
Hospital Privacy, Security Officers Make Their Wish Lists

By dnicastro@hcpro.com | December 21, 2010

What is on the holiday wish list for privacy and security officers?

According to a recent Ponemon Institute study on data security, it's more staff, more time, and more resources to protect patient privacy.

Of the 65 hospitals surveyed, most in the 100- to 600-bed range, 71% said they have inadequate resources to prevent and quickly detect patient data loss. We caught up with some privacy and security officers ourselves to see what they're hoping for this holiday season:

1.      No breaches. "[I want] to have no breach incidents so I don't have to face an OCR audit," says Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer at St. Dominic Jackson Memorial Hospital in Jackson, MS.

Too bad wishes aren't retroactive. 2010 saw a few data breach whoppers. In September, Lucile Salter Packard Children's Hospital at Stanford University was fined $250,000 by California health officials for failing to report within five days a breach of 532 patient medical records in connection with the apparent theft of a hospital computer by an employee.

In October, a computer flash drive containing the names, addresses, and personal health information of 280,000 people went missing, one of the largest recent security breaches of personal health data in the nation.

And in November the Connecticut Insurance Commission announced a settlement with Health Net in which the insurer agreed to pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.

2.      More time. "I wish for more time to study the regulations in depth so that I am at my 'knowledgeable best' when discussing and training [on HIPAA issues]," says Boggan.

3.      More staff. Boggan says she would like more staff, which she hopes would translate to fewer work hours. "An elf to help me magically finish all of my work in a goodly timeframe would be a Christmas miracle!" says Brandon Ho, CIPP, HIPAA compliance specialist for the Pacific Regional Medical Command based at Tripler Medical Center in Honolulu.

4.      Employees who follow the HIPAA rules. Boggan says she wishes for employees to access only that information they need to do their jobs. "It's a no-brainer, but you'd be amazed at what hits the audit reports," she says. She hopes to never receive another e-mail notification stating that a user has triggered an exception in the hospital's auditing system.

 


A former UCLA Healthcare System employee who admitted to illegally reading private and confidential medical records, mostly from celebrities and other high-profile patients, was sentenced to prison in April.

Debra A. Mikels, OTR/L, says she wishes for the day when safeguarding confidential information becomes embedded in staff members' daily work and is not thought of as something "extra."

And how to make that happen? Mikels, corporate manager, confidentiality, at Partners HealthCare, the Boston-area healthcare system, is also wishing for the continued promotion of best practices and lessons learned with respect to safeguarding that confidential information.

5.      A smooth road to reach the era of the total EHR. "I wish that the meaningful use journey to total EHR becomes less cumbersome as time goes on," says Boggan.

Nancy Davis, MS, RHIA, director of privacy/security officer at Ministry Health Care in Sturgeon Bay, WI, says technology can provide better patient access to their medical records. She wishes for patient portals interfaced with patient personal health records (PHR), giving patients access to the information they need to manage their health.

6.      Foolproof encryption processes. "I wish we would just go ahead and effectively implement a data encryption program that meets the HITECH Act criteria," says Frank Ruelas, director of compliance and risk management at Maryvale Hospital in Phoenix and principal, HIPAA College, in Casa Grande, AZ.

That would eliminate worries for privacy and security officers about seeing their facility's name on the OCR website for breaches, on the front page of the local paper, or as a lead story on the local television news report, he says.

Encrypted portable devices would also save headaches, says Davis, "so when they are lost or stolen there is no threat of PHI disclosure."

7.      Safe use of social networking websites. "I wish all social networking sites were equipped with tools that prevented anyone from posting any patient-related information," says Ruelas. That would help mitigate people being surprised by "stuff" that originates from these sites, he says.

8.      More safeguards to protect PHI. "I hope that technology continues to be enhanced to support patient privacy," says Mikels. "This should be meaningful and non-burdensome to the user, and should support patient care and safety."

Ruelas says he would deactivate any and all USB port functions that allow data to be downloaded and subsequently taken offsite in an unauthorized manner.

"These handy little devices, with all their storage capability, can create big issues," Ruelas says.

Ponemon's "Benchmark Study on Patient Privacy and Data Security" may be viewed here.

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
