Tip

Policy, technology foster HIPAA compliance and data breach prevention

After compiling and publishing data for the Ponemon Institute LLC's Third Annual Benchmark Study on Patient Privacy & Data Security, the researchers realized in addition to the growing awareness of data breaches, health care organizations could use help building best practices for preventing breaches and securing information.

Toward that end, based on the responses of the more than 400 respondents spanning 80 different health care organizations detailing how they approach privacy and security in health IT -- or, in some cases, don't approach it -- Larry Ponemon, Ponemon Institute founder, and study sponsor Rick Kam, president and cofounder of health IT security consultancy ID Experts, developed advice for building compliance with the Health Information Portability and Accountability Act (HIPAA) in general and addressing patient data breach prevention specifically.

  1. Increase compliance and IT security budgets, and change your organization's outlook today. Three out of five health care organizations don't have the budget to operationalize data breach prevention. Breaches are perceived as occasional disasters instead of daily incidents that can be stopped through prevention-minded vigilance implemented through policy, training and technology to support them. Increasing the emphasis can effect change from the top leadership levels.
  2. Understand and take strides to correct medical identity theft. The study defined it

    Requires Free Membership to View

  1. as "the theft of a patient’s health credential to obtain medical treatment, services and products (devices)." It happened 1.85 million times in the U.S. in 2012, according to Kam. Unlike financial data theft, medical identity theft can affect a person's health and safety when incorrect data is intermingled with actual clinical data -- and by definition, every medical identity theft begins with a data breach. Offer some sort of monitoring and protection for patients who fall victim to it. Of the organizations surveyed, 75% do not offer protection, although most were aware medical identity theft happens.
  2. Emphasize pre-breach prevention as well as post-breach response. Such a mindset among employees will be reinforced by developing metrics to measure how well patient information is being protected, and reporting to the board of directors on progress toward improving it, with one board member accountable for privacy and security. Doing so will make privacy and security compliance top-of-mind for employees instead of buried somewhere in a host of other compliance or IT initiatives.
  3. Make privacy assessments and data security risk assessments separate annual events. In the HITECH Act era, during which health care organizations are bringing new applications online and using new business associates for IT support (such as cloud vendors), it's not only a good idea, it's the law.
  4. Update policies and procedures to include mobile devices, health information exchange and cloud usage. Ponemon's study revealed that in the absence of strong policy, employees will use potentially unsecured, free Web services to share patient data and make it accessible on their mobile devices. They're convenient, yes, but unlikely to be HIPAA-compliant.
  5. Keep incident response plans up-to-date. That means testing them, too, on a regular basis.
  6. Conduct a mock HIPAA compliance audit. That way you'll be ready if your organization is audited in the federal program piloted in 2012 and set to go live in 2013. Not only will it serve as a dress rehearsal for when the auditors show up unannounced, Kam said, but "more importantly, it will force a lot of the right questions to be asked of the management team so they can focus their efforts on where to spend [their energies] on risk mitigation strategies." A former auditor himself Ponemon concurred, adding audit programs in general force a higher level of accountability that might not already be present in organizations, because it creates real consequences for policy noncompliance.

Read the full report here.

Let us know what you think about the story; email Don Fluckinger, Features Writer or contact @DonFluckinger on Twitter.

This was first published in December 2012

Join the conversation Comment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.