Roundup: 2013 Forecast – HIPAA Privacy & Security

Follow the pharmacy road. While the Office of the Inspector General, the enforcement arm of HHS, has called for guidance on security standards and best practices, the pharmacy services sector of healthcare has already paved that golden road. Recognizing that there is a technology component to assuring the security of PHI, but that most data breaches are attributable to people – hackers, employees mishandling health information, thieves and the like – the best practice is to engage people, processes and technology.

Pay attention to the pharmacist behind the counter. Patient consults in the pharmacy setting, for example, require utmost attention to privacy and security. Pharmacies provide HIPAA education and training for all employees who step behind the pharmacy counter. Other process and technology safeguards have been successfully addressed – from removing notes with passwords affixed to the pharmacy computer monitor to addressing authentication for e-prescribing controlled substances. There is no doubt that healthcare organizations need to shift priorities in favor of fortifying privacy and security of PHI. As technology continues to evolve and access expands (as with BYOD, for example), processes, education and standards must keep pace, striking the right balance and enabling more efficient and better quality healthcare while protecting patients’ personal health information.
Dean Wiech, managing director, Tools4ever Inc.

Five reasons to use role-based access control

Role-based access control (RBAC) allows organizations to restrict access to certain systems, allowing only authorized users access to specific information. Though little known among the mainstream, as a tool, RBAC is used by the majority of health systems and has the potential to protect the security of information that healthcare organizations protect. Here are five reasons why the use of RBAC is a natural fit in a healthcare environment:

1. Improves systems and applications security. Often, when new employees need accounts, a copy of another account is made, called a “template user”; this is a security risk, since access to applications and systems is also copied and is often never revoked. RBAC allows IT administrators to see what employees have access to given their role in the organization, ensuring access is granted only to those with security clearance.
2. Makes security changes easier. Employees frequently change roles and jobs within an organization and subsequently need different access privileges. With RBAC in place, complex changes, such as a part-time employee working in two different departments, are handled without significant effort.
3. Meets audit requirements. Employing RBAC makes meeting strict audit requirements easy, as healthcare organizations must show that their information is secure. RBAC ensures that secure information remains that way, and organizational leaders can easily access this information for audits, if needed.

20 February 2013
4. Increases employee productivity. With RBAC, employees don’t have to wait for their privileges to be assigned and are able to immediately begin working with necessary applications, such as word processing and email. RBAC allows for automated access to base systems, and new users can get to work more efficiently than with paper-based processes, which can take days to set up and deploy.
5. Reduces internal costs and cuts unneeded licenses. With RBAC, an organization can determine which internal applications are being used and how often, and decide which are necessary for their needs. Programs deemed unnecessary can be eliminated or have licensing counts reduced.
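The five points above describe properties of an RBAC model without showing the mechanism that produces them. The following is an added example, not code from the article or from Tools4ever: a minimal RBAC model in Python in which users hold roles and roles hold permissions, so that a user with two roles gets the union of their access (reason 2), a role change revokes the old role's permissions automatically (reasons 1 and 2), a per-user access report can be produced for an audit (reason 3), and permissions that are granted but never exercised can be listed for a license review (reason 5). It also shows the "template user" anti-pattern from reason 1 beside it for contrast. The role names, permission strings and usage counts are constructed for illustration and do not come from any real health system.

```python
"""Minimal role-based access control (RBAC) model (added example).

Constructed data: roles, permissions and the usage counters below are
illustrative and are not taken from any real pharmacy or health system.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set

# Role -> permissions. A permission is written "resource:action".
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "pharmacist": frozenset({"rx:read", "rx:dispense", "patient:read", "email:use"}),
    "pharmacy_tech": frozenset({"rx:read", "patient:read", "email:use"}),
    "billing": frozenset({"claims:read", "claims:submit", "email:use"}),
    "auditor": frozenset({"access_report:read"}),
}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


class Rbac:
    """Users hold roles; roles hold permissions. Users never hold permissions directly."""

    def __init__(self, role_permissions: Dict[str, FrozenSet[str]]) -> None:
        self.role_permissions = role_permissions
        self.users: Dict[str, User] = {}

    def set_roles(self, name: str, roles: Iterable[str]) -> None:
        """Assign the user's complete role set (creating the user if needed).

        Access is derived from roles at check time, so any permission that
        belonged only to a removed role is revoked at the same moment.
        """
        role_set = set(roles)
        unknown = role_set - set(self.role_permissions)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.users[name] = User(name, role_set)

    def permissions(self, name: str) -> FrozenSet[str]:
        """Effective permissions: the union over all of the user's roles."""
        user = self.users.get(name)
        if user is None:
            return frozenset()
        result: Set[str] = set()
        for role in user.roles:
            result |= self.role_permissions[role]
        return frozenset(result)

    def is_allowed(self, name: str, permission: str) -> bool:
        return permission in self.permissions(name)

    def access_report(self) -> Dict[str, List[str]]:
        """Who can do what, for an auditor: user -> sorted permission list."""
        return {name: sorted(self.permissions(name)) for name in sorted(self.users)}

    def unused_permissions(self, usage: Dict[str, int]) -> Set[str]:
        """Permissions granted to at least one user but never exercised."""
        granted: Set[str] = set()
        for name in self.users:
            granted |= self.permissions(name)
        return {p for p in granted if usage.get(p, 0) == 0}


def template_copy(source: FrozenSet[str], extra: Iterable[str]) -> FrozenSet[str]:
    """The 'template user' anti-pattern: clone another account's access and add
    to it. Nothing ties these grants to a job, so nothing revokes them later."""
    return source | frozenset(extra)


def demo() -> dict:
    rbac = Rbac(ROLE_PERMISSIONS)
    # Part-time employee in two departments: two roles, union of their access.
    rbac.set_roles("alice", {"pharmacy_tech", "billing"})
    before = rbac.permissions("alice")
    # Alice moves to billing full time; the pharmacy role and rx:read go away.
    rbac.set_roles("alice", {"billing"})
    after = rbac.permissions("alice")
    # Template-user path for comparison: the copied pharmacist access persists.
    bob_template = template_copy(ROLE_PERMISSIONS["pharmacist"], {"claims:read"})
    rbac.set_roles("carol", {"auditor"})
    rbac.set_roles("dave", {"pharmacist"})
    # Constructed usage counters (per permission) from an imaginary access log.
    usage = {"rx:read": 120, "patient:read": 80, "email:use": 300,
             "claims:read": 9, "claims:submit": 7, "access_report:read": 1}
    return {
        "alice_before": before,
        "alice_after": after,
        "alice_lost_rx_read": "rx:read" in before and "rx:read" not in after,
        "bob_template_keeps_dispense": "rx:dispense" in bob_template,
        "report": rbac.access_report(),
        "unused": rbac.unused_permissions(usage),  # rx:dispense is granted but idle
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The design choice worth noting is that `permissions()` recomputes access from the role table on every call rather than caching grants on the user: that is what makes a role change a revocation and what keeps the audit report and the role definitions from drifting apart.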
Drew Gantt, partner, Cooley LLP

Outlook on data privacy and security in 2013

As 2013 gets underway, we are in the midst of a health information revolution. Ironically, HIPAA, which was intended to address privacy and security in a digital age, stands as a major impediment to digital health. It does so because it assumes that health information rightly resides with providers and payers (HIPAA-covered entities), rather than business associates or consumers. HIPAA requires that any business associate of a HIPAA-covered entity either return to the covered entity or destroy patient information when the relationship between the business associate and the covered entity ends. That requirement effectively constrains information from easily following the consumer, a major objective and promise of the health information revolution. For example, HIPAA makes it difficult for a wellness company to continue to serve an individual if that individual changes health plans or the wellness company stops doing business with the individual’s health plan. In 2013, look for increased pressure to reform HIPAA to allow information to be more readily accessed by consumers and digital health companies.

At the same time, increased use of mobile media by health care providers continues to challenge those who are responsible for protecting that health information. Theft or loss of mobile media, including smartphones, laptops, tablets and flash drives, continues to be among the largest sources of data breaches, prompting the federal government recently to issue specific guidance on how to use such devices in compliance with HIPAA (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf). That guidance recommends limiting off-site use of mobile media that may contain health information. While this position is understandable, it reflects the old paradigm view that information remains within the control of the providers and payers and ideally does not leave their facilities. Healthcare facilities and other companies that use mobile media containing patient information will continue to face challenges with implementing use of such devices, given the current regulatory regime.
HMT HEALTH MANAGEMENT TECHNOLOGY www.healthmgttech.com