Hayes Review: June 2010

Security and Privacy Compliance in 2010

As clinicians know, easy access to accurate and complete patient health information improves clinical care. As that information increasingly crosses facility boundaries, the need to secure it becomes more urgent. The American Recovery and Reinvestment Act of 2009 (ARRA) contains monetary incentives designed to increase the use of electronic medical records and the exchange of health information. However, to qualify for these incentives, healthcare organizations and their business associates must also comply with strengthened privacy and security rules for protected health information (PHI).

One such rule is the HIPAA Breach Notification Rule. Enforced by the Department of Health and Human Services (HHS), it requires HIPAA-covered entities and their business associates to provide notification of a breach of unsecured PHI. "Unsecured" has a specific meaning here: PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance. A lost laptop holding properly encrypted records, for example, does not trigger the notification requirement; the same laptop holding plaintext records does. There are also state-specific rules. In Massachusetts, for example, under 201 CMR 17.00 any entity that owns or licenses personal information about a Massachusetts resident is required, to the extent technically feasible, to encrypt that information when it is transmitted across public networks or wirelessly and when it is stored on laptops or other portable devices.

Vendors of personal health records and their third-party service providers that are not HIPAA-covered entities or business associates are subject to a parallel rule, the FTC Health Breach Notification Rule, which is enforced by the Federal Trade Commission (FTC) rather than HHS. The requirements under the FTC rule are similar to those under the HHS rule, but breaches are reported directly to the FTC.

The penalties associated with data breaches are manifold. Each data breach brings not only heavy fines, but also a public relations nightmare that damages the organization's reputation and potentially its revenue. The Massachusetts law provides for fines of up to $5,000 per violation, payment of litigation and investigation costs, and payments to victims of security breaches. Fines, notification costs and civil lawsuits together can cause heavy financial damage to an organization.

To comply with these new rules and to be sure that PHI is well protected, organizations need to develop and implement different and stricter security and privacy policies. Policies must dovetail with the new regulations. For example, the table below summarizes the notifications that must be sent out under the HIPAA Breach Notification Rule:

Individual Notice: each affected individual must be notified without unreasonable delay, and no later than 60 days after the breach is discovered.

Media Notice: required for breaches affecting more than 500 residents of a state or jurisdiction, within 60 days of discovery.

Notice to Secretary of HHS: breaches affecting 500 or more individuals must be reported within 60 days of discovery; breaches affecting fewer than 500 individuals are logged and reported on an ANNUAL basis, within 60 days after the end of the calendar year in which they were discovered.

Notification by a Business Associate: the business associate must notify the covered entity within 60 days of discovery and identify each individual affected by the breach, so that the covered entity can meet its own deadlines.

To comply, healthcare organizations need a process that sends these notices to the right contacts within the specified timelines. Because every clock starts at discovery, the process must also define what "discovery" means in your organization and who is responsible for starting the clock.

Large organizations are more vulnerable

A breach is any unauthorized acquisition, access, use or disclosure of unsecured PHI that compromises its security or privacy. The obvious cases are an external attacker or an unauthorized internal user accessing an EMR database, but a lost unencrypted laptop or backup tape, or a misdirected fax or email, qualifies just as well. Each occurrence is a security incident; those that meet the definition of a breach of unsecured PHI must be reported to the appropriate authorities and affected individuals. A recent HIMSS survey noted that 52% of large hospitals had experienced a data breach within the last 12 months, compared with 33% of medium and 25% of small hospitals. Larger organizations have more users, more systems and more data flows, and are therefore at greater risk of future security incidents.

(Chart: Unauthorized Use)

Perform a risk assessment

The first step in developing a strong security plan is to perform a security and privacy risk assessment. The HIPAA Security Rule already requires covered entities to conduct one, and the Meaningful Use incentive program requires a security risk analysis as well. Once security and privacy risks are identified, new policies and procedures must be enacted to reduce your organization's risk of a security incident. Those policies and procedures should combine clear communication, employee orientation and ongoing education.

To facilitate the communication process and enforce new policies and procedures, a security officer should be identified to coordinate your organization’s security plan.

Develop an incident response program

An important component of a security plan is an incident response program. Your security officer should work jointly with the risk management team to develop it. The program is built around root cause analysis: instead of simply reacting to the immediate data breach, it is designed to be investigatory and to find the root cause of the security incident. The affected area is contained to limit the impact, and the root cause is eradicated. Most importantly, the program includes the development of new or improved processes to prevent a similar occurrence in the future, and it feeds the breach notification process described above so that the 60-day clock is not missed while the investigation is under way.

The framework of the program is of utmost importance. The roles and responsibilities assigned within it should put the most suitable resources in charge of handling security incidents. This enables swift escalation when incidents occur, which is essential for a timely response. The individuals managing the program should use current threat intelligence and situational awareness of their own environment to maintain and update response protocols as needed.

A best-practice incident response program will include the components in the following diagram (Diagram: Best Practice):

The escalation and communications process enables quick contact with the appropriate leadership of your organization throughout an incident response. Meanwhile, staff handle the data breach directly: identifying the incident, containing it, and then performing a thorough root cause analysis so that the fix addresses the actual cause rather than the symptom. Once the incident is addressed, the recovery process restores normal operations. Follow-up helps prevent recurrence. Ongoing feedback activities continue whether or not a security incident is in progress. Monthly or quarterly meetings should be used to update staff on previous security incidents as well as new or updated processes.

Evaluate core security processes

In addition to developing and maintaining an incident response program, organizations should evaluate their other core security processes to mitigate the risk of a future incident. From monitoring and logging (which determine whether you can discover a breach and establish what was accessed), to forensics and investigations, to crisis management and business continuity, each process should be carefully evaluated to ensure that security threats are minimized.

Medical identity theft is on the rise, increasing the risk of data breaches for healthcare organizations. Both federal and state governments are enacting tougher security and privacy regulations to protect individuals. Healthcare organizations cannot afford to wait when it comes to security and privacy. If you have not enacted a strong security plan, you should start today. Beginning with a risk assessment and the development of an incident response program, your organization will be on its way to meeting patient privacy and security requirements in 2010 - and staying out of the headlines.

Robert Drewniak Robert Drewniak is a Principal Consultant at Hayes Management Consulting, with prior leadership and executive roles in business and clinical operations, technology, risk management and support.
Kevin Fletcher Kevin Fletcher is a certified EpicCare Ambulatory consultant at Hayes, with previous IT implementation and support experience in both hospital and ambulatory settings.


Request a copy of our webinar, HIPAA 2010 Compliance – Meeting the ARRA Challenge
