
Prepare for HIPAA hot spots

By HealthLeaders Media Staff, March 12, 2009

The ever-increasing role of technology in healthcare will bring security and privacy challenges to the forefront for physician practices in 2009. Consider the following expert predictions.

Disaster recovery planning. Disaster recovery planning has always been a challenge, but it will pick up steam in 2009 because of the continued automation of healthcare records across the industry, says William M. Miaoulis, CISA, CISM, manager of HIPAA Security Services at Phoenix Health Systems in Montgomery, AL. To know whether your current disaster recovery plan is up to par, Miaoulis says providers must first ask themselves these questions:

  • If your computer systems went down, would you have access to medication history and lab results?
  • What would be the effect to your current patients?
  • Would the way you deliver care be affected?

Minimum necessary standard. The minimum necessary standard, a key protection of the HIPAA privacy rule, requires covered entities to make reasonable efforts to limit the protected health information (PHI) they use, disclose, or request to the minimum necessary to accomplish the intended purpose.

The challenge is defining what is "reasonably necessary" and determining how you will manage these uses, disclosures, and requests.

The minimum necessary standard doesn't apply when information is:

  • Requested by a provider for treatment
  • Authorized by the patient
  • Needed by the Department of Health and Human Services or the Office for Civil Rights for a complaint investigation or compliance review
  • Required by law
  • Required for HIPAA compliance

Security audits. The Office of Inspector General (OIG) released a report on October 27, 2008, assessing how well CMS is enforcing the HIPAA security rule.

Although the OIG's report did not state whether the OIG has scheduled another performance review, it is highly likely to revisit CMS' progress in carrying out its HIPAA enforcement responsibilities. That should be a red flag for organizations, says John Parmigiani, MS, BES, president of John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and chair of the team that created the HIPAA security rule.

Organizations need to be aware that CMS and the OIG are continuing to audit for HIPAA security compliance. Health information technology initiatives, increased consumer awareness of data losses, and a new administration are additional drivers for stronger enforcement of healthcare privacy and security safeguards. Organizations may need to increase the money and internal resources they set aside for security compliance, says Parmigiani.

Medical identity theft. Healthcare organizations should also be aware of the Federal Trade Commission's Identity Theft Red Flags rule under the Fair and Accurate Credit Transactions Act of 2003 (FACTA), says Miaoulis, adding that the rule requires many healthcare organizations to implement programs to prevent and detect identity theft by May 1, 2009.

To mitigate the risk of identity theft, Miaoulis says organizations should take the following steps:

1. Research the FACTA Identity Theft Red Flags rule.

2. Implement the HIPAA minimum necessary standards to include demographic information. "Specifically, organizations should inventory which systems maintain the Social Security numbers and patients' birth dates," Miaoulis says.

3. Determine who has access to the information and whether that access is appropriate. For roles that require the use of patients' Social Security numbers, determine whether limiting access to the last four or five digits of the number would be sufficient. Organizations could also consider limiting the use of patients' birth dates, Miaoulis says, noting that it may not compromise patient care to see that someone was born in May 1970 rather than on May 15, 1970.
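Steps 2 and 3 above, as an added example in Python that is not from the article or from the experts it quotes: an inventory scan that reports which systems hold SSN- or birth-date-like fields, and a role-based view that reduces an SSN to its last four or five digits and a birth date to month and year. The systems, records, field names, role names, and policy levels are all constructed assumptions for illustration; a real organization would substitute its own.

```python
import calendar
import re
from datetime import date

# Constructed sample data standing in for three separate systems (not real patients).
SYSTEMS = {
    "ehr": [
        {"mrn": "A1001", "name": "Pat Example", "ssn": "123-45-6789",
         "dob": "1970-05-15", "last_a1c": "6.1"},
    ],
    "billing": [
        {"account": "B-77", "guarantor": "Pat Example", "social": "123456789",
         "birth": "1970-05-15", "balance": "120.00"},
    ],
    "scheduling": [
        {"appt_id": "S-9", "mrn": "A1001", "slot": "2009-03-12T09:00"},
    ],
}

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")   # 9 digits, with or without dashes
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")      # a bare ISO date (timestamps excluded)


def looks_like_dob(value):
    """True for a plain ISO date with a plausible birth year."""
    if not DATE_RE.match(value):
        return False
    return 1900 <= int(value[:4]) <= date.today().year


def inventory_identifiers(systems):
    """Step 2: map each system to the field names carrying SSN- or DOB-like values."""
    found = {}
    for system, records in systems.items():
        fields = set()
        for rec in records:
            for field, value in rec.items():
                if SSN_RE.match(value) or looks_like_dob(value):
                    fields.add(field)
        if fields:
            found[system] = sorted(fields)
    return found


# Hypothetical role policy (assumption: each organization decides these levels).
ROLE_POLICY = {
    "registration": {"ssn": "full", "dob": "full"},
    "clinician": {"ssn": "none", "dob": "full"},
    "billing": {"ssn": "last4", "dob": "month_year"},
    "front_desk": {"ssn": "none", "dob": "month_year"},
}


def mask_ssn(ssn, level):
    """Return the SSN at the requested exposure level, or None to omit it entirely."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    if level == "full":
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    if level == "last5":
        return f"***-*{digits[4]}-{digits[5:]}"
    if level == "last4":
        return f"***-**-{digits[5:]}"
    if level == "none":
        return None
    raise ValueError(f"unknown SSN level {level!r}")


def coarsen_dob(dob_iso, level):
    """Full date, month and year only (e.g. 'May 1970'), or None to omit."""
    d = date.fromisoformat(dob_iso)
    if level == "full":
        return d.isoformat()
    if level == "month_year":
        return f"{calendar.month_name[d.month]} {d.year}"
    if level == "none":
        return None
    raise ValueError(f"unknown DOB level {level!r}")


def view_record(record, role, ssn_field="ssn", dob_field="dob"):
    """Step 3: a copy of the record with identifiers reduced to what the role needs."""
    policy = ROLE_POLICY[role]
    view = {k: v for k, v in record.items() if k not in (ssn_field, dob_field)}
    ssn = mask_ssn(record[ssn_field], policy["ssn"])
    dob = coarsen_dob(record[dob_field], policy["dob"])
    if ssn is not None:
        view[ssn_field] = ssn
    if dob is not None:
        view[dob_field] = dob
    return view


if __name__ == "__main__":
    print(inventory_identifiers(SYSTEMS))
    for role in ROLE_POLICY:
        print(role, view_record(SYSTEMS["ehr"][0], role))
```

The scan is deliberately pattern-based so it also catches identifiers stored under unexpected field names (here `social` and `birth` in the billing system), which is the point of an inventory. The view function removes a field rather than blanking it when a role's level is `none`, so downstream screens cannot display a value they were never given.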


Editor's note: This article was adapted from one that originally appeared in the January issue of Briefings on HIPAA, a publication from HCPro, Inc.
