The transformation of HIPAA from a toothless herbivore into a fierce meat-eater began with a few high-profile prosecutions that concluded in significant fines. Since that time, the government has been working to add ever more claws to this growing beast. The most recent of those has been an accounting of disclosures NPRM, which seeks to define exactly what type of information a patient is entitled to regarding access to their EHR after their hospital stay. The NPRM created a firestorm of response, largely critical, due to the onus it would place on IT and compliance departments. But more than this one rule, healthcare organizations can see the writing on the wall, with CIOs understanding that security needs to be shored up, quickly and efficiently. To gauge what others are doing with respect to staff education on the dos and don’ts of security, Albany Medical Center EVP/CIO Buddy Hickman issued a survey to his fellow CHIMErs. To learn more about his motivation for issuing the survey, the results, and how he plans to turn lessons-learned into policies, healthsystemCIO.com caught up with the New York-based CIO.
Chapter 1
- Origins and goals of the survey
- Breaking down breach scenarios
- CHIME’s position on the accounting of disclosures NPRM
Bold Statements
I think the position that we’re now starting to move toward is how do we set up our own proactive compliance algorithms so we know our behaviors are where they need to be and that folks aren’t going where they shouldn’t go.
And what about the data itself that has to be included in the report? Well, we would like to see it be the data that’s available from the electronic health records and from its logging capability. We don’t want to have to implement a third party tool on top of that, with additional cost and additional effort to have that tool do all those captures, if the EHR can’t do it itself.
If someone leaves paper records behind, that’s a privacy issue; if someone leaves a hard drive behind which is not appropriately encrypted, that’s an IT security issue because there are measures that we can take on the technical security side to assure these assets.
Guerra: Good morning Buddy. Thanks for joining me to talk about your CHIME survey on HIPAA and IT security, and a whole bunch of other things.
Hickman: Good morning Anthony, it’s always a pleasure. Thanks for having me.
Guerra: You got it. Let’s start off by talking about the origins of the survey, the challenges you were facing, and the things you were looking at.
Hickman: Okay, well I’ll say that often when I’m wondering what to do, I’ll post a CHIME member to member survey to see what our colleagues are doing. In this case, we’ve had a bit of conversation inside of Albany Med about what to do with IT security educational awareness. We clearly understand that the HIPAA HITECH security regs have lifted the bar. We want to ensure that our workforce understands what’s happening with that, not only because of HITECH but frankly because it’s just the right thing to do.
And as we contemplated how we might rethink some of our own approaches to education as an IT security oversight committee in this case — which is quite an interesting group as well — we decided to reach out to see what some colleagues and other organizations are doing.
So I just mentioned the IT security oversight committee which is co-chaired by our compliance officer and myself. It’s populated with constituents that include the chief operating officers of our business units, meaning the hospitals, the college and so on. We have the senior human resources executive, one of our legal counsel, the IT security officer, the risk management director and some other members at large that have some stake in what we do, such as electronic health record systems. And we also have a physician at large on the committee.
So you can see this group is broad reaching in the sense of how it’s looking at the workforce, especially how we ensure that the workforce is educated and aware of what’s happening with security.
Guerra: What kind of security breaches are you on watch for?
Hickman: The range is broad. Certainly, we have no shortage of events that we can read about in the media that describe intentional and unintentional breaches that occur in various health provider organizations across the U.S. In fact, we track those. In one of the most poignant meetings of the oversight group we had recently, we discussed an event that occurred in the Boston area this year whereby, as I recall, an individual left behind protected health information media on a subway and a number of records were breached in that act. And the result to the organization was a substantial fine. It could have been an even greater fine but they negotiated it down — it was still a seven-digit number.
We also understand that under the new HIPAA security regs, organizations have a more limited time to do notification reporting, so if you don’t act quickly, the fine moves up once you cross a certain number of days. I think it’s a 60-day threshold. And that’s what happened in the case of that organization, so they went to a higher fine level just because of the time lapse that occurred. So, one of the awareness issues here is if you have an employee, workforce member or physician who has a breach or has created a breach — again, even unintentionally — they need to notify us of that breach so we can act quickly and move to the notification process. Speed has a direct consequence on the penalty. So, that kind of thing gets our attention for sure.
