Prevention is better than a cure. In the world of HIPAA privacy and security, training and awareness are among the most important aspects of prevention. The best laid policies and procedures won't keep your patient's PHI safe if no one knows how or why to follow them. But effective and engaging training methods can be elusive. Employees and administrators might begin to treat their annual training as routine, going through the motions to get their certificate, and then falling victim to a phishing attack that could have been avoided. New hires may be overwhelmed by the scope of HIPAA?it's a huge law?or struggle to connect it to their job duties. Developing education and awareness strategies that capture employees' attention and build privacy and security into the culture of their workplace can be a tall order.
Security officers may sometimes feel that they're asked to do too much with too little. Limitations surrounding staffing, budgets, or resources, or an administration that simply doesn't understand the importance of information security, can make a difficult task even more complicated. In some organizations, information security is a relatively new department and might lack the connections and relationships that more well-established departments rely on for support. Security needs allies. Fortunately, there's one they may already work closely with who is ideally suited: internal auditors.
Q: What is the recommendation for retaining hard copies of medical records once they have been transferred to an EMR system?
A: This varies quite a bit depending on your storage capabilities and state retention laws. I am aware of some organizations that keep these records for 3?6 years (until the statute of limitations has run out), but this is a very conservative approach. I have also seen six months and one month. I would suggest ensuring you have a rigorous scanning quality control process to reassure yourself that you in fact have the scanned documents and they are readable. I would recommend that you keep the hard copies for at least one month after scanning. You might also want to consult legal counsel on this matter.
Editor's note: Simons, director of health information and privacy officer at Maine General Medical Center in Augusta, answered these questions. She is also a HIM Briefings advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your questions related to HIPAA compliance to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com.
When President Barack Obama issued Executive Order 13636 February 12, 2013, Dena Boggan, CPC, CMC, CHPC, took notice. Boggan is the HIPAA privacy and security officer for St. Dominic Hospital, a 535-bed, 27-clinic facility headquartered in Jackson, Mississippi.
Engaging the board
An August 2014 American Hospital Association (AHA) article, "Cybersecurity and Hospitals: What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response" (www.aha.org/content/14/14cybersecuritytrustees.pdf), reported that hospitals and healthcare are part of the United States' "critical infrastructure," meaning "their systems and assets are considered so vital to the country that their impairment as a result of a cyber attack would pose a threat to the nation's public health and safety."
That's why Boggan and St. Dominic found it critical to ensure they have a robust cybersecurity program. A major part of that program was to get the hospital's board of directors and board of trustees in the know about cybersecurity. Boggan notes that at some of the organizations that suffered major breaches of PHI, investigators found that board members were generally unaware that cybersecurity programs even existed.
"They had that deer caught in the headlights look when asked about their program," she recalls of her research.
The AHA recommended, Boggan says, that organizations get their board of directors in the know. She started by developing a cybersecurity overview for her board. She reports up to St. Dominic's compliance committee, which includes some board members.
"We gave them a good definition of what cybersecurity is and identified that board of directors and trustees need to be responsible for understanding, at a high level, their organization's cybersecurity risks and vulnerabilities," Boggan says. "They need to understand the security response plan that is in place, who in management is responsible for delivering that plan, and when it's appropriate for board insight over that plan."
With major security breaches making headlines, HIPAA Phase 2 audits set to begin, and the OIG pressuring OCR to crack down on HIPAA violations, there's never been a better time to get serious about compliance.
