It’s time to beef up your information security
Congress has a deadline, and so do you
Congress is facing an August deadline for enacting legislative protections to guarantee the privacy of medical records. And while this issue may not be exactly at the top of Congress’ priority list this year, it should be at the top of yours.
That’s because even if Congress fails to meet the deadline, the Clinton administration has the power to implement new standards by regulation. In his State of the Union address in January, President Clinton stated, "We will protect the privacy of medical records, and we will do it this year."
One way or another, health care facilities will be facing new information security standards. If you’re not already in line, you may be one of a number of facilities around the country in a panic to comply, say officials at the American Health Information Management Association (AHIMA) in Chicago.
"A lot of people will have to move quickly to get up to speed. There’s going to be a huge learning curve," says Harry Rhodes, MBA, RRA, professional practice manager for AHIMA. "Some people have the attitude that they don’t want to do anything until they’re directed to because they might be going down the wrong path. But the proposed rules are already out there. They won’t change much in the final draft. Get a copy and get started."
Donna Shalala, U.S. secretary of health and human services, last August proposed the standards that likely will be adopted this year.[1] The standards were designed to protect all electronic health information from improper access or alteration and to protect against loss of records. They were mandated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
All health plans, health care providers, and health care clearinghouses that maintain or transmit health information electronically will be required to establish and maintain safeguards to ensure the integrity and confidentiality of the information, according to HIPAA. Such safeguards include developing a security plan, providing training for employees, and securing physical access to records. Digital signatures that verify the identity of the person signing must be used when an electronic signature is required for one of the standard transactions specified in the law.
"A good percentage of hospitals already realize the problem, but there’s still a lot of work to be done," Rhodes says. "There are a lot of misconceptions. People think because it’s on the computer, it’s pretty secure, and that’s not true. As the general population becomes more computer literate, it’ll be easier to get into most systems."
AHIMA offers a flowchart of patient information both inside and outside the health care industry, which shows myriad opportunities for information to escape. (See flowchart, p. 32.)
"We’ve gone from paper records that were hard to get a hold of to automated records that take only seconds to make a database. We’ve done that without the proper controls in place," Rhodes says. "It’s so easy to create databases and capture information. There’s information about you blowing all around. The more people you let in on the secret, the harder it is to keep the secret."
With the proliferation of databases — Rhodes says he gets calls daily about new ones being created — comes even more potential for mistakes. It is likely that state databases, for example, would be managed by people with no health care background and who probably would not be thinking about protecting confidentiality. All it takes is for a few providers to forget to scrub out the identifying information on the claims they submit to the database, and you have thousands of records out in public. "We can create, disseminate, and share information faster than we can write policies and procedures and figure out the ethical ways to deal with it," Rhodes says. "The technology has evolved faster than our ability to cope with it."
Some hospitals haven’t taken the extra steps because it can be a huge administrative burden and because staff sometimes complain, Rhodes says. "If Dr. Jones is only able to view Dr. Jones’ records in the system, he may have to get clearance when he gets a new patient. So, hospitals say all doctors can look at all records — until one of the doctors looks at his estranged wife’s records."
But a few staff complaints are probably better than a lawsuit. Therefore, Rhodes says, bite the bullet and incorporate security measures, especially audit trails, in your system. Paper audit trails reviewed after the fact don’t help; what you need is a system that sends an alarm to the information security officer when someone tries to access something they shouldn’t. "You can catch it right away if you deal with it in real time," Rhodes says. "You can’t close the corral gate after the horses get out."
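The real-time audit-trail alarm Rhodes describes, together with the "Dr. Jones can only view Dr. Jones’ patients" access model from the previous paragraph, as an added illustration that is not code from the article, AHIMA, or Hartford Hospital: a small Python monitor that checks each electronic-record access against a care-team table the moment the log entry arrives and notifies the information security officer immediately, instead of leaving the review to a paper trail after the fact. The log format, user names, patient identifiers and the CARE_TEAM table are all constructed for this example; a real system would derive the care relationship from admissions or orders data.

```python
"""Real-time access-audit alerting over constructed hospital record-access logs."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set

# Constructed (hypothetical) care-team table: which patient records each
# clinician currently has a treatment relationship with. In production this
# would be derived from admissions/orders rather than hard-coded.
CARE_TEAM: Dict[str, Set[str]] = {
    "dr_jones": {"P1001", "P1002"},
    "nurse_lee": {"P1002", "P1003"},
}

# Constructed sample audit log, one access per line: timestamp|user|action|patient
SAMPLE_LOG: List[str] = [
    "1999-03-02T08:14:05|dr_jones|VIEW|P1001",
    "1999-03-02T08:20:11|dr_jones|VIEW|P1002",
    "1999-03-02T09:02:47|dr_jones|VIEW|P2001",   # not one of Dr. Jones' patients
    "1999-03-02T09:15:30|nurse_lee|VIEW|P1003",
    "1999-03-02T09:40:02|unknown_user|VIEW|P1001",  # account not in the table
    "1999-03-02T10:01:00|dr_jones|EDIT|P2001",   # second attempt on the same record
    "this line is not a valid audit record",      # damaged or truncated entry
]


@dataclass
class Alert:
    timestamp: str
    user: str
    action: str
    patient_id: str
    reason: str


def check_access(line: str, care_team: Dict[str, Set[str]]) -> Optional[Alert]:
    """Return an Alert if this access should wake the security officer, else None.

    A malformed entry is itself alerted rather than silently skipped: a gap in
    the audit trail is a finding, not something to drop on the floor.
    """
    parts = line.strip().split("|")
    if len(parts) != 4:
        return Alert("?", "?", "?", "?", "malformed log entry")
    timestamp, user, action, patient_id = parts
    allowed = care_team.get(user)
    if allowed is None:
        return Alert(timestamp, user, action, patient_id, "unknown user")
    if patient_id not in allowed:
        return Alert(timestamp, user, action, patient_id,
                     "no care relationship with patient")
    return None


def monitor(lines: Iterable[str], care_team: Dict[str, Set[str]],
            notify: Optional[Callable[[Alert], None]] = None) -> List[Alert]:
    """Evaluate each log entry as it arrives and notify on every alert immediately.

    `lines` may be a file object or any other stream, so the check runs in real
    time rather than as a batch review. The list of raised alerts is returned
    for later reporting.
    """
    raised: List[Alert] = []
    for line in lines:
        alert = check_access(line, care_team)
        if alert is not None:
            raised.append(alert)
            if notify is not None:
                notify(alert)   # e.g. page or e-mail the information security officer
    return raised


if __name__ == "__main__":
    # Stand in for the pager/e-mail hook with a print so the example runs offline.
    monitor(SAMPLE_LOG, CARE_TEAM, notify=lambda a: print("ALERT:", a))
```

The care-team check is the policy Rhodes outlines: a clinician sees the records of patients under that clinician’s care, and everything else trips the alarm while the session is still open. Accesses are evaluated one entry at a time so the notification happens as the event occurs; collecting the same entries into a report for the next morning would only tell you which horses have already left.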
Jayne Lawson, RRA, information security manager at Hartford (CT) Hospital, says improving information security is good practice whether the legislation is enacted or not. Hartford has been beefing up its information security in recent months through a multidisciplinary team charged with addressing information needs and educating staff.
"It’s important for everyone in the organization to know they’re responsible for information, even if they don’t work on a computer all day," Lawson says. "Even the janitor may run across information that should be confidential. And we’re trying to enforce information security across the board. Employee and financial information are just as important as patient records."
Last summer, the hospital added an information security awareness segment to its employee orientation program with a video featuring an introduction from the hospital’s president. The team also developed a yearly educational program for existing staff that covers the topic in-depth, giving information such as confidential ways to send e-mail. A new section on security was added to the employee handbook, and articles on the topic appear periodically in the hospital’s internal newspaper. Staff are asked to sign confidentiality agreements when they’re hired and at their annual review.
"We’re reinforcing some common sense ideas, like don’t give out your password," Lawson says. "If you’re using a PC in a public area, sign off before you walk away. And only look for information that you need in your role. We want people to know that just because they work here, it doesn’t mean they can have access to any and all information they may want."
[For more information, contact Harry Rhodes, professional practice manager at AHIMA, 919 N. Michigan Ave., Suite 1400, Chicago IL 60611. Telephone: (312) 573-8586. Web address: www.ahima.org. Or contact Jayne Lawson, information security manager at Hartford Hospital, 80 Seymour St., Hartford, CT 06102-5037. Telephone: (860) 545-5118. You can find the proposals at www.hcfa.gov under the laws and regulations section.]
Reference
1. 63 Federal Register 43,241-43,280 (Aug. 12, 1998).