Attendees to the 2002 Healthcare Information Management Systems Society in Atlanta had security on their mind. But it wasn't just the increased security precautions taken by the airline industry.
According to the 13th annual HIMSS Leadership Survey, sponsored by HIMSS and Superior Consultant Company, healthcare providers identified improving IT security as their top current IT priority. These IT security issues are forecasted to remain at the top of the agenda for healthcare providers over the next two years, according to HIMSS and Superior Consultant.
With compliance for the privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA) required by April 2003 and security regulations in proposed form, attendees flocked to HIPAA-oriented sessions at the Georgia World Congress Center.
In one HIPAA presentation, attorney Patricia Carter discussed how healthcare institutions can take advantage of existing corporate compliance programs as they work to implement HIPAA's security and privacy regulations. Many healthcare facilities have implemented compliance programs to prevent, detect, and correct unwanted conduct and avoid financial loss, legal liability, and harm to their reputations, said Carter, an attorney with Minneapolis law firm Gray, Plant, Mooty & Bennett.
The U.S. Office of the Inspector General (OIG) has encouraged careful attention to such programs, which analyze operations, assess risks, and direct compliance efforts in healthcare facilities. The same steps performed in a successful corporate compliance program can be applied to compliance with HIPAA's privacy and security regulations, Carter said.
HIPAA demands documented policies to address all components of privacy and security, she said. A security policy should cover a high code of conduct. A HIPAA privacy officer should be appointed, with responsibility for development and implementation of privacy policies and procedures. This person would work with the compliance officer, and could also fill that role as well, she said.
A security officer should also be appointed, tasked with overseeing security measures and the conduct of personnel regarding protection of data. The security officer should not serve as the compliance officer or privacy officer, she said.
Privacy training covering policies and procedures needs to be developed to satisfy regulations, with specific training of select employees depending on job responsibilities, she said. Security awareness training should be provided for all employees, including training on viruses and password management. As with privacy, specific security training of select employees should be given depending on job responsibilities.
All new employees should receive training, with all employees receiving training at least annually. Attendance should be documented. Information on sanctions, as well as reporting processes for noncompliance, should be disseminated, Carter said. It's a good idea to integrate privacy and security training with compliance training as well, she said.
A contact person should be designated to receive privacy complaints, and a process should be formed on how to receive, document, and respond to complaints. For HIPAA security, documented security incident procedures should be formulated. A formal mechanism should be instituted to document security incidents, and formal rules should be set up spelling out the response to security incident reports, Carter said.
While specific auditing is not required for HIPAA's privacy regulations, auditing is recommended to verify adherence to privacy policies and procedures, she said. Institutions should track disclosures, as they must account for all disclosures upon request.
Security monitoring efforts should be focused on identified risk areas. Officials should review records of system activity, but also focus review on improper access and patterns of system activity, she said.
As for disciplinary guidelines, institutions must develop and apply appropriate sanctions for noncompliance with privacy regulations. Sanctions and discipline policies and procedures for security violations should be communicated to all employees, agents, and contractors, Carter said. Background checks should be performed.
The compliance team should develop procedures to mitigate any harm from improper use or disclosure of information, and spell out formal procedures covering incident reporting and response procedures for security-related matters.
Carter said it's important to keep records, both for the compliance and HIPAA programs. These records should cover reports, responses, internal investigations, and corrective action.
IHE
The Integrating the Healthcare Enterprise initiative, a joint project between HIMSS and the Radiological Society of North America, wrapped up its third year at the meeting. Education was one of IHE's primary goals for year 3, and several educational sessions were presented. The IHE demonstration area also featured demos of the seven IHE integration profiles.
IHE can be a great help to those seeking to implement an enterprise-wide image and information management system, according to Dr. David Piraino, section head for computers in radiology at the Cleveland Clinic Foundation.
IHE is seen as the crucial link in breaking down the technical barriers that have hindered the development of data networks that span individual specialties and hospital departments. Before a system can be built, however, it's important to evaluate an institution's workflow issues and purchasing resources, according to Piraino, who made his comments during a session on IHE integration strategies.
IHE integration profiles, such as scheduled workflow and patient information reconciliation, can help solve clinical priorities such as the proper identification of patients, Piraino said. IHE has made a lot of progress since its inception. Unfortunately, most vendors need more time to bring these benefits to market, Piraino said.
To deal with variable implementation rates, and the financial challenges of upgrading current systems, Piraino suggests using IHE concepts to model current workflow. If necessary, these concepts can be applied manually within radiology to perform process reengineering, until an electronic solution can be procured, he said.
Once the radiology department has a good understanding of its workflow, it's time for the rest of the enterprise to get its act together, he said. For example, substantial healthcare benefits can be gained by developing an integrated clinical desktop linking radiology and other clinical applications.
Other benefits can be found by sharing images and results among departments, using standardized codes and terminology, and determining the best ways to manage information, such as historical studies. Future IHE expansion beyond the radiology domain will help advance these ideas, Piraino said.
By Erik L. Ridley
AuntMinnie.com staff writer
February 8, 2002
Copyright © 2002 AuntMinnie.com
