keep your mouth shut."
One good way to start is to learn from those who have not complied.
For instance, Providence Health & Services in Seattle in July 2008 reached a $100,000 resolution agreement for PHI breaches and had to implement a corrective action plan to ensure its security program.
Your organization must avoid similar problems, such as:
- Unencrypted ePHI not otherwise safeguarded lost or stolen
- Backup tapes, optical disks, and laptops—all containing unencrypted ePHI—removed and left unattended
- Exposure of ePHI for patients (386,000 in Providence's case)
- Management permitting employees to take home media containing ePHI despite a policy to the contrary
- Lack of policy and procedure enforcement, including encryption policies
- CMS Mulls Income-Adjusting MA Stars
- Providers Prep for New Payment Models as Population Health Grows
- As Retail Clinics Surge, Quality Metrics MIA
- Providers' Push to Consolidate Roils Payers
- 3 Ways to Rev Employee Development Programs
- Transforming Decision Support and Reporting
- Aligning Executive Compensation with Provider Mission
- Nurse Ethics Comes to a Head at Guantanamo Bay
- 6 Not-So-Good Reasons for Avoiding Population Health
- Former NQF Co-Chair Linked to Conflicts of Interest in Journal Probe