Overall HIPAA Strategy

The HIPAA security and privacy regulations do not only govern the communication of data from one health care individual to another or from one organization to another; they also govern the storage of individual patient information and other critical data, whether or not it is ever transmitted outside your control. These standards apply to computer and paper storage of protected health information and to all electronic transactions involving any person's health information among parties. They set security and privacy standards for all activity that touches patient health information. Meeting them will require an investment, if only of time in some cases, and failure to comply can result in significant fines and, for knowing violations, imprisonment.

The HIPAA security and privacy regulations address all storage and transmission of patient-identifiable data. They apply to everyone from the individual practitioner or health care provider with his or her own personal computer, to the family practitioner, to group practices of all sizes.

Even for the individual health care provider or vendor, compliance with these regulations includes not only information safeguards but also physical safeguards and responsive administrative policies and procedures, all of which must be firmly documented.

Whether you are an individual, a small group practice or a larger organization, additional personnel and consultants may be needed to achieve compliance, depending on the size of your business and your discipline.

Smaller health care providers and individual professionals will have to take special precautions to ensure that data is adequately protected. Sharing passwords, posting passwords on terminals, and deactivating password requirements are all inconsistent with the compliance requirements of these regulations. Backing up all data files and storing the backups in a remote offsite third-party facility is an excellent data protection strategy and a practical way of ensuring the availability and integrity of your data; bear in mind that those backups contain the same protected health information as the originals, so they must be protected (encrypted and access-controlled) to the same standard while in the third party's hands.

Change Management Strategy

The HIPAA Security regulations have extensive and broad implications; in fact, to some, the proposed security regulations have broader implications than any other section of HIPAA.

For the individual health care provider and the small office, new procedures will have to be put into effect. For some, the requirements reach into the heart of their operations, changing not only physical and organizational structures and processes but also deep-rooted organizational cultures and beliefs.

These regulations speak to an industry mindset in which access to information is valued by all while the protection of information trails badly in priority. The key is finding a balance between the need to retrieve health information and the need to maintain the confidentiality of that information. Applying information security techniques is not just a technical process, particularly in a health care environment where access to information is prized.

Organizational change, and more specifically culture change, surrounding the security of identifiable protected health information is imperative. This will be especially challenging for the health care professional and office worker who assumes they already understand the issue. Health care professionals hold the very general view that patient information is confidential and must therefore be securely maintained and stored. When asked for specifics, however, most have vastly different views of what counts as secure and of whom the obligation applies to.

Major change is defined as those situations in which the performance of job functions requires an individual, or people throughout an organization, to learn new behaviors and skills. Major change may involve one individual's work habits or an entire workforce, and it must focus on innovation and skill development.

To some degree, the downside effects of change are inevitable. Whenever an individual or a group of people is forced to adjust to shifting conditions, discomfort will occur and resistance to change can set in. The key is to recognize the effects of change in advance, plan for the change, and develop the skill sets and tools to support both the change and the discomfort that comes with it. Without this proactive approach, the risk of poor implementation rises significantly and the opportunity to achieve the required compliance shrinks.

Change management is a discipline that can help individuals, small groups or large organizations. Much has been written about it, and there are any number of methodologies or processes available. What the various approaches have in common are the general steps needed to implement a successful change management program. These include:

  • Create a Vision
  • Make a Plan
  • Implement the Plan and Communicate It To Others If You Are In a Group or Organization
  • Cultivate, Motivate and Empower Affected Parties, if Applicable
  • Cement the Change in Your Work environment, or Your Office and Organization’s Culture

Implementation Considerations and Issues

The following is a practical list of fundamental requirements for effecting a change in a health care provider's or an organization's culture. The list is not meant to be all-inclusive. Individuals and organizations will each need to determine the impact for themselves, given their own disciplines, habits, norms and beliefs.

Each entry below pairs a security requirement with the management change issue it raises.

Security requirement: Information access control
Management change issue: Access to information is prized. Although individuals and organizations probably have some sort of access procedures in place today, how well those procedures actually operate remains an open question.

  • Do you or your organization identify who can have access to what information? If you are a small office or organization, is this met with resistance?
  • Do you or your organization share IDs/passwords? If you are a small office or organization, is this part of the common culture?
  • If you are an individual who keeps health care information on a computer at home, do any other people have access to that computer?
  • If you are a small office or organization, how promptly are terminated employees removed from access lists, or does this happen only when the termination is unfriendly?

Security requirement: Security incident procedures
Management change issue: Reporting violations is often difficult and is many times considered "ratting" on a friend. Whether it is an independent health care professional reporting on a fellow professional or an office staff member reporting on a colleague, almost everyone feels threatened by the fear of reprisal if the report is discovered.

Security requirement: Security awareness training
Management change issue: Security training for both individual health care professionals and organizational workers will be challenging, since many already assume they understand the issue.

Security requirement: Personnel security
Management change issue: Individual health care professionals and many small offices are not currently in the habit of checking references, much less running background checks.

Security requirement: Security management process
Management change issue: Data security policies must be applied equally to everyone who comes into contact with information in your possession. If you are a small office or organization, it will be important that sanctions for breaches of data security are applied fairly and consistently to all employees, regardless of their relationship, position or length of service.

Security requirement: Physical access controls
Management change issue: "Need to know" procedures should be implemented. This may affect your existing practice, and if you are a small office or organization, staff or co-workers who previously had automatic access to data may feel slighted and be resentful when that access is taken away.

Security requirement: Policy/guideline on personal computer and workstation use
Management change issue: A policy should be put in place requiring users to log off their personal computer or workstation before leaving it unattended, even for a few minutes. Doing so may cause resentment around the office or home, because people may think you do not trust them. In addition, if you are a small office or organization, rolling out standard automatic log-off technology across the office will be difficult, since workflow varies greatly from one desk to another. Even so, automatic logoff is among the technical safeguards the Security Rule names, and a short inactivity timeout that locks the screen is the practical way to stop relying on each person's habits; the workflow objections are usually best answered by tuning the timeout per role rather than by leaving sessions open.