You mentioned thumb drives. We’re doing thumb drive encryption. We do all sorts of things to harden our end-user devices so we don’t have PHI breaches if a laptop or a wireless device on wheels disappears, and so on. So you know, I think we’re doing the right things. In this case, the survey was really directed at something very tactical, which is workforce education.
Guerra: I’m thinking of two kinds of breaches – the first might happen in areas like Los Angeles where you have a lot of celebrities … so you get employees doing some snooping — but I don’t know how many celebrities you have at Albany (laughing) no offense …
Hickman: (Laughs) I know where you are down by New York City you get a bit more exposure to that than we do.
Guerra: But there’s also the issue of employees looking up a patient’s record and accessing the wrong one, purely by accident — perhaps the name was identical or something like that. Can you take me through those scenarios?
Hickman: All right, so let me take on the idea of folks looking inside of a record. So, to address that item, there has been some rule making that’s proposed around HIPAA privacy called the HIPAA privacy rule accounting for disclosures, for those who have access to the electronic record and the associated access reports. CHIME recently — and by recently I mean inside the last month — published a position paper in which we reviewed those regulations and took a position we think is reasonable. This is a situation where, whether there’s cause or the patient just wants to know who has seen their record, they walk in and say “I’d like to see a log of who has accessed my electronic health record while I was there.”
You know, one view is that certainly the patient is entitled to that. The other view asks once you produce that log what happens to it and how labor intensive is it to create such a log?
As a general rule, if you had a patient stay of five to six days, it is not uncommon for the patient to have something in the neighborhood of 150 individuals — healthcare workers, non-salary workers, etc. — access their electronic health record at some point in time.
So, you can imagine then if you were asked to produce a report of that and show why each one gained access, it would take some time to assure they were all correctly engaged in care. Because of all the people involved, it becomes a very deliberate, intensive exercise to see that all the way through. Imagine the overhead costs of coming back then and investigating to assure every single one of those happened where they’re supposed to.
I think the position that we’re now starting to move toward is how do we set up our own proactive compliance algorithms so we know our behaviors are where they need to be and that folks aren’t going where they shouldn’t go.
Now, while I offer that, I’ll mention a couple more things about this accounting of disclosures rule, because there are also some questions around how long a patient should be able to request such a report after their stay. And I think our position is three years is probably fair from a statutory timing standpoint.
And what about the data itself that has to be included in the report? Well, we would like to see it be the data that’s available from the electronic health records and from its logging capability. We don’t want to have to implement a third party tool on top of that, with additional cost and additional effort to have that tool do all those captures, if the EHR can’t do it itself. In other words, let’s see what the EHR can render us. And if you want to see the EHR doing more of this work, Meaningful Use should include that in certification, so we don’t have to go out and buy additional tools. We know this is where the industry is going, so we have tried to be very reasonable with our approach.
Now, on the other part of your question, I think we, as an industry, by anecdote, understand that the most common breaches aren’t hackers getting into systems to pore through an individual’s electronic health record. In fact, I don’t think the most common incident is the fact a celebrity showed up in a hospital and five employees decide to peek at a record, then sell information to one of the tabloids. What we believe the most common things that happen are usually instances where there’s just an inappropriate curiosity by an individual who has access, for example, with a lover’s triangle — where someone wants to go in and see what’s going on with the care of an individual. Well, the professional standard for behavior in our healthcare industry is to have no tolerance for that, and I certainly can say at Albany Med, that’s been the behavior of management. There is no tolerance for an employee taking a peek when they’re not supposed to. And I’m hoping that that’s the way most healthcare organizations feel. And those incidents certainly expose much less data than major breaches such as when a lot of data is lost and shared. Again, on the matter of the (lost data on a) subway ride, if someone leaves paper records behind, that’s a privacy issue; if someone leaves a hard drive behind which is not appropriately encrypted, that’s an IT security issue because there are measures that we can take on the technical security side to assure these assets.