When it comes to helping healthcare organizations avoid data security and privacy pitfalls, Regional Extension Center of New Hampshire (RECNH) Director Nancy Fennell has seen plenty of examples of human error that can be avoided. RECNH, which is part of a national network of federally funded centers that aid healthcare providers with meaningful use requirements, recently held a webinar to discuss the HIPAA Security Rule and has been focusing on stressing the importance of data security to its clients.
Fennell took some time to speak with HealthITSecurity.com to delve further into what she and RECNH are working on with healthcare providers. In her words, RECNH has been really pushing privacy and security, especially as we move toward Stage 2 Meaningful Use with patient portals coming into play and patients becoming a lot more aware of receiving electronic copies of their protected health information (PHI).
What are some privacy and security trends you’ve noticed over the past few years?
I can tell you that when I first started working with practices in 2011, one practice didn't have anti-virus software on two out of their three computers. We've also found that patients are technically savvy and there have been situations where patients have tried to access computers within exam rooms. So we need to make sure providers are aware and staff members log off of their computers when they leave an exam room or take their laptops home with them when they leave. Another [reminder] is not sharing passwords, which is a really big issue. Many staff members have a sticky note with their password under their keyboard. Fortunately, with the work that RECNH has been doing with the practices, we've helped to raise awareness about not having passwords readily accessible. That's been a real improvement.
Can you talk about areas that some organizations may need help with to be compliant?
With the HIPAA omnibus rule coming into play, we're helping organizations ensure they're clear with their privacy guidelines and privacy practices. Another part is confirming that business associate agreements (BAAs) are up to date, and as a BA ourselves, we need to make sure our information is up to date as well. Furthermore, we need to verify that the IT professionals working for the practices really are professionals. If they're a specialist, they need to be credible. We've had many experiences where family members have come in and given their own guidelines. And they also need to know who's out there in terms of IT specialists. If you're a one-person shop, you're your own IT director. You need to make sure systems are locked down at night, data is backed up, etc.
Part of the work is keeping up with what your vendor is doing as well. I’ve seen instances where a provider and vendor are transmitting protected health information to each other via email. It’s important that people know the seriousness of breaches. It’s news-breaking information when these breaches occur.
Do you offer specific assistance to smaller healthcare providers?
We have a meaningful use privacy and security assessment that we provide to all of our practices. We developed that in partnership with ONC. It handles the administrative, physical and technical sides of security. We push them on it and remind them of situations where data wasn't backed up or data wasn't secured. How many times have we heard about a laptop being stolen out of a car? For the one-doc shops, it's ensuring they've taken the time and effort to secure their shop. It's a lot of work, but you'd rather be protected than have to worry about a breach. As a practice manager I had to deal with a breach, and I can't begin to tell you the amount of work that was involved in terms of reporting. Five records took me more than 40 hours of work.