Are You Ready for an OCR Audit?

July 19, 2011
Providers Gear Up for HHS Office for Civil Rights Probes

Herzig is also closely watching the new rules around business associates being covered by HIPAA. “We still go into meetings with some vendors who haven't read the HITECH Act,” he says. “We are negotiating contracts and we tell them they have to go back and read it. And they and their subcontractors are really unaware that they will have to comply.”

Herzig says he has a strong seven-person HIPAA compliance team, and is lucky to have his CIO, Joan Hicks, also serving as UAB's privacy officer. “That is unusual,” he says. “She is a busy person, but if a situation comes up, she is right on it.”

Strong documentation is a key to compliance, he says. UAB uses an intranet site to document policies, procedures, and internal controls, including metrics around each one. “It is critical to have that documentation,” Herzig says. “That is the tool you are going to use to communicate in the case that you are audited.”

ID Experts' Arevalo agrees that software with a dashboard view is valuable. “Without one, providers are terrified they are going to miss something. They have spreadsheets and stacks of paper piling up on their desks,” she says, adding that a holistic approach should start with doing an inventory of where protected health information resides across all applications.

ID Experts works closely with hospital incident response teams and privacy offices, Arevalo says. Some have HIPAA compliance offices and even HITECH compliance offices, while others are still struggling with too few resources, and are far less prepared. “Our clients are a little terrified about random audits,” she admits. “People are wondering how OCR will split its resources between random audits and responses to data breaches. Where will the real focus be?”

EHR DISCLOSURE ACCOUNTING

OCR recently proposed a rule for the accounting of disclosures from electronic records. The proposal would establish guidelines for providing an “access report” to patients indicating who has accessed data in a designated record set. One problem hospitals face is that compiling that log data from multiple systems for reporting is a complex task. For instance, at 711-bed Maimonides Medical Center in the New York City borough of Brooklyn, 99 different applications hold patient records. “We needed to capture meaningful information about data in transit for two main types of reports,” says Gabriel Sandu, Maimonides' senior director of technical services. The first is to find out who accessed a certain patient's record over the three days they were in the hospital. The second is looking at the data a specific employee accessed over a certain period of time. “Imagine how hard it is to narrow it down by looking into all those logs, and literally millions of records,” Sandu says.
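The two reports Sandu describes are the same query run against two different keys, and the hard part is the step before the query: pulling records out of each application's own log format into one schema with a common time base and a common patient identifier. The following is an added illustration, not code from the article or from Maimonides. It assumes two hypothetical log formats (a pipe-delimited EHR audit log stamped in local New York time and keyed by MRN, and a JSON-lines lab-system log stamped in UTC epoch seconds and keyed by the lab's own patient key), an assumed cross-reference from lab patient key to MRN, and constructed sample lines for both.

```python
"""Added example: normalize access logs from two hypothetical applications
into one schema, then answer the two disclosure-accounting questions:
(1) who accessed a given patient's record during a stay, and
(2) what a given user accessed over a period."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

# Constructed sample data. Both formats are assumptions for this example.
# App "ehr": pipe-delimited, local-time timestamps, patients keyed by MRN.
EHR_LOG = """\
2011-06-01 08:15:02|jsmith|VIEW|MRN000123
2011-06-01 09:40:10|agarcia|VIEW|MRN000123
2011-06-03 22:05:44|jsmith|PRINT|MRN000987
2011-06-04 07:02:00|jsmith|VIEW|MRN000123
"""
# App "lab": JSON lines, UTC epoch seconds, patients keyed by a lab-local id.
LAB_LOG = """\
{"ts": 1306922400, "user": "JSMITH", "event": "result_view", "pid": "L-55"}
{"ts": 1307100000, "user": "bchen", "event": "result_view", "pid": "L-55"}
"""
# Assumed cross-reference from the lab system's patient key to the enterprise MRN.
LAB_PID_TO_MRN = {"L-55": "MRN000123"}
# Assumed local zone of the EHR log: New York in June is UTC-4 (EDT).
EHR_TZ = timezone(timedelta(hours=-4))


@dataclass(frozen=True)
class Access:
    when: datetime   # timezone-aware, always UTC after normalization
    user: str        # enterprise user id, lowercased so "JSMITH" == "jsmith"
    action: str
    mrn: str         # enterprise patient identifier
    source: str      # which application produced the record


def utc(*args):
    """Build a UTC-aware datetime, e.g. utc(2011, 6, 1)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_ehr(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = line.split("|")
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=EHR_TZ)
        out.append(Access(local.astimezone(timezone.utc), user.lower(), action, mrn, "ehr"))
    return out


def parse_lab(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # An unmapped patient key is kept visible rather than silently dropped,
        # since a missing row in an access report is itself a compliance gap.
        mrn = LAB_PID_TO_MRN.get(rec["pid"], "UNMAPPED:" + rec["pid"])
        when = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        out.append(Access(when, rec["user"].lower(), rec["event"], mrn, "lab"))
    return out


def load_all():
    """Merge every source into one time-ordered list of normalized accesses."""
    return sorted(parse_ehr(EHR_LOG) + parse_lab(LAB_LOG), key=lambda a: a.when)


def accesses_to_patient(records, mrn, start, end):
    """Report 1: every access to this patient's record in [start, end)."""
    return [a for a in records if a.mrn == mrn and start <= a.when < end]


def accesses_by_user(records, user, start, end):
    """Report 2: everything this user accessed in [start, end)."""
    user = user.lower()
    return [a for a in records if a.user == user and start <= a.when < end]


if __name__ == "__main__":
    recs = load_all()
    stay = (utc(2011, 6, 1), utc(2011, 6, 4))   # a constructed three-day stay
    for a in accesses_to_patient(recs, "MRN000123", *stay):
        print(a.when.isoformat(), a.source, a.user, a.action)
    for a in accesses_by_user(recs, "JSMITH", utc(2011, 6, 1), utc(2011, 6, 5)):
        print(a.when.isoformat(), a.source, a.mrn, a.action)
```

Two details matter more than the query itself. Every timestamp is converted to UTC before comparison, because the sample EHR entry at 22:05 local on June 3 is already June 4 in UTC and a window computed in mixed zones would place it on the wrong day. And the lab records only count toward the patient report because the lab's own patient key is mapped to the MRN; without that cross-reference the report would silently omit a whole application, which is exactly the failure mode that makes the multi-system case hard.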

Four Questions for Susan McAndrew, deputy director for health information privacy, HHS Office for Civil Rights

The HHS Office for Civil Rights has taken on a much higher profile in recent years. That's in part because in 2009 HHS transferred authority for the enforcement of HIPAA security provisions to OCR from the Centers for Medicare & Medicaid Services.

Susan McAndrew

As deputy director for health information privacy, Susan McAndrew has responsibility for implementing and enforcing the Privacy Rule. Healthcare Informatics asked her to describe some of the challenges her office is facing.

Healthcare Informatics: A final rule that will strengthen HIPAA privacy and security safeguards is due out before the end of the year. Is there any one aspect that has been the most difficult for OCR to develop? For instance, the rules around data breach notifications?

Susan McAndrew: The HITECH Act was specific in laying out what needed to be accomplished in the different components intended to strengthen the HIPAA Privacy and Security Rules. Careful attention has been paid to finding the right balance between strengthening the HIPAA Privacy and Security Rules and maintaining the workability of the requirements so that covered entities of all sizes can smoothly adapt to the changes.

It has always been understood that these changes would have a great impact on covered entities' behavior, which can be seen in what has already been happening with the breach notification rule. Breach incidents, particularly those breaches affecting 500 or more individuals, have received an immense amount of publicity, which should act as motivation for covered entities to take proactive measures to prevent similar breaches in the future. Furthermore, business associates will be accountable in the same ways covered entities have been accountable for their obligations under the HITECH Act. The growing adoption of electronic health records means there are an increased number of intermediaries involved in a person's protected health information, so it is important that all of these parties are held accountable in similar ways.
