
Take extra precautions to protect EHR security and confidentiality

HIPAA Training Advisor, December 13, 2007

Feeling insecure about your health data security? If so, it is no wonder, considering the frequent security breach headlines and the eHealth Vulnerability Reporting Program's declaration in September that many electronic health record (EHR) systems are at risk for security threats. How worried should providers be, and what should they do to bolster security against would-be hackers?

"There is a risk of exposure of the medical record," says Norm Martel, president of Medical Technology Research Corp. in East Kingston, NH. Hackers traditionally pursue money by targeting financial information that's available through entities such as financial companies, banks, and retailers. Because EHRs don't currently offer direct financial links, the risk of hacker break-in is probably low. However, that risk certainly does exist, Martel says, and keepers of EHRs should take preventive steps to avoid a security breach. Be sure your HIPAA compliance efforts include the following:

1. Creating a security plan. Organizations should create a security plan and perform a gap analysis to see where their current security efforts are weak. "Put some value and some costs on the gaps that are there, and then take whatever action fits your budget and needs," Martel says.

Some small facilities might feel that certain security measures are not worth the cost or trouble, Martel says. They can achieve a basic level of protection by taking minimal steps, such as locating their server behind a locked door or in the back of the office. They can also position receptionists behind a low wall or a window that opens and closes, secure equipment using cables, and use clinician laptops that do not contain any sensitive information and only serve as conduits.

2. Understanding security, privacy, and the law to ensure compliance. Although security and privacy laws vary over time and from state to state, healthcare organizations can take steps to help ensure compliance with legal requirements, says Helen Oscislawski, Esq., healthcare attorney at Fox Rothschild, LLP, in Princeton, NJ.

Start by reviewing HIPAA's privacy and security rules, which provide the minimum privacy and security requirements that healthcare organizations must meet. Once you've reviewed the federal government requirements for privacy and security regarding healthcare records, move on to the state level. Some of what your state requires might overlap with the federal privacy rule and security rule, and some of it might be more stringent and specific than the federal standards.

3. Determining where patient information resides and what employees are doing with it. Identify all of the places where your organization stores and transmits health information. Don't forget to take portable devices, such as a BlackBerry® or laptop that a physician or other healthcare provider may take outside the healthcare facility, into account. Conduct interviews and a risk assessment to determine how employees handle patient information.

"A lot of organizations may not realize what their employees are doing with the information," Oscislawski says. For example, employees who take work home are putting information at risk because their car could get stolen with the patient records inside. "Your healthcare providers should not be taking home those records in their car," Oscislawski says. "The policy really should be that nothing leaves the facility without adequate safeguards to protect that information."

4. Drafting tight policies and procedures. Considering what the law requires and keeping your facility's handling of patient information in mind, create and enforce specific policies and procedures related to security and privacy.

5. Following through with policies and demanding accountability. If employees do something inappropriate with information and break the law, they should face appropriate sanctions. "In order to have accountability, you have to have very clear sanction policies in place," says Oscislawski. Some providers have implemented zero-tolerance policies, firing any employee who does something egregiously wrong, even for a first-time offense. Not all organizations go to that extreme, but they should create, communicate, and enforce clear and appropriate sanctioning policies.

Seek help when appropriate

"Four years after HIPAA, there is still so much confusion," Oscislawski says. "There is truly a lack of accurate understanding across the states on what can and cannot be done and when under the law." Many people err on the side of not sharing information, which can be harmful.

"Take the time to hire a consultant or an attorney or somebody who truly understands HIPAA and how HIPAA interacts with your state laws," Oscislawski says. This individual should also be well versed in the laws that apply to you as a particular type of provider, as well as your type of organization. For example, he or she should be familiar with the laws as they relate to nurses, doctors, or psychiatrists in a hospital, clinic, or mental health facility. "Get that understanding, and get your policies and procedures right," she says.
