Tuesday, July 6, 2010

Use Walkthroughs to Curb Security Problems

Use inspections in order to keep your security compliance plan in shape

Does your security compliance program need a checkup? If so, now is the time to start observing your staff so you can catch compliance violations before they happen.


Read on to find out three steps that’ll help you get started:


1. Recruit anonymous reviewers. Much like the safety audits your office already carries out, a walkthrough can prevent violations before the Department of Health & Human Services gets involved. Whether inspections are announced or carried out without your staff’s knowledge, experts agree that they should be done at least annually for every department and more often for high-risk areas.


“If you have figured out a problem area, then you want to do it more often than once a year to get things ironed out,” says Patricia Johnston, a consultant for Texas Health Resources in Arlington, TX.


Although not mandated by the Privacy Rule, third-party or anonymous reviewers are often an effective, if costly, way of probing your facility’s HIPAA compliance program. “The big thing is ensuring that nobody knows what is going to happen, as you want to see what people are doing on a day-to-day basis, not what they are doing on their best behavior,” says Robert Markette, an attorney with Indianapolis’ Gilliland & Caudill.

2. Focus on your front lines. “Focus on areas with a considerable interaction with public or…patients,” advises Brian Gradle, an attorney with the D.C. office of Hogan & Hartson. Waiting rooms, elevators and even fax machines are all places where information can accidentally be overheard or seen by the public, he says.


Gradle adds, “Any time a privacy official is walking through, they should keep their eyes and ears open.” But experts agree that while privacy officials should carry out informal walkthroughs regularly, there must also be a method to document and track violations, and there must be follow-up. A walkthrough checklist is invaluable here; base it on your organization’s own privacy policies and procedures so that each item you check maps to a requirement you can cite.


3. Be tough and enforce sanctions. Take HIPAA violations seriously if and when they occur. This means you must define sanctions in advance and impose them in proportion to the gravity of the violation. Failing to apply penalties not only undermines your compliance program; the Privacy Rule also requires you to have a sanctions policy in place.


Following your sanctions policy consistently will pay off in the long run, explains Markette: it shows employees how seriously the organization takes privacy standards, and it prevents them from citing past inconsistent enforcement to excuse or escape their responsibility to protect protected health information (PHI).

Consumers urged to Contribute to ‘Meaningful use’ Definition

Do providers think consumers/patients will mess up the EHR adoption process?


As if the process were not complicated enough, the committee that advises the Office of the National Coordinator for Health Information Technology (ONC) is making an extra effort to involve patients, also known as ‘consumers’ of health care, and their families in developing the definition of ‘meaningful use’ in the regulations to be issued under HITECH.


Read on to discover why consumer groups think it is the doctors who are mucking up the process.


The Health Information Technology Policy Committee (HITPC) is holding a hearing on April 20, 2010 in Washington, DC to specifically address “the patient/family engagement domain in stages 2 and 3 of the development of the MU definition.” According to the HITPC MU Workgroup, it is one of a series of public hearings over the next few months that will inform its recommendations for the Stage 2 and Stage 3 MU definitions.


Recall that CMS and ONC are developing the rules that define meaningful use in stages. The first stage was announced in December of last year. In CMS’s proposed rule, several objectives were announced that the HITPC MU Workgroup has taken to mean “let the people speak!”:


  • Consumers’ timely copy of, and access to, electronic records
  • After-care summary for every outpatient encounter
  • Discharge summary for every hospital stay
  • Patient reminders for preventive & follow-up care


According to the Health Care Blog, the head of the MU program at ONC has been key in making the consumer such a big part of Stage 1 of the meaningful use criteria, and the blog reminds its readers that “you can be assured that there are lots of people wanting to put the brakes on any expansion of the consumer-facing meaningful use criteria.”


According to a new post on the e-patients blog, an online space developed by the Society for Participatory Medicine, its bloggers intend to attend the hearing and ask about the role of patient-generated data and how it can be integrated into EHRs and clinicians’ workflow to improve care management. They also want to know about the “role of the patient in ensuring data in EHRs is spot on.”


These look like good questions. So who wants to keep consumers/patients out of this process, and why?


Perhaps physicians, who fear that patients do not really understand the complications inherent in adopting an EHR.


Another group, one that represents consumers, labor unions and employers in the EHR policy debate, seems to point to providers as the killjoys here. The Consumer Partnership for eHealth (CPeH) is busy answering providers’ complaints about things like the rapid timeframe for EHR adoption, small practices’ lack of resources, and the unreimbursed time and expense of EHR adoption.


Interestingly, this group concludes its list with the argument that “the meaningful use incentive program is voluntary,” noting that the incentive payments are not an entitlement and that there is no obligation to participate. This is true only until 2015, when the incentive turns into a payment penalty for providers who are not compliant with the MU rule.

Thursday, March 4, 2010

Electronic Exchange of PHI might aid Quality of Care

Are government regs stopping us from becoming ‘meaningful users’?


Share information electronically, but make sure you protect it! According to the latest Government Accountability Office (GAO) study, providers are caught between two competing federal initiatives, and security concerns over protected health information (PHI) may actually be holding them back from achieving improved quality of care.


