According to a recent industry survey, fewer than half of large healthcare organizations reported that they conduct annual risk assessments, which are required under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and for both Stage 1 and 2 requirements for meaningful use. Jared Rhoads, senior research analyst of the Waltham, Mass.-based Global Institute for Emerging Healthcare Practices at the Falls Church, Va.-based CSC Corporation, and discusses the ten major privacy and security topics that are currently under agency or committee review in a new report, “Achieving Comprehensive Health IT Privacy and Security”.
Rhoads dives in-depth into three areas: accounting of disclosures; encryption; and two-factor authentication, all of which have received considerable new attention from the Department of Health and Human Services (HHS), the HIT Policy Committee, and other stakeholders. All of these privacy and security final rules are expected to be issued together by the end of 2011, with the exception of the final rule on accounting of disclosures, which is undergoing a separate rulemaking process. Recently, Rhoads shared with Associate Editor Jennifer Prestigiacomo some key recommendations for meaningful use risk assessments and tackling these privacy and security requirements.
1. The accounting of disclosures’ new two-rights model to allow patients a choice of an accounting of disclosures or a much easier to produce access report is a mixed bag, according to Rhoads. In making things easier for organizations, it has actually made it harder for IT departments. “When the government gives multiple options, when they give an ‘and/or option,’ it actually turns out to be an ‘and option’ for IT vendors and provider organizations because now they have to do both,” he says. Rhoads thinks that the rules for disclosure accounting are too burdensome, and since there were lots of public comments Rhoads suspects some elements of this rule might be rolled back later this year.
2. As it stands today, after an assessment, an entity may determine that encryption is not reasonable and appropriate in addressing a particular risk, but if it does, then it must document that and implement equivalent alternative safeguards. However, Rhoads says there isn’t a whole lot that would be justifiable to not require encryption, so organizations should start investing in this now. To begin prioritizing, assess your organization’s resources. Many organizations might not be able to encrypt every server, so start with the ones that have the highest traffic, or the ones that are furthest on the organization’s periphery, or the ones with the highest risk. “Most of the things like encryption are things that you ought to be doing because it’s the right thing, it’s good for your patients,” says Rhoads. “It may sound daunting but it’s within reach.”
3. Start planning your organization’s approach to two-factor authentication, Rhoads says. It most likely won’t be required in final Stage 2 measures, but will likely be a consideration a couple of years from now.
4. Organizations are responsible for the security of their business associates and even the subcontractors of those business associates. To ensure compliance beyond putting that specific language in your vendor contracts, set up a regular review of their practices and be an active participant in how they carry out their business, Rhoads says.
5. As the CSC report states, end users are still unfortunately the greatest source of security breakdowns. To help avoid this, make sure training materials are relevant to each user’s roles. Have different role-specific coaching for technicians, nurses, physicians, etc., which allows the user to hone their judgment based on specific use cases relevant to their job.
6. When performing a risk assessment, start with most valuable data and move forward. Later this year, the Office for Civil Rights will begin its much-anticipated HIPAA compliance audit program. Up to 20 test audits will soon be conducted, with a final audit program to be launched either late this year or in early 2012. “Stay ahead of the curve is a good way to deliver on what your patients expect and to give yourself a little breathing room so you’re not always on the edge of what’s compliant,” says Rhoads.
7. To maintain security on a day-to-day level, while keeping up with new requirements and threats, an organization should invest in human resources like a chief security and/or privacy officer. “You can’t just buy a technology vendor and expect to be secure,” says Rhoads. “It’s enterprise-wide where you need the processes in place and constant refreshing of the training materials and reminders to people.