Top HIPAA Lessons for Hospital Leaders

By Dom Nicastro, February 16, 2010

Editor's note: This is the second of a three-part series this week focusing on expert advice on complying with HIPAA and preparing for HITECH regulations. The HITECH compliance date for business associates to comply with the security rule is Wednesday, February 17. Part I of the series.

Don't leave all this HITECH and HIPAA stuff to the "tech folks." Hospital leaders should know by now the threat of a public relations nightmare because of a breach of unsecured personal health information (PHI)—just ask CVS.

It's a good time for the C-Suite to be involved in HIPAA compliance.

"'Security' often suggests 'techie stuff' passed off to the IT department," says Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, CPHIE, FHIMSS, of Margret\A Consulting, LLC, in Schaumburg, IL. "I believe attending to privacy and security protections should start with the CEO and trickle down to everyone, including all members of the medical staff. It needs to be an extension of the Hippocratic Oath: Do no harm and keep your mouth shut."

One good way to start is to learn from those who have not complied.

For instance, Providence Health & Services in Seattle in July 2008 reached a $100,000 resolution agreement for PHI breaches and had to implement a corrective action plan to ensure its security program.

Your organization must avoid similar problems, such as:

  • Unencrypted ePHI not otherwise safeguarded lost or stolen

  • Backup tapes, optical disks, and laptops—all containing unencrypted ePHI—removed and left unattended

  • Exposure of ePHI for patients (386,000 in Providence's case)

  • Management permitting employees to take home media containing ePHI despite a policy to the contrary

  • Lack of policy and procedure enforcement, including encryption policies

So how can you avoid those messes?

Kate Borten, CISSP, CISM, president of The Marblehead Group in Marblehead, MA, and John Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, offered some tips during their HCPro, Inc., audio conference after Providence got dinged:

  • Have a strong termination policy. When an employee is terminated or leaves your facility, completely suspend his or her access privileges.

  • Create a policy and procedure. "Lawyers would say having a policy and looking the other way is worse than not having a policy at all," Borten said.

  • Encrypt all information on the Internet. If it isn't encrypted, the information has the potential to be exposed, Borten said.

  • Always be prepared. "You really have to be on your toes and make sure you constantly are audit-ready," Parmigiani said. Conduct internal audits to keep on top of potential risks.

  • Keep your training programs active. Beef up training, especially for remote access employees, many of whom use mobile devices. "Make sure people understand there are rules of engagement," said Parmigiani. Update your training process frequently based on regulatory changes and offer your training via various methods. Don't just stick to classroom settings or online training; mix it up and make it ongoing, he added.

  • Act fast. Make sure you have an excellent detection and incident response program in the event a violation occurs.

  • Know your players. HIPAA security auditors will no doubt ask who is responsible for what at your facility. Everyone should be able to explain what they do and why, Parmigiani said.

  • Document compliance. "Lawyers will say if it's not documented, it did not happen," Borten said. "If it's not in the record, I don't have any evidence that it happened." To be audit-ready, thoroughly document your efforts to remain compliant.

  • Prepare for auditors, even if you're small. Smaller hospital systems are not impervious to an audit, Borten and Parmigiani agreed.

To find out more, go to the Briefings on HIPAA newsletter.
