Raise Your Health Care Organization’s Security and Privacy Awareness… It’s the Law

By Anna Gard, MSN, FNP-BC, ACU Health IT and Quality Consultant

Summary: Is your organization taking measures to protect patient privacy as you adopt digital and mobile health technologies? Safety-net health care organizations experience greater vulnerabilities and higher risks for privacy and security breaches than other health organizations, most often because the risks are under-appreciated. Learn the 5 steps to take to assure HIPPA/HITECH compliance and 4 helpful resources you should access today.

Anna Gard, RN, CFNP
Anna Gard, RN, CFNP

Six Hospital Employees Fired for Keeping up with Kardashian

At $1.2M, photocopy breach proves costly

Email chain mishap exposes data of 3,700 patients

These headlines capture our attention, but what about the instances in our own health care organizations of lost or stolen laptops, smartphones, and iPads with stored unencrypted patient information? The accidental (or not so accidental) text or email to a colleague or friend about the crazy patient case? Or the Facebook or Instagram photo of an identifiable patient tattoo posted without consent?

With increased adoption of electronic medical records, mobile devices, health information exchange and patient/family portals, the risk of data breach is amplified. Is your organization keeping up with the security and privacy of patient health information as you integrate technology into your practice?

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 not only requires the public reporting of security breaches but also increases penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) safeguards for patient information. The HIPAA Privacy Rule applies to all protected health information (PHI) while the HIPAA Security Rule applies only to PHI that is maintained or transmitted electronically.

Despite attempts to secure privacy of health data, the U.S. has experienced data security breaches of over 21 million medical records in the past three years according to the Office of Civil Rights “wall of shame”.  HHS’s Office of Civil Rights identifies physical theft of patient records as the greatest cause of HIPAA violations (55%), followed by disclosure of PHI without patient consent (20%) and data lost/not accounted for (12%).

Safety-net health care organizations experience greater vulnerabilities and higher risks for privacy and security breaches than other health organizations, most often because the risks are under-appreciated. HIPAA/HITECH compliance in these practice settings is challenging and often not prioritized due to high administrative and financial demands mixed with limited financial, information technology, and personnel resources. Safety net practices are less likely to have dedicated IT/security staff, which leaves the role of security compliance to already burdened staff that may not have the expertise to negotiate the complex issues surrounding security and privacy.

Regardless of the challenges and barriers, your healthcare organization is not exempt from the HIPAA/HITECH security and privacy rules and is required to exercise the minimum necessary standards of care to keep PHI private and secure.  The 2013 HIPAA Omnibus Act has tightened the protection of PHI, updated breach notification requirements and increased enforcement with fines. All covered entities and business associates must comply with the Omnibus Rule by September 23, 2013.

Vulnerable health care organizations risk both reputation and financial loss from security and privacy breaches. The foundation of the clinician-patient relationship is based on trust. If patients fear a breach in their health privacy, they may adopt privacy protective behaviors and fail to share vital health information, which may compromise the quality of their care and health outcomes. Patients may migrate toward other health centers, hospital EDs, or stop accessing care completely, resulting in acute chronic health issues leading to ED over-utilization and hospitalization with high risk of readmissions and expanding costs. This impacts patient safety, quality and costs.

The HIPAA Omnibus rule expands business associate liability to all organizations that share PHI.  Hospitals and larger health systems and specialty practices may be at increased risk for breaches, audits, and increased utilization costs related to their connection to vulnerable health care organizations.  Your risk may impede your organization’s ability to participate in an Accountable Care Organization (ACO).

What Safety Net Practices Can Do for HIPAA/HITECH Compliance

Leadership needs to create and prioritize a culture of security and privacy awareness within the organization. Accountability and responsibility for information protection must be among the organization’s core values, which foster a culture of compliance.

  • Understand How to Identify Risk: Understand HIPAA security requirements. Track the flow of PHI through your organization to identify what the human, natural, and environmental threats are to information systems that contain PHI.
  • Learn How to Conduct a Security Risk Analysis: Determine approach, personnel, and tools needed to perform risk analysis and required documentation.  This will also help meet the CMS EHR Meaningful Use Core Requirement #15
  • Develop a Risk Management Strategy: Develop and implement policies, procedures, standards, and continuous monitoring guidelines.
  • Staff Training: As human error is the biggest cause of security and privacy breaches, resources should be allocated to developing and implementing a robust  training program. The time and commitment to personnel training must be integral to the organization’s culture.
  • Educate your patients on their rights and responsibilities to safeguard their PHI with simple, nontechnical culturally sensitive language of preference.

 HIPAA/HITECH Security and Privacy Resources

Here are 4 resources to guide you in meeting HIPPA/HITECH Standards for Compliance: