Securing Health Records (HIPAA and HITECH Compliance): A Discussion for Healthcare Executives

“Speaking frankly, I really don’t care all that much about records security – but I know that I have to do it.”  - Charge Nurse at an Ambulatory Surgery Center

And in a nutshell, that is the game.

While not a fun subject on which to spend time, paying diligent attention to medical records security and patient privacy has become a necessary part of the jobs of healthcare executives.  Whether a CEO, VP of Nursing or Chief Compliance Officer, the people who manage health operations need to be aware of multiple areas of concern.  With the nationwide push toward digital health records, an effort must be made to ensure that records are kept in the hands of those who are authorized to see and use them, and away from those who are not.  The price of a mistake is too steep.

The game is simple – in a sense.  It is a struggle along a continuum between zero access for anyone and full access to everything for everyone.  Of course, neither is going to happen.  The game is really a jigsaw puzzle with a number of moving parts.  It is not enough to have a Privacy Officer in HR and a Security Officer in IT – some areas of responsibility cross over and are really parts of a whole.  A breach is a breach, no matter how it occurs.  But how it occurs must be assessed and corrected in detail; because as we’ve all heard, that’s where the devil lies.

Case in point: When our team engages in a Privacy and/or Security project, we look not only at the nuts and bolts (the written Policies and Procedures, the EHR logon protocols, etc.), we also closely observe what we call the C & A – the Culture and Awareness – of the client’s workforce.  In a recent Security audit, we found a sharp, highly competent IT staff running a well-founded and maintained data center, good encryption technology, and a can-do attitude.  We also found a clinical and business staff that was trained to be super-friendly and helpful to visitors.  The result was that our team was able to walk into the facility and roam around far too freely.  We were able to view patient records and gain access to computer systems on which we had no user rights, and in multiple areas of the facility.  The C & A of the client’s IT staff was high – and so was the C & A of the rest of the staff, but in the wrong areas for preservation of patient privacy.

A recent survey by the Ponemon Institute indicated that over 2.3 million Americans are victims of medical identity theft.  Average cost estimates to resolve vary, but a recent estimate put the average cost to resolve a case of medical identity theft at exceeding $150,000.  It is clear that a records breach can be a serious blow financially.  And it can also require the expenditure of considerable resources -- and therefore money -- to recover from reputational damage.

A CEO cannot, and should not, spend his or her time thinking about the minutiae – but he or she should be involved enough to understand the broader elements of protecting the enterprise.   

Some things to think about:

   Security – the technical and physical measures taken to safeguard Protected Health Information (PHI).  If you have a Security Officer, he or she should know about audit logs, how to properly monitor and use the results, how to encrypt data at rest and data in transit, and how to ensure that the encryption keys are also separately secured.  The Security Officer should also know how to detect and report an unauthorized viewing or use of PHI, and how to detect and report a data breach.  Physical safeguards include making sure that unauthorized people do not get to see computers containing PHI, or walk into the facility’s data center without having business there.  The Security Officer should go to regular training, and pass that training up and down the chain of command.  He or she should also be aware of, and have written policies concerning, such things as access to, and disposal of, hardware – not only servers and computers, but also copiers, which now contain hard drives or may be connected to central servers and may contain surprising amounts of PHI – and of external media such as backup drives and USB devices.

   Offsite – Does your enterprise have specific policies and procedures for taking or sending records out of “the building”?  There have been numerous instances of staff removing electronic and/or paper records without authorization, and/or in contravention of written policy.  There have been others where this was done with proper authorization, but the records were lost or stolen, either from the vehicle carrying the records or from the repository where the records were stored.  You should completely evaluate all steps in this process, and should also audit the business associates involved on a regular basis.  Storage businesses should be thoroughly secured, and fully compliant with all relevant regulations.  And keep in mind that businesses may change ownership or management, which can affect quality of service.  It is best to have a means to verify that they keep their compliance status current.

   Privacy Practices – all of the IT security in the world will not prevent a violation of patient privacy standards if institutional C&A is not right and if staff members are not trained and monitored.  Staff members are complex human beings with the potential to fail badly if they are not told what is expected of them.  Their behaviors are among the most critical factors in privacy compliance.   Your Privacy Officer must not only be a policy writer; he or she must be a close observer and listener, and also a teacher and sometimes a policeman.  He or she, and their subordinates, and their auditing contractors should be your eyes and ears in the hallways, exam rooms, and cubicles of your facility.  Have thorough, regular reviews conducted on privacy practices across the board.  Ask the Privacy Team if visitors are vetted, logged and badged.  Are vendors required to check in at the Materials Management/Purchasing office?  Are they sanctioned for failing to comply?  Do staff members take off for a coffee break, leaving computers logged on, unattended (this is one of those areas of crossover mentioned above)? 

This is the sort of thing that can lead to:

   Breaches and Breach Protocols – A newer area of regulation under HITECH, breach notification rules have come to the fore.  Do you and your staff know what to do and what not to do in detecting and reporting records breaches?  Do you and they know, for example, what to do if a breach of 500 or more records occurs?  Is all of this information written down and trained to?  Does staff know where this information is kept and how to access it rapidly?  Do you know if there are differences between the Federal regulations and those within the State where you work, and if so, what they are? If the answer to any one of these questions is no, you have work to do.  Most importantly, if there is a breach, do not try to minimize by keeping things quiet – that will do more harm than good.  Notification trumps all.