As called for by the HITECH Act, the GAO released a study on February 17, 2010 titled “Health Care Entities’ Reported Disclosure Practices and Effects on Quality of Care.”


The study’s objective was to describe how health care entities disclose PHI for treatment purposes and how sharing PHI affects quality of care. According to a GAO summary of the study, from May 2009 to the present the GAO examined more than 60 operational health information exchanges (HIEs) and a selection of each exchange’s participating providers.


The report addresses two main categories, disclosure practices and quality of care:


Disclosure Practices: The health information exchanges surveyed by the GAO reported that they follow a set of fair information practices, the principles underlying HIPAA’s privacy protections, designed to protect PHI:

1. Informing patients about how their information will be used and safeguarded
2. Obtaining individual consent
3. Facilitating patients’ access to, and ability to correct, their records
4. Limiting use and disclosure to specific purposes
5. Providing security safeguards
6. Ensuring the accuracy, timeliness and completeness of data
7. Establishing accountability for the protection of PHI


But while the 18 providers surveyed, from large hospitals to small family physician practices, said they inform their patients about how PHI will be used and protected, two-thirds of them do not tell patients that their PHI is being shared through the exchanges, and none of them has implemented electronic consent.


The GAO points out, though, that “One HIE had developed an electronic tool that its providers use to record patients’ consent preferences that are obtained by other means.”


Quality of Care: The report says, “The exchanges stated that they had not conducted formal studies of the effects of electronic sharing of PHI on the quality of care their providers deliver.” However, they offered a few specific instances. Providers who use the exchanges say they are saving time and have better access to more information, which they believe has had a positive effect on the quality of care.


The GAO says that, while anecdotal, the data on the effect of PHI sharing on quality of care indicates a positive impact. The exchanges cited more timely interventions and real-time reporting of data about disease outbreaks as examples.

Wednesday, February 17, 2010

EHR Implementation

Planning for a new electronic patient record begins with a discussion of the old paper records: which of their contents will be moved into the electronic record, and how. One of the obvious benefits of implementing an EHR is the elimination of paper-based patient charts.


The employees who entered the designated information into the electronic health record had received clinical training and had prior experience on Roswell’s front desk, so they were already familiar with its paper-based patient charts. Each day they entered the information for patients scheduled for checkups the following day, working from the Critical Data Checklist. Every person in the medical practice is affected by the EHR and must be trained to do their work differently.


These days, the most talked-about healthcare IT news is undoubtedly electronic health records (EHR) implementation. The federal government is pouring billions into EHR adoption, but most Americans believe EHRs are at risk whether they are in the hands of private industry or the government. In fact, 80 percent of Americans believe EHRs are not secure.


A Ponemon Institute survey found that 71 percent of respondents are comfortable with hospitals, clinics or physicians storing their health records. Similarly, 99 percent believe a patient’s doctor should have access to her digital health records stored in a national system.


But only 38 percent think a federal government agency should have access to those records, and only 11 percent think private businesses should.


It is probably a good thing that the US Department of Health and Human Services is not keen on centralizing health records in a single database. Instead, records would be spread across a network of databases at hospitals, insurance companies and web portals run by companies such as Google, Microsoft or General Electric.

Monday, February 1, 2010

HIPAA Compliance Regulations and Private Health Information

Simple tweet costs an administrative assistant


An administrative assistant has lost her job over a single tweet that set off a HIPAA compliance and public relations mess at Mississippi’s University Medical Center (UMC).


The chain of events began with a tweet posted by Mississippi Governor Haley Barbour on his Twitter page.


Barbour’s tweet read: “Glad the Legislature recognizes our grim fiscal situation. Look forward to hearing their ideas on how to cut down expenses.”


Offering a suggestion, Jennifer Carter, a UMC administrative assistant, tweeted, “Schedule regular medical exams like everyone else instead of paying UMC employees over time to do it when clinics are usually closed.” Carter knew that the governor had come into UMC for a physical one Saturday three years earlier, and that the small clinic had to be staffed with 15 to 20 workers just for his visit.


A couple of days later, Carter found herself in UMC’s compliance office for violating HIPAA’s privacy provisions. The governor’s office had tracked her down and asked the compliance department to deal with her. The lesson for staff is that the mere fact that an identifiable patient received care at a facility is protected health information, even when no diagnosis or treatment detail is mentioned.


As a result, she was suspended without pay for three days and encouraged to resign, which she did. She wasn’t really jabbing at the governor, but that is how it reads on Twitter. UMC had been investigating the matter, but it is now a closed chapter since Carter has resigned.


Handling PHI while working from remote locations:


Allowing employees to handle patients’ protected health information (PHI) while working from offsite locations is no easy matter.


You need to spell out your privacy expectations to your employees. Whether you prohibit them from handling PHI on personal laptops or allow remote work only in emergencies, you must communicate those expectations clearly.


For more insight, see the sample document contributed by Glenn Allen, information security director with Fairview Health Services in Minneapolis, Minn.


Working remotely exposes staff to an increased risk of privacy and security incidents and breaches. Take great care in protecting the privacy and security of both paper and electronic medical record systems in order to safeguard patient data, and hold remote workers to the same standard as those on site.