HIPAA STRATEGIES
Overall HIPAA Strategy
The
HIPAA security and privacy regulations not only impact the communication of
data from one health care individual to another or from one organization to
another, but they also impact the storage of individual patient information and
other critical data, whether or not it is transmitted outside your control.
These standards apply to computer and paper storage of patient protected health
information and all electronic transactions involving any person's health
information among parties. They provide security and privacy standards for all
patient health activity. They will require an investment, if only in time in
some cases, and failure to comply with them can result in significant fines and
imprisonment.
The HIPAA security and privacy regulations address all
storage and transmission of patient identifiable data. This includes everyone
from the individual practitioner or health care provider with his or her own
personal computer to the family practitioner and group practices of all sizes.
For even the individual health care provider or vendor, compliance with these
regulations includes not only information safeguards, but also physical
safeguards and responsive administrative policies and procedures, all of which
have to be firmly documented.
If you are an individual or small group practice or
larger, additional personnel and consultants may be needed or utilized to
achieve compliance, depending upon the size of your business and your
discipline.
Smaller health care providers and individual professionals
will have to take special precautions to ensure that data is adequately
protected. Sharing of passwords, posting of passwords on terminals, and
deactivating password requirements are inconsistent with the compliance
requirements of these regulations. And backing up all data files and storing
them in a remote offsite third-party facility is an excellent data protection
strategy and practical option for ensuring the integrity of your
data.
Change Management Strategy
The HIPAA Security regulations have extensive and broad implications. In fact,
to some, the proposed security regulations have broader implications than any
other section of HIPAA.
For the individual health care provider and small office, new procedures will
have to be put into effect. For some, the requirements reach into the heart of
their operations, not only changing physical and organizational structures and
processes, but changing deep-rooted organizational cultures and
beliefs.
These regulations speak to an industry mindset in which access
to information is valued by all, but the protection of information is trailing
badly in priority. The key is finding a balance between the need for retrieval
of health information and the need to maintain the confidentiality and
sensitivity of that information. Application of information security
techniques is not just a
technical process, particularly in a health care environment where access to
information is prized.
Organizational change, and more specifically,
culture change, surrounding the security of identifiable protected health
information is imperative. This will be especially challenging for the health
care professional and office worker who assumes an understanding of the issue.
Health care professionals hold a very general philosophy that patient
information is confidential and therefore must be securely maintained and
stored. However, when asked for specifics, most have vastly different views of
what is considered secure and to whom that applies.
Major change is defined as those situations in which performance of job
functions requires the individual and/or people throughout an organization to
learn new behaviors and skills. Major change encompasses an individual's work
habits or an entire workforce, and must focus on innovation and skill
development.
To some
degree, the downside effects of change are inevitable. Whenever an individual
or groups of people are forced to adjust to shifting conditions, discomfort
will occur and resistance to change can set in. The key is to proactively
recognize the effects of change, plan for the change, and develop skill sets
and tools to support the change and the inevitable discomfort associated with
it. Without this proactive approach, the risk of poor implementation increases
significantly and reduces the opportunity to achieve required
compliance.
Change management is an attitude that can help individuals,
small groups or large organizations. Much has been written about change
management, and there are any number of methodologies or processes available.
What is common throughout the various approaches are the overall general steps
necessary to implement a successful change management program. These include:
- Create a Vision
- Make a Plan
- Implement the Plan and Communicate It to Others If You Are in a Group or Organization
- Cultivate, Motivate and Empower Affected Parties, if Applicable
- Cement the Change in Your Work Environment, or Your Office and Organization's Culture
- Implementation Considerations and Issues
The following is a practical list of fundamental requirements to effect a
change in a health care provider's or an organization's culture. This list is
not meant to be all-inclusive. Individuals and organizations will each need to
determine the significant impact given their own unique disciplines, habits,
norms and beliefs.
| Security Requirement | Management Change Issue |
| --- | --- |
| Information access control | Access to information is prized. And although individuals and organizations probably have some sort of access procedures in place today, the issue of how well they operate remains. Do you or your organization identify who can have access to what information? If you are a small office or organization, is it met with resistance? Do you or does your organization share IDs/passwords? If you are a small office or organization, is this a common culture? If you are an individual who has health care information on your computer at home, do any other people have access to that computer? If you are a small office or organization, how promptly are terminated employees removed from access lists, or does this occur only when the termination is unfriendly? |
| Security incident procedures | Reporting violations is often difficult and many times considered ratting on a friend. Whether it be an independent health care professional reporting on a fellow professional, or an office staff member reporting on another, most everyone often feels threatened by fear of reprisal if discovered. |
| Security awareness training | Security training for both individual health care professionals and organizational workers will be challenging since many already assume an understanding of the issue. |
| Personnel security | Individual health care professionals and many small offices are currently not in the habit of checking references, much less background checks. |
| Security management process | Data security policies must be equally applied to everyone who comes into contact with information in your possession. If you are a small office or organization, it will be important that sanctions for breaches in data security be applied fairly and consistently to all employees, regardless of their relationship, position or length of service. |
| Physical access controls | Need-to-know procedures should be implemented. It may affect your existing practice, and if you are a small office or organization, your staff or co-workers who previously had automatic access to data may feel slighted and be resentful if access is taken away. |
| Policy/guideline on personal computer and workstation use | A policy should be put into place to log off your personal computer or workstation. Logging off before leaving your personal computer or workstation unattended, even for a few minutes, may cause resentment around your office or home. People may think you do not trust them. In addition, if you are a small office or organization, installing standard automatic log-off technologies across your small office or organization will be difficult since workflow varies greatly across the office or organization. |