   Education – Staff behaviors being so critical, education should be a centerpiece of your compliance effort.  Training should be master-planned well in advance, and it should be a continuing activity set.  It should be planned to cover not only policies and procedures and the items apparent in the regulations, but should also contain updates pertaining to current events – breaches, news, case law, and pending legislation.  All training should be documented, and any staff members missing out due to vacation or illness should be trained upon return.  Staff should be required to attest in writing that they have received training, and these records should be kept up to date and easily retrievable.  Training should impart the C&A factors critical to rapidly identifying and containing threats to the enterprise; staff should be taught to not make assumptions, to ask questions, and to be curious and aware.  Healthcare staff members are very often simply unaware of their responsibilities, being trained primarily for their jobs as clinicians and business people.  If you do not have a professional on staff capable of managing this piece, you should consider acquiring outside resources – a specialized healthcare law firm, consultants with proven track records (ask for references), and you might look into a specialized software package designed to keep education up to date. 

Regarding this last item, you should not try to find the least-expensive cookie-cutter product on the market; you will get what you pay for, so choose wisely.  Find a package that is regularly updated, and that comprehensively covers all of the various areas in this complex area of operations.

   Employee Sanctions – never a pleasant thing to think about, but necessary.  As you reward excellence, so should you – and must you – have teeth in your policy.  Employees must be trained and communicated with so they know what’s expected.  As part of that, they should know that by going “off the reservation” in contravention of policy, they risk penalties, up to and including termination and potential legal action.

   Business Associates (BA) – another HITECH “upgrade,” Business Associates are now held to account in much the same was as healthcare providers (Covered Entities, or CEs).  They must be highly secure, trained, and up to date on breach notification protocols.  If they hold PHI, and a breach occurs, they must notify immediately, just as providers must do.  And they may be subject to severe penalties for not following the regulations, just as providers are.  BAs are vendors, contractors, attorneys, any allied business entity that interacts with the healthcare enterprise, any of whom might come into contact with PHI and all of whom should have executed up to date Business Associate Agreements (BAA) with the enterprise.  In addition, there are sections in HIPAA requiring parties in a BA relationship to cross-notify if either becomes aware of non-compliance on the part of the other, for the notified party to cure the gap, and if not cured, for the notifying party to sever the relationship.  Ask your compliance experts about these relationships and how they have been managed since the implementation of HITECH.  Have all BAs been listed, examined, notified of new policies and requirements, and asked to sign updated BAAs?  Have each of them been queried as to their compliance activities and status?  Is each of them required to periodically sign documents attesting to their compliance?  Are these periodic checks documented?  If the answer to any of these questions is no, you have some work to do.

   Audits and assessments – depending upon the audience, these terms may have the same, or different, meanings.  For some “assessment” means a low-granularity look at things (from a walk-through to perhaps a survey tool designed to track activities and look for trends in any area of operations), while “audit” means a high-granularity deep-dive.  For some IT staff, the word “audit” means a software program running in the background, designed to record all user activity on a given system.  This last piece, while a critical part of IT security, is only a small piece of the overall need to audit the entire compliance effort.  Auditing should be a paramount function in the management of privacy and security.  It should run continuously via staff observations and reports, which lead to identification and correction of gaps – this is part of the regular QA process.  It should also consist of periodic sweeps through various elements of the enterprise, such as a weekly look at IT audit logs to determine if any anomalies have occurred.  And it should include full audits of all areas, minimally on an annual basis.  And as painful as it may be to consider, an outside expert entity should be involved in these annual audits.  Just as any responsible financial institution is regularly audited by an independent accounting firm, so should your enterprise conduct contract for independent audits.  It is indisputable that you don’t know what you don’t know – you need an unbiased opinion.  And in the event of any questions from regulatory bodies, a large amount of credibility stands to be gained by having conducted an outside audit.  The deliverables of any such audit will include a comprehensive Gap and Risk report with remediation recommendations, and perhaps suggestions on where to go for solutions (vendors, products etc.).  Your compliance staff should report on what steps are being taken to remediate, and of course everything needs to be documented.  If you are subsequently audited by a regulator, they will ask for all of this information, so having it ready to go will minimize cost and effort.

   Write it down, measure it, adjust and write in down again, measure again… - It is never, ever enough to assume anything - about anything - when it comes to HIPAA and HITECH compliance.  You should have written plans to cover all points that concern your enterprise, and you should have metrical systems to analyze and measure what your staff knows and doesn’t know, and what they are doing and not doing.  The plans and metrics, and their usage need continual, scheduled attention and implementation.  Any time a gap is detected it should be noted in writing, analyzed, with corrective action noted and implemented.  That action should be documented, and adherence to the new corrective measures should be monitored and documented as well.  It will never end – but if done properly, a regulatory audit will not harm you.

The information above is far from being a comprehensive list – it is intended rather to provoke attention and thought in what is becoming a critical success factor for executives and managers in healthcare.  Having to pay six-or seven-figure monetary penalties, or having the local TV news van in your parking lot because of a breach could severely damage the enterprise and its people, as well as your reputation and possibly your job.  Like the CEO at the beginning of this article, you may not like the subject matter, nor care about it, but you have little choice in the matter – the price of doing nothing is far too high.