Individuals in the health information management (HIM) field play a critical role in covered entities’ approaches to data security, especially HIPAA compliance.
HIM professionals are often “acquiring, analyzing, and protecting digital and traditional medical information vital to providing quality patient care,” according to The American Health Information Management Association (AHIMA). Furthermore, HIM professionals need to understand an organization’s workflow, and how the latest applications will potentially come into play.
HIPAA rules require that organizations have a privacy officer or a security officer, and HIM professionals tend to be an organization’s privacy officer, said Angela Rose, a director of HIM Practice Excellence at AHIMA.
“They'll be responsible for implementing the whole program, like policy and procedures: writing them, the training of staff, just making sure that the laws and the requirements are met as a whole,” she told HealthITSecurity.com.
Rose added that she has been at AHIMA for nine and a half years, and that it’s exciting times right now in the healthcare industry, in terms of privacy and security.
“Whether it’s speaking, or an article, books we create related to privacy and security, meetings we have, I’m usually a part of the planning in some way, shape, or form,” she said.
Today there are some HIM professionals that are IT security officers, but that role will typically still be in an IT department. However, it’s essential that the security officer and the privacy officer – especially in today’s environment – are basically married. You cannot have one without the other in the current healthcare environment and they must work together, Rose stressed.
The right HIPAA compliance training for each organization
Each covered entity and business associate is different, so every organization will need to implement HIPAA regulations differently, Rose pointed out.
“HIPAA mandates training, so whether it’s a PowerPoint presentation where you’re actually listening to somebody speak, or an online course, it may vary,” she said.
Many organizations today use their intranet, which may host a presentation followed by a quiz to ensure that staff members were paying attention and listening.
There can also be various webinars given to employees. Overall, there are many avenues through which HIPAA privacy and security training can be given, and it’s essentially up to the organization as to how it wants to deliver it.
Rose called back to the “marriage” that needs to exist between an organization’s security officer and privacy officer, or even IT director. Some HIM professionals are more technically oriented than others, but historically, HIM professionals are the privacy people. In that regard, it’s important to “be more techie,” Rose explained.
“We may not need to walk the walk, but we have to talk the talk,” she said.
For example, HIM professionals should understand what a firewall is: what it does, what it needs to do. But they don’t necessarily need to be the person who actually goes in and sets it up.
“That’s where you want to work with your IT counterpart,” Rose maintained. “You can ask, ‘Okay, does this do A, B, C…how does this work?’ and you work together to make sure that compliance is met and that your systems are protected.”
Information security needs to be part of any healthcare organization’s culture, Rose emphasized. It must come from the top down, and senior management must be “on board 150 percent.” This helps show employees how important privacy and security are, and that the company is serious about keeping data secure.
“A lot of times I'll recommend working it into your employee evaluation,” said Rose. “Asking things such as, ‘Did your employee have one or three HIPAA privacy or security violations this year?’ That should affect their evaluation, because if it's a part of your culture, and keeping your information secure and the confidentiality of your patients is crucial and significant to your organization, then your employees have to feel that too.
“There have to be repercussions and disciplinary action when those policies and procedures aren't being followed or rules are broken, for lack of a better word.”
Rose added that she doesn’t like to use the word “punishment,” but some sort of disciplinary action should be used whether it’s a physician or a janitor who violates privacy and security policies or procedures.
Ensuring that the privacy and security sides work together
In terms of building a privacy and security team, Rose noted that healthcare organizations are likely looking for a few things. First, they want to ensure that the individuals know what they’re doing: they understand the laws, know what needs to be done, and know the best way that the organization can get it done.
“This is important because Organization A is going to do it a different way than Organization B,” Rose said. “Interpretation of the requirements and the laws is also going to be a little different. Some of them are very cut and clear, black and white. Some are very grey. They’re looking for competency, experience, and trusting in that these teams – whoever they are – know what they are doing.”
Finding the ideal balance between a cybersecurity background and an IT background will also help, she agreed. It amounts to merging the technical person with the person who knows all about the compliance side.
“It’s all about the writing of the policies and procedures, the training, what the law says,” Rose stated. “Organizations also need to be able to say to the IT person – who might not know exactly what the law says – ‘Hey, this has to be done.’ That's why it's so important for those two to work together. It's not just privacy or security anymore. It has to be privacy and security, because privacy has to understand some of security, and security has to understand some of privacy.”
Without those two working together, Rose said she’s not sure how an organization can meet full compliance or be confident in its program.