Healthcare Executive - September/October 2013 - 24

Protecting Patient Medical Data
evaluations; and daily huddles to discuss patients on the floor who might
spark curiosity—and inappropriate
intrusion into their health information.

business agreements cover how information is protected and when policies
and procedures should be reviewed?”
she says.

Still, “no matter how many safeguards
you have in place, there is always room
for improvement,” Gordon adds. “And if
you find a problem, you have to dig.
Where there’s smoke, there’s fire. It might
be just one department, but you need to
know. That’s why you need to audit.”

Failure among providers to perform the
security risk analysis required by HIPAA
since 2003 also persists, Pritts says.
Surveys during the past 10 years consistently show compliance hovering at 75
percent. “That’s the good news. But
where are the other 25 percent?” she says.

The federal requirement for patient
data breach notification—in place
since 2009 and which became more
stringent this year with the new
HIPAA Omnibus Rule—has shed
valuable light on where providers can
do better, reports Pritts. Device loss
and theft is a major one. So is encryption, particularly the encryption of
mobile devices. Tablet and smart
phone use in healthcare has exploded,
but mobile device security lags seriously behind, she says.

To spotlight the problem, ONC
worked with the Centers for Medicare
& Medicaid Services to incorporate
the HIPAA Privacy and Security Rule
into the meaningful use requirements
for EHRs. “If we’re going to pay you
to adopt EHRs, this is one thing we
want to make sure you do,” Pritts says.
She expects to see a rise in compliance
when data on Stage 2 meaningful use
implementation become available
within the next two years.

According to Gordon, agreements
with business associates warrant careful attention as well. “Are you making
sure, as vendors come in and information is passed back and forth, that your

Providence Health
& Services
Providence Health & Services,
Renton, Wash., has embedded a cadre
of privacy officers and information
security officers in the organization’s

business units and regional operations,
which include 32 hospitals in five states.
These professionals guide privacy and
security policy and procedure implementation at the local and regional levels
with an eye on data protection as well
as consideration for clinicians’ special
needs.
“Having these people out there as part
of how we operate has made a huge
difference,” says Eric Cowperthwaite,
chief security officer. “It’s not just me
sitting in an ivory tower at system
headquarters sending out policies from
on high. These are people with whom
hospital and regional executives can
interact every day.”
That degree of attention to patient
data protection did not happen overnight. “We came to the conclusion
six or seven years ago that we had to
be part of the hospital-level culture
in order to be effective,” he says. The
process started with the development
of regional security teams. It also
involved a great deal of collaboration
with regional staff to gain their
trust that privacy and security would
protect patient information without
interfering with the delivery of care.

“t’seasytoseethereturnoninvestmentwhenyou’regettingmedicalalerts
I
thatcansavelives.It’snotsoeasytoidentifythebenefitsofprivacyand
security.Whenthey’reworking,youdon’thearaboutit.”
Joy Pritts
OfficeoftheNationalCoordinatorforHealthInformationTechnology,
U.S.DepartmentofHealthandHumanServices

24

Healthcare Executive
SEPT/OCT 2013
Healthcare Executive - September/October 2013

Table of Contents for the Digital Edition of Healthcare Executive - September/October 2013
