
5 things you can do now to increase patient data security

September 19, 2013
From the September 2013 issue of HealthCare Business News magazine

2) Create or strengthen your organization’s policies and procedures around data security.
Under current HIPAA regulations, your organization must have policies and procedures in place around electronic data security. In fact, if you were audited, the very first thing the auditor would ask for is your policies and procedures document. You may currently have these, but are they being followed? Are new employees trained in these policies? More importantly, is executive management trained in these policies? Make sure everyone understands their responsibility when it comes to data security, and the potential consequences of their neglect. The only thing worse than having no policy is having a policy you don’t follow.

When crafting or updating your security and privacy policies, keep in mind the difference between "required" and "addressable" implementation specifications in the HIPAA Security Rule. Required specifications must be implemented as written. Addressable specifications are not optional: you must assess whether the safeguard is reasonable and appropriate for your organization, and then either implement it, implement an equivalent alternative measure, or document why neither is warranted. Despite all the recent talk about encryption, it is not a silver bullet for preventing breaches. Encryption of ePHI is an addressable specification, so each hospital should assess its applicability, taking into account factors such as size, the likelihood of a breach and the cost of one, and document that decision. (Encryption does carry one concrete benefit: under HHS breach-notification guidance, ePHI encrypted consistent with NIST recommendations is not considered "unsecured," so the loss of a properly encrypted device does not by itself trigger notification.) You may have heard of different key lengths, such as 128-bit and 256-bit. A longer key makes brute-force attacks harder, but the algorithm, its mode of operation and, above all, how the keys are stored and managed matter at least as much as the key length. Some hospitals write 256-bit encryption into their privacy policies even though the Security Rule itself specifies no key length at all. Don't impose impossibly strict self-regulation when your policies are adequate at a lower level: if a breach occurs, investigators may hold your institution to your own written policies where they are stricter than the federal requirements.

3) Know what information is stored in your hospital, and be able to access it.
Back in the day, hospitals had a room (or rooms) full of patient charts. It was easy to identify where the records should be, where they could have moved to, how they were kept secure (usually by locking a door!) and who touched them. Now that most large health systems are moving to electronic medical records (EMRs), keeping patient records secure is a little trickier. A HIPAA auditor will want to see an inventory of every system and device that stores or transmits electronic protected health information (ePHI), including the EMR itself, together with a record of who has access to each. The Security Rule's device and media controls standard requires you to account for hardware and electronic media containing ePHI when they enter your facility, when they leave it, and as they move within it. You may keep this inventory in a database or in a spreadsheet; the format doesn't matter as long as the record is complete, kept current and auditable: who owns each asset, where it sits, what ePHI it holds, and who can access it.
