5 Steps to Achieving HIPAA Compliance
The following discussion is intended to spur you in the right direction toward privacy and security policies that will help your organization achieve HIPAA compliance. Many see dollar signs when they think about HIPAA compliance and believe a hefty investment is required. The choice is obvious: Make an upfront investment of time and resources to become compliant, or eventually pay the costs to recover from a violation of the standards. You'll find in this discussion that most steps are not expensive, but do require an investment of time and human capital.
1. Complete a risk assessment. As you work toward greater patient data security and HIPAA compliance, knowing where to start can be overwhelming. To simplify this task, let's answer this question: If being investigated by HIPAA enforcement officials, what is the first question they would ask? "Did you complete a risk assessment?" As a HIPAA Security Rule requirement, a risk assessment equips your facility with an accurate blueprint of where you stand with regard to HIPAA compliance so you can make wise decisions about next steps and the risk level that's acceptable to you. A risk assessment also reveals steps you can take toward compliance — these may be as simple as tweaking your password policy, turning a computer monitor away from public view or even locking a door.
Many healthcare facilities mistakenly think they've done a risk assessment, when in fact they haven't. A proper assessment must include all devices that generate, store, maintain or transmit ePHI. Often overlooked are devices not on the facility's network. For example, respiratory therapy devices generate patient data and put out reports, even though they are often not connected to the network. Same goes for portable X-ray and ultrasound machines — they're plugged in during patient testing, and then taken to another room. Just because a device isn't network connected, it is not exempt from HIPAA privacy and security rules or the threat of a breach.
To illustrate this point, one healthcare facility recently handed our organization a list of about 400 medical devices, from CT scanners to pulse oximeters, which stored or transmitted patient data through their IT network. When we conducted a risk assessment, we found nearly 1,300 devices — 900 more than they knew about. What blind spots may be threatening ePHI security at your facility?
An often ignored or underutilized document that can help you understand the risks of a medical device that maintains or transmits electronic Protected Health Information is the Manufacturer's Data Statement for Medical Device Security. This form, developed by the HIMSS Medical Device Security Group, is designed to be completed by the device manufacturer and provide the reader with device specific elements of the information needed to start the risk assessment of the covered medical device. The shortcoming of this form is the fact that its completion by the manufacturer is only voluntary so we suggested requesting it during the device-analysis phase of your purchase decision.
It's important to note that if your risk assessment finds potential security or privacy issues, you don't have to fix them all at once to be HIPAA compliant. In our experience, if you can answer "yes" to the assessment question posed above, it's all right if you haven't plugged all the holes exposed by that assessment, as long as you have a plan in place to address them as resources become available.
2. Collaborate with stakeholders. This is the single most overlooked component to affecting change in a given facility. Collaboration among decision-makers is essential for successful and lasting alterations to privacy and security policies, since buy-in is more likely when people have an opportunity to contribute opinions and ideas. Giving a voice to people across different departments also safeguards against inadequate or unrealistic policies, especially those affecting patient care. Your stakeholders and constituents have all seen different parts of the problem, so get them all in a room and examine the whole picture. If they understand the entire problem, they'll be willing to explore a solution and spend the time and money to get it right.
With decisions regarding medical devices, you may have experienced the gap that often exists between the clinical engineering and IT departments. When a computer is attached to a medical device, CE may get uncomfortable, as the network falls outside of their expertise. Likewise, the IT department isn't equipped to tinker with FDA-regulated, medical devices. Most hospitals recognize this gap, and in an effort to fix it, have assigned medical device security and privacy, even medical device selection, to one of the two departments. This approach fails to address the real issue: Who is operating the medical device, and what is their input? What about the radiologist (or other physician) and their manager or director? Risk management employees are often ignored, but can help provide input on security-related aspects like passwords and writing exceptions to your HIPAA policy. (We'll discuss exceptions a bit later.) Supply chain employees can help you evaluate purchasing options, operating efficiencies and total cost of ownership. Facilities and infrastructure employees can help you uncover issues related to shielding, cabling, physical security, infrastructure and such. Each department provides valuable input to choosing the right device for your organization and revealing all the risks that can exist with the data being shared by these devices.
As you can see, choosing medical devices that meet HIPAA standards is not the responsibility of just one department. Bringing all departments together enables better decisions — sooner — that will result in HIPAA compliance for the long-term. It also brings an "accountability factor" into play. If patient records are compromised through a breach, departments are less likely to point fingers when all have been consulted regarding security and privacy precautions.
3. Craft policies that reflect what you want to accomplish. When discussing policies related to HIPAA compliance, they must be system wide, not department specific. To that end, input from diverse departments is critical to ensuring system-wide policies are sufficiently encompassing. Just as we discussed collaboration among decision-makers above, policy development and implementation must also be a joint effort across many hospital departments. Physical therapy is different than radiology, which is different than cardiology, which is different than obstetrics, and so on.
