The Office of the National Coordinator for Health Information Technology (ONC) has thrown down the gauntlet on HIPAA, challenging medical practices to select a privacy and security officer. The ONC recommendation comes as part of a report outlining a 10-step plan to protect patient data.
While the advice it offers might be helpful to a range of providers, the report is largely focused on medical practices which are adopting EHRs and don’t have trained IT staffers to manage privacy protection and security, said Daniel Berger, president and CEO of Redspin Inc. in an interview with InformationWeek. As practices shift from paper notes to digital records, there’s countless opportunities to slip up and have a data breach.
The problem may get worse as practices move up to Meaningful Use Stage 2, as this level of compliance will force practices to exchange data between providers. Securing their own health data is hard enough; HIEs poses greater risks yet.
To make sure their data stays secure, a privacy officer is important but not sufficient. Other suggestions include:
* Do a privacy/security risk analysis, and create an action plan to address problems found during the analysis
* Develop written policies and procedures for protecting electronic protected health information
* Educate and train employees thoroughly
* Make sure business associate agreements meet HIPAA standards and HITECH breach notification requirements
Though the ONC is trying to be helpful, I suspect that few medical practices are ready to follow these suggestions. While practices certainly understand that HIPAA is a serious proposition, I’ll submit that few are ready to do a risk analysis. (After all, many medical practices haven’t had their EMR that long and are pretty overwhelmed just making it work for them.)
On the other hand, if practices name a privacy and security officer, train them and get them going now on risk analysis, it could result in a process of learning where knowledge diffuses out into the practice. Yup, I think that step will go along way on its own.
Great post! As with most things, the technology is evolving much faster than their associated policies and procedures. Hiring a privacy and security officer makes sense, but I imagine that would be difficult, esp. for smaller practices, considering they may need to hire more IT/systems administrator support for a new EHR.