6 Ways Health Organizations Can Improve Data Privacy and Security

In the past, organizations protected assets by maintaining a centralized architecture. However, as data warehouses and repositories grow, there is increasing pressure to transition to shared architectures and cloud-based models for performance, integration and analytical purposes.

The stakes are higher

Patient trust is the linchpin of the next generation of care delivery. Little progress can be made with electronic health records (EHRs), health information exchanges (HIEs), electronic prescribing (eRx) or advanced analytics if patients do not feel comfortable that their personal information is being protected.

Without systemwide trust and consent, the next generation of care — which relies so heavily on patient engagement, shared accountability and data exchange — will suffer from lack of patient and provider participation and will ultimately fail.

Protecting data is not just the right thing to do; increasingly, it is also a legal and regulatory requirement. Although the U.S. Department of Health and Human Services (HHS) has not followed through with the existing HIPAA requirement to perform regular audits of covered entities, enforcement is rising.

Next-gen enforcement

In 2014, patients harmed by a data breach will be able to collect a portion of the penalty award as damages. The HITECH Act also requires HHS to establish a periodic auditing system to ensure that covered entities and businesses comply with HIPAA rules.

As the industry awaits the release of the Office of Management and Budget’s final rule, “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules,” here are six items health delivery organization should consider:

1. Establish a chief privacy officer (CPO). The CPO would be responsible for monitoring information systems, establishing and revising policies and procedures, providing training, and advising on privacy matters with business associates.

2. Conduct a security risk assessment. Look at every system and process, and document every decision you make. Under the new HIPAA audit program, organizations are required to produce documents within 15 days of OCR’s initial request.

3. Make risk identification and mitigation common. Software patches and updates should be applied on a regular basis. Update and refine physical, technical and administrative safeguards and plan for the future.

4. Communicate with employees. Customized, role-based training is more effective than requiring employees to sit through generic presentations. Make sure employees realize that privacy and security is everyone’s responsibility.

5. Communicate with patients. Under HIPAA, covered entities are required to obtain authorization from individuals before using their protected health information (PHI). Give patients confidence by communicating openly with them about how their information will be used.

6. Scope-in mobile devices and social media. Do not assume employees know how to apply privacy and security rules to new devices and media. Follow advice from the Office of the National Coordinator for Health Information Technology and OCR for best practices.

Jared Rhoads is a senior research specialist with CSC’s Global Institute for Emerging Healthcare Practices.