Together with other hospital departments, write a blanket, hospital-wide policy that meets everyone's needs, but note — you can include exceptions. Consider exceptions an extra level of protection for your hospital with regard to HIPAA compliance. For example, you may write a policy that states, "All computer screens with patient information displayed will not be viewable by the general public." In the lab, this works just fine. But what about in radiology? Who is the general public? Does it include a patient that came into the diagnostic area for a specific test, or a patient who happens to walk past the room? To address these concerns, you may write an exception that would specify that the patient not be brought into the room until their unique information is up on the screen, or perhaps you may add a "screen block" that would make the computer screen not viewable from the patient’s vantage point.
Or consider this example: Let's say your hospital policy states that every user must log into a computer or medical device with a unique user name and password. But you have an older-model X-ray machine that only allows two different user names and passwords. You can write an exception stating that the device is known not to comply with the hospital policy, and will be maintained in a secure area, used only by the radiologist assigned that day — and never left unattended in public areas.
When crafting hospital security and privacy policies, it's important to consider "addressable" vs. "required" specifications, meaning those requiring appropriate assessment and safeguards, and mandatory implementations as stated in the HIPAA Security Rule, respectively. Addressable however does not mean ignorable. It means it must be evaluated for application in your hospital and may be determined not to be necessary to reduce your risk. You have probably heard a lot about encryption lately, and some think it's the silver bullet to preventing breaches. Encryption is an addressable standard, meaning each hospital should address its applicability to them, taking into account factors like size, possibility of a breach and value of risk associated with a breach. Then decide whether it should be addressed by your hospital.
A note on encryption: It will not necessarily reduce your risk of a privacy breach; neither will it protect you from HIPAA violations. Encryption is broken with a password. And where do many people keep their passwords? On a post-it note, taped to their computer screen! So if you leave your laptop in the car one evening after work and it's stolen with the password taped to the screen, well, that's still a clear breach.
You may also have heard of different levels of encryption: 256-bit vs. 128-bit vs. 64-bit (the higher the number, the harder it is to break the code). Some hospitals write 256-bit encryption into their privacy policies when the HIPAA statutes may require far less. In other words, don't impose impossibly strict self-regulation when your privacy policies are adequate at a lower level. If there is a privacy breach, HIPAA officials may judge your institution based on your own policies if they're stricter than federal regulations require.
Finally, remember this: The only thing worse than having no policy is having a policy you don't follow.
4. Review purchases of IT and medical equipment from a risk management perspective. Too often, hospitals and healthcare organizations allow emotion to drive capital purchases. Radiologists, intensivists, cardiologists, all have their preferences regarding brands, based on factors ranging from personal biases to legitimate professional needs. As we discussed previously, collaboration is the key here, too. Invite enough people into the decision-making process so that emotion can be driven out by logic, leading to the best decision for the organization.
When making capital purchasing decisions, it's important, of course, to consider factors like purchase price and total cost of ownership (cost to operate over time, total revenue generated, maintenance costs, parts procurement, etc.), but it's also crucial that you consider security standards. Are the security features that you need already built into the product? What does the MDS2 say about the use of anti-virus or how the device must be connected to your network? Or will you have to retrofit the device after it’s installed to make sure it’s HIPAA compliant? And how much will that cost? Is the software up to date, or already outdated, making the device harder to secure? Updated software is key to ensuring privacy and security.
5. Develop a culture of accountability. Accountability harkens back, once again, to collaboration. Encourage your staff to cultivate the habit of reporting problems and holding one other accountable for their role in HIPAA compliance. If this sounds too time- and labor-intensive, I'd urge you to consider what is at risk and not settle for band-aids and quick fixes. With multi-million-dollar fines and patient data vulnerabilities at stake, you can't afford not to do so.
If you do have a breach, accountability means not pointing fingers at who's to blame, but learning how to improve for the next time. We know we're going to make mistakes — it's part of being human — but our goal should be two-fold: 1) Minimize the number of mistakes by pre-planning and collaborating ahead of time, and 2) Not repeat the same mistake because you've learned from it.
Earl Reber is the Executive Director of eProtex. In this role, Mr. Reber leads a cross-functional team of IT and clinical engineering experts in helping healthcare providers achieve greater ePHI security and HIPAA compliance by securing their network medical devices. He is also a board member of the Indiana chapter of HIMSS and frequent speaker at regional and national health technology conferences.
More Articles on HIPAA Security:7 Ways to Secure Physician Text Messages
5 Considerations for Hospitals Releasing Medical Records to Patients Electronically
Guidelines to Safeguard Healthcare Data, Avoid Loss
© Copyright ASC COMMUNICATIONS 2015. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.
To receive the latest hospital and health system business and legal news and analysis from Becker's Hospital Review, sign-up for the free Becker's Hospital Review E-weekly by clicking here.
New From Becker's Hospital CIO