Many thanks to Feisal for his comments on security. I am noticing a new awareness in healthcare regarding security and privacy of PHI. The original HIPAA regs on these topics were enforced (look here for enforcement and resolution data) when a complaint was made. But no proactive procedure was in place to ensure that you were compliant with the regulations. I didn’t sense an urgency prior to 2009. That is changing now with the new guidelines and updated HIPAA for HITECH. Fines and exposure are increasing and we are seeing an increased focus on privacy and security. Business Associates (BA) also beware – you have new liability and your covered entities (CE’s) also have liability for your disclosures. With more vendors offering SaaS models, it is very likely that CE’s will start taking a deeper look at your systems, policies and procedures.
A few unintended, public PHI disclosures have highlighted the liability associated with unintended exposure. And if you have worked anywhere in the healthcare arena, then you understand the vast number of potential holes that need to be plugged to reduce your risk. All organizations have different systems, policies, procedures, processes, information needs …and therefore different weaknesses. And every time you change your systems (that new EHR, server, admin policy…..) you may be adding new risks. No single solution, policy or update will protect you.
From a personnel standpoint, there are two ways to approach your new focus on security. I am seeing increased hiring for security specialists as more HIE and EHR technology is being deployed. Bringing expertise in house makes sense for large organizations. Although, whether you are a small provider practice, a BA or a large health plan, I might suggest that you also think about bringing in an experienced outsider to evaluate the security of your technology, policies and procedures. Having someone who hasn’t created and isn’t responsible for your systems and policies, taking a second look often adds great value and peace of mind.