BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
CHICAGO -- Health care providers need to improve their mobile device security and ride their EHR vendors for training and tech support when it comes to utilizing data security features. For many, those are weak spots in HIPAA compliance, said Joy Pritts, chief privacy officer for the Office of the National Coordinator of Health IT (ONC).
More mobile health and meaningful use news
Read the final meaningful use stage 2 criteria.
Expert Q&A: Integrating mobile health with meaningful use.
Some vendors don't make HIPAA compliance and security a top priority, said Pritts, speaking as keynote at the first day of the 2012 American Health Information Management Association Conference and Exhibit (AHIMA). Or if it is, documenting the features so that providers use them for HIPAA compliance isn't always that straightforward or detailed.
"Vendors vary greatly in the amount of training and documentation they provide for their various features," said Pritts, who encouraged providers to demand the training they need when vendors don't make it clear. She also specifically encouraged the health records managers in attendance at AHIMA 2012 to ask their IT departments and vendors about their EHR patient data audit trail features -- and who has access to them. "They should be providing support in these areas because every product's slightly different, in spite of attempts to harmonize some of the features."
Pritts spoke of making privacy and security "a priority, not a barrier" for health care. She offered tips for providers at AHIMA 2012 who currently are updating their HIPAA compliance programs as two broad trends -- the bring-your-own-device (BYOD) movement and meaningful use stage 2 compliance -- gather steam in health care environments.
Together the programs promote more health data sharing, but they can create potential security vulnerabilities in the course of upgrading ONC-certified software systems.
- Consider measuring and reviewing compliance with privacy policies, and making it a part of individual employees' performance evaluation, an idea some forward-thinking hospitals are currently testing.
- Hold interdepartmental competitions on who has the best aggregate score complying with the HIPAA policy.
- Get hospital leadership on board with HIPAA compliance and meaningful use mandates, and spreading the word. When the message comes down from the top that sharing protected health information (PHI) is good for patients, and good for business, it helps boost compliance.
- Solicit, and answer, employee questions regarding HIPAA and the facility's policy. Not only will this help clear up misconceptions that could potentially lead to data breaches, but you'll also learn about new issues (i.e., using iPads or smartphones for clinical work whether or not they're permitted). In your asking for questions, take pains to make it clear to employees that they won't be made to feel dumb for asking -- and that it will bring more scrutiny upon them.
- Educate patients on health data dos and don'ts (i.e. "here are the consequences for posting your health data on public websites") for their own protection.
- While many health care providers initially train employees well on privacy policies, the follow-up isn't always there. Build regular refreshers into your facility's training regimen, especially when implementing upgrades to software -- of which there will be many as meaningful use stage 2 certified versions work their way into hospital networks.
Pritts also warned AHIMA 2012 attendees about not paying enough attention to mobile device security. BYOD is happening, whether CIOs want it or not. She cited a recent study that indicated about three-quarters of health care providers are planning to use mobile devices, but about half didn't have any security plan in place.
"As our budgets are all tightening, this is a particularly important thing to keep in mind because my experience over the years has been that privacy and particularly security is often one of the first things to go," Pritts said. "But that's a very short-sighted approach, because in the long run, the cost of not having adequate security can be much higher."