 
BluePrint Brief #1
Ten Steps for Hospitals and Healthcare Systems to Comply with HITECH

Achieving the Right Balance of Security, Privacy, Compliance and Risk Management
Security and privacy are fundamental to the success of the healthcare reform initiatives included in the American Recovery and Reinvestment Act (ARRA). The goal of improving the effectiveness and efficiency of patient care depends on digitizing patient records to offer providers new ways to care for their patients and to enable health information exchange across healthcare organizations. Providing consumers with a high level of trust, by protecting the privacy of their personal health information and limiting its use to appropriate and understood medical purposes, is a key foundation for achieving that goal.

The ARRA legislation contains a Security and Privacy component in the Health Information Technology for Economic and Clinical Health Act (HITECH), which modifies the Health Insurance Portability and Accountability Act (HIPAA) to provide additional protection for consumers and allow for tougher state and federal enforcement. Compliance with these new regulations requires a higher degree of collaboration among management as well as clinical and technical workforce members. To comply with the new regulations and position the organization to benefit from healthcare reform and the stimulus funding, here are ten areas on which to focus:


1. Organize assets according to sensitivity and importance – Proper management of a hospital's system and information assets is essential in order to provide adequate oversight and protection. Assets must be classified in terms of their sensitivity and importance to business operations. For example, high-priority assets may be classified as 'Confidential' and 'Mission Critical'. Once assets have been identified and classified, a risk analysis can be conducted to determine the level of security each one requires.


2. Mitigate security and compliance risk to an acceptable level – Managing the security and compliance risk to critical business assets which process and store protected health information (PHI) is vital for hospitals to ensure trust with their patients. Risk Analysis, a component of Risk Management, aims to determine the level of protection for these critical assets, prioritize the risk in terms of potential impact to business operations and probability of occurrence, and focus resources where they are most beneficial. A risk analysis is a key step in any organization's security management program and needs to be conducted at least annually. It is also a requirement for achieving compliance with HIPAA, HITECH, and the meaningful use criteria.
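As an added illustration of steps 1 and 2 (example code, not from the brief or from BluePrint), the following is a minimal risk register: each asset is classified by sensitivity and business importance, and each risk is scored as impact multiplied by likelihood so that resources can be focused where they matter most. The ordinal scales, the rule that an existing control halves likelihood, the rating thresholds, and the sample assets and threats are all assumptions constructed for the example.

```python
"""Added example: asset classification and impact x likelihood risk scoring.
All scales, thresholds and sample data below are constructed assumptions."""
from dataclasses import dataclass, field

# Assumed ordinal scales (1 = lowest). A real program takes these from its policy.
SENSITIVITY = {"Public": 1, "Internal": 2, "Confidential": 3}
IMPORTANCE = {"Supporting": 1, "Important": 2, "Mission Critical": 3}
LIKELIHOOD = {"Rare": 1, "Possible": 2, "Likely": 3}


@dataclass
class Asset:
    name: str
    holds_phi: bool       # whether the asset processes or stores PHI
    sensitivity: str      # key into SENSITIVITY
    importance: str       # key into IMPORTANCE


@dataclass
class Risk:
    asset: Asset
    threat: str
    likelihood: str       # key into LIKELIHOOD
    control_in_place: bool
    score: int = field(init=False)

    def __post_init__(self):
        self.score = risk_score(self.asset, self.likelihood, self.control_in_place)


def impact(asset):
    """Impact of a compromise is driven by the higher of sensitivity and importance."""
    return max(SENSITIVITY[asset.sensitivity], IMPORTANCE[asset.importance])


def risk_score(asset, likelihood, control_in_place):
    """Impact x likelihood on a 1..9 scale; an existing control halves likelihood
    (assumed rule), rounding up so a control never reduces likelihood to zero."""
    like = LIKELIHOOD[likelihood]
    if control_in_place:
        like = (like + 1) // 2
    return impact(asset) * like


def rating(score):
    """Assumed thresholds mapping a score to a rating."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritize(risks):
    """Highest score first; ties broken by asset name and threat for stable output."""
    return sorted(risks, key=lambda r: (-r.score, r.asset.name, r.threat))


def register_report(risks):
    """Rows of (asset, threat, score, rating) in priority order."""
    return [(r.asset.name, r.threat, r.score, rating(r.score)) for r in prioritize(risks)]


# Constructed sample assets and risks (not real hospital data).
EMR = Asset("EMR database", True, "Confidential", "Mission Critical")
LAPTOPS = Asset("Clinician laptops", True, "Confidential", "Important")
MENU = Asset("Cafeteria menu site", False, "Public", "Supporting")

SAMPLE_RISKS = [
    Risk(MENU, "Web defacement", "Likely", True),
    Risk(EMR, "Unauthorized PHI access by insider", "Possible", False),
    Risk(LAPTOPS, "Loss or theft of unencrypted laptop", "Likely", False),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS):
        print("%-22s %-38s score=%d %s" % row)
```

Running the block prints the register with the unencrypted-laptop risk ranked above the EMR insider risk, which is the kind of ordering that tells a hospital where to spend first; the annual re-run the brief calls for is just re-scoring the same register with updated likelihoods and controls.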


3. Update policies and procedures to reflect changes in law – Policies and procedures are essential to establish the culture of the organization and to provide the means necessary to implement its values. The importance of these messages and processes must be communicated to, and followed by, all personnel throughout the organization. These documents will serve as a reference point for workforce members and a starting point for audit purposes.


4. Ensure proper legal agreements are in place – Legal agreements are critical to establish the rules of the business relationship and provide protection from liability in the event of an issue. Since most issues have gray areas, these agreements speed up the resolution process and allow an organization to resume regular business operations faster. Examples of legal agreements include Business Associate Agreements (BAA), Non-Disclosure Agreements (NDA), and Data Use Agreements. These agreements should be updated to include the new provisions from HITECH such as breach notification and accounting for disclosures.


5. Access to PHI must be tightly controlled – Security access controls are essential to ensure that only necessary individuals can access PHI and other sensitive information. HIPAA and HITECH specify a 'Minimum Necessary' principle which stipulates that workforce members should only be given access to the information that is necessary for them to perform their job function. Access controls become especially vital as hospitals move toward electronic medical records (EMR) and health information exchange (HIE) since providing patients with a high level of trust is key to the success of healthcare reform.
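The following is an added example (not code from the brief or from BluePrint) of how a 'Minimum Necessary' rule can be enforced in software: PHI is split into categories, each role is granted only the categories its job needs, clinical categories additionally require a treatment relationship with the patient, and every attempt, granted or denied, is written to an audit trail. The roles, the data categories, the policy table and the treatment-relationship rule are assumptions constructed for illustration; a real matrix comes from the hospital's privacy office.

```python
"""Added example: a 'minimum necessary' access check with an audit record.
The role/category policy below is a constructed assumption, not a real policy."""
from datetime import datetime, timezone

# Assumed policy: each role gets only the PHI categories its job function needs.
POLICY = {
    "attending_physician": {"demographics", "clinical_notes", "lab_results", "medications"},
    "nurse":               {"demographics", "medications", "lab_results"},
    "billing_clerk":       {"demographics", "billing"},
    "scheduler":           {"demographics"},
}

# Clinical categories also require that the user is treating the patient (assumed rule).
CLINICAL = {"clinical_notes", "lab_results", "medications"}


def decide(role, category, treating_patient):
    """Return (granted, reason). Unknown roles get nothing (deny by default)."""
    allowed = POLICY.get(role, set())
    if category not in allowed:
        return False, "category not in role's minimum-necessary set"
    if category in CLINICAL and not treating_patient:
        return False, "no treatment relationship with patient"
    return True, "ok"


def access_phi(user, role, patient_id, category, treating_patient, audit_log):
    """Enforce the decision and append one audit record per attempt.
    Returns (granted, payload); payload is a placeholder string standing in
    for the record, since this example has no real data store."""
    granted, reason = decide(role, category, treating_patient)
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient": patient_id,
        "category": category,
        "granted": granted,
        "reason": reason,
    })
    if not granted:
        return False, None
    return True, f"<{category} for patient {patient_id}>"


def denied_attempts(audit_log):
    """Denied records are what a privacy officer reviews first."""
    return [e for e in audit_log if not e["granted"]]


if __name__ == "__main__":
    log = []
    # Constructed sample attempts (not real users or patients).
    print(access_phi("nwhite", "nurse", "P1001", "lab_results", True, log))
    print(access_phi("nwhite", "nurse", "P1001", "billing", True, log))
    print(access_phi("sjones", "scheduler", "P1001", "clinical_notes", False, log))
    print(access_phi("dlee", "attending_physician", "P1001", "clinical_notes", False, log))
    for e in denied_attempts(log):
        print("DENIED", e["user"], e["category"], "-", e["reason"])
```

Two design choices matter here: access is denied by default for any role or category not in the table, so adding a new system never silently widens access, and denied attempts are logged with a reason, which is what makes the audit trail useful for the investigations described under step 8.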


6. Encryption should be used to minimize the risk of security breaches – Encryption is the recommended method for protecting confidential information at rest or in transit, as stated in the HHS Breach Notification Guidance document. It is critical that devices which can easily move data outside of the hospital, such as laptops, USB keys and removable media, are encrypted so that the information cannot be accessed by unauthorized individuals. In addition, external connections which provide access to hospital information for business associates or remote workforce members also need to be encrypted in order to ensure that the information cannot be read. For these high-risk areas, passwords alone do not provide adequate protection.


7. Focus on proactive security by monitoring and tracking system activity – Hospitals must be able to detect whether a security incident has occurred and must be able to provide the audit trail evidence to facilitate an investigation. There are many different systems scattered across numerous departments in any hospital, and these systems are managed by workforce members, business associates, consultants and others. It can be overwhelming to manage intrusion detection system (IDS) and system logs and to sift through this abundance of data in order to extract the critical information inside. An automated method for providing intelligent visibility into an organization will allow hospitals to receive real-time alerts on potential security issues and improve response capability. In addition, monitoring and tracking is important for state and federal breach notification laws and the new requirements for accounting for disclosures.
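As an added example of the automated monitoring this step describes (example code, not from the brief or from BluePrint), the block below parses EMR audit log lines, raises an alert when one user views an unusually large number of distinct patient records within a short window (a common sign of record snooping), and answers the accounting-for-disclosures question "who accessed this patient's record?" from the same log. The log line format, the threshold of five patients in ten minutes, and the sample entries are all constructed for the example; a real deployment would feed the same two functions from the hospital's actual audit export.

```python
"""Added example: snooping detection and accounting-of-disclosures lookup over
constructed EMR audit log lines. Format, threshold and data are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)"
)

# Constructed sample log: one nurse views six different patients in three minutes.
SAMPLE_LOG = """
2024-03-01T08:00:05Z user=dlee role=attending_physician action=view patient=P1001 unit=MED
2024-03-01T08:01:10Z user=nwhite role=nurse action=view patient=P2001 unit=ICU
2024-03-01T08:01:40Z user=nwhite role=nurse action=view patient=P2002 unit=ICU
2024-03-01T08:02:15Z user=nwhite role=nurse action=view patient=P2003 unit=ICU
2024-03-01T08:02:50Z user=nwhite role=nurse action=view patient=P2004 unit=ICU
2024-03-01T08:03:30Z user=nwhite role=nurse action=view patient=P2005 unit=ICU
2024-03-01T08:04:05Z user=nwhite role=nurse action=view patient=P2006 unit=ICU
2024-03-01T08:05:00Z user=dlee role=attending_physician action=update patient=P1001 unit=MED
garbled line that does not parse
2024-03-01T09:30:00Z user=bclerk role=billing_clerk action=view patient=P1001 unit=BILLING
""".strip().splitlines()


def parse(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped, not fatal."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def flag_excessive_access(lines, max_patients=5, window=timedelta(minutes=10)):
    """Alert (user, window_start, distinct_patients) when a user views more than
    max_patients distinct patients inside any sliding window. One alert per user."""
    by_user = defaultdict(list)
    for line in lines:
        e = parse(line)
        if e and e["action"] == "view":
            by_user[e["user"]].append((e["ts"], e["patient"]))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) > max_patients:
                alerts.append((user, events[start][0], len(distinct)))
                break
    return alerts


def accounting_for(lines, patient_id):
    """Every (timestamp, user, action) touching one patient: the raw material
    for an accounting of disclosures request."""
    out = []
    for line in lines:
        e = parse(line)
        if e and e["patient"] == patient_id:
            out.append((e["ts"].isoformat(), e["user"], e["action"]))
    return out


if __name__ == "__main__":
    for user, when, n in flag_excessive_access(SAMPLE_LOG):
        print(f"ALERT {user}: {n} distinct patients viewed from {when.isoformat()}")
    for row in accounting_for(SAMPLE_LOG, "P1001"):
        print("P1001 accessed:", *row)
```

The threshold is deliberately a parameter: an emergency department nurse legitimately touches many charts per hour, so the value has to be tuned per unit or role rather than set once for the whole hospital, and the alert carries the window start so an investigator can pull the surrounding entries for the chain-of-custody work described under step 8.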


8. Develop procedures to properly respond to a security incident – Following the detection of a security incident, it is imperative to be able to quickly assess the impact on hospital operations and ensure that the damage is contained. Communication is a key factor, as representatives from Information Technology (IT), Security, Privacy, Compliance, Risk Management, and Legal, as well as members of clinical management, must be involved to ensure that the proper procedures are followed. It is important that response procedures and the chain of custody are well documented so that any potential evidence will be admissible in a court of law. A workflow which details the response steps and escalation procedures will serve as a great tool for guiding the hospital in the right direction following an incident.


9. Determine the level of risk that business associates present – Hospitals utilize the services and solutions of numerous business associates in order to provide the highest quality patient care. These business partners access, store, process, transfer and dispose of confidential patient information every day. The number of external entities with access to hospital PHI will only increase with healthcare reform initiatives. Hospitals have a duty to conduct a risk analysis to determine any vulnerabilities to the confidentiality, integrity or availability of PHI, and this needs to include internal as well as external risks. Business associate assessments can be relatively simple, such as a security questionnaire, or more comprehensive, such as an on-site assessment.


10. Develop procedures to continue operations in the event of downtime – Hospital operations and patient care must go on even in a disaster scenario. Therefore, hospitals must conduct a thorough business impact assessment (BIA) to determine which systems and processes are critical to business operations. Collaboration between the many users of these systems and processes is important to accurately assign recovery point objective (RPO) and recovery time objective (RTO) values. Business continuity plans and downtime procedures need to be tested regularly to ensure that they will meet the constantly changing requirements of the organization.

-- By Gregory Michaels, Director of Compliance and Security Solutions