Compliance Corner
In EHR Security, the Best Defense is a Good Plan
Health IT is an ever-evolving field. The risks involved are also in a constant state of change. With these changes, new measures must be adopted to help protect electronic health information. Here are a few tips to consider.
By Jolynn Cook, RN, COE, CASC
Health information security is an iterative process driven by enhancements in technology as well as changes to the healthcare environment. As you adopt new health IT to enhance the quality and efficiency of care in your practice, it is equally important to reassess your health information security policies. Identifying risks and protecting electronic health information can be challenging for small ophthalmology practices. Depending on the level of information security expertise within your practice, you may want to consider seeking outside advisors to assist you in assessing your health IT environment and in determining risks to electronic health information. You may also want to consider seeking legal counsel familiar with the obligations of your practice as you adopt and implement new electronic health information technology.
The Changing Face of HIPAA
HIPAA has been in effect since 2003, but it wasn’t until 2009 that business associates were added to the list of entities responsible for compliance. That same year, part of the American Recovery and Reinvestment Act (ARRA), the HITECH Act, included breach notification requirements for all covered entities under HIPAA, including business associates. These federal regulations require practice managers to insist upon compliance with regard to information security. In 2011, HHS funded an independent audit of healthcare industry compliance on these breach notifications.
Understanding Security
Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Information security is achieved by ensuring the confidentiality, integrity and availability of information. In most ophthalmic practices, these traits are defined as:
■ Confidentiality. Ensure electronic health information is not made available or disclosed to unauthorized persons or processes by anyone.
■ Integrity. Ensure electronic health information has not been altered or destroyed in an unauthorized manner.
■ Availability. Ensure electronic health information is accessible and useable at all times by an authorized person or persons.
Your IT Environment
Assessing electronic health information confidentiality, integrity, and availability requires an understanding of your practice’s health IT environment. This may include the technologies your practice deploys for both clinical and administrative purposes, where those technologies are physically used and located, and how they are used within your practice. As you assess your health IT environment, think about those situations that may lead to unauthorized access, use, disclosure, disruption, modification or destruction of electronic health information. These situations will likely be unique to your practice and may be in the form of technology issues (e.g., lack of securely configured computer equipment), procedural issues (e.g., lack of a security incident response plan), and personnel issues (e.g., lack of compliance with policies and procedures and/or adequate security training).
Mitigate Risk
For each risk to electronic health information your practice identifies, try to assess the outcome of an undesirable action or event occurring as a result of that risk, and evaluate what kind of impact such an event would have on your practice and patients. According to the Certification Commission for Healthcare Information Technology and the National Institute of Standards and Technology, in order to mitigate each risk your practice can perform two important steps:
First, review your existing health information security policies and develop new policy statements to address new risks to electronic health information. These new policy statements could require the use of encryption technology, clarification of who is authorized to view and administer electronic health information, or refinement of how and when electronic health information is provided to patients or other healthcare entities. Insist that policies and procedures are followed by all parties, from physicians to front desk personnel and schedulers.
Second, implement your updated security policies in your practice to mitigate new risks. This step will help your practice keep security policies current and decrease the likelihood of electronic health information being accessed, used, disclosed, disrupted, modified or destroyed in an unauthorized manner. Consider investing in a cyber insurance policy.
Meeting EHR’s challenge
EHR fundamentally changes your practice’s health IT environment and introduces risks to health information you might not have considered. The intent of EHR is to introduce significant efficiencies in the delivery of health care to your patients. In effect, it can become the cornerstone of your health IT environment; however, careful review of the practice’s policies and procedures pertaining to IT is necessary. While you may first use EHR within your practice to maintain medical records in electronic form, you may have also purchased your system to exchange electronic health information through a variety of mechanisms with other healthcare entities and your patients. Practices are required to implement these exchanges of information in order to comply with meaningful use. EHR can have a wide-ranging impact. Ensuring the confidentiality, integrity, and availability of EHR and the electronic health information contained within it can be challenging.
Seeking expert help and assistance may be the best option. You may consider purchasing a cyber insurance policy as another layer of protection, should a breach or other problem occur.
Ms. Cook is the Administrator of the Laurel Eye Clinic and the Laurel Laser & Surgery Centers. A Certified Ophthalmic Executive and a Certified Administrator Surgery Center (CASC), Ms. Cook is a registered nurse and also has a degree in Health Care Administration.