Yan Kravchenko
Information Security Leader with 25+ years of experience
The Mayo Clinic recently launched Mayo Clinic Center for Social Media intended to help train medical practitioners and patients about the use of social media to improve patient care. While it’s easy to see how greater access to healthcare related information can be very valuable, problems with doctors and nurses posting PHI inappropriately has made news headlines more than a handful of times. Therefore, this new development comes at a great time, just as more and more organizations are beginning to appreciate the value of a comprehensive social media strategy.
One of the common and consistent themes at HIMSS (Healthcare Information and Management Systems Society) this year was achieving “Meaningful Use” requirements so that healthcare providers can apply for EHR (Electronic Health Record) stimulus money. The “Meaningful Use” requirements focus on:
Improving quality, safety, efficiency, and reduce health disparities Engaging patients and families Improving care coordination Improving population and public health Ensuring adequate privacy and security protections for personal health information Naturally, my interest is within the last item in the list, and within this post I hope to bring more clarity to a small subset of what clearly is becoming the newest “hot-item” of the healthcare industry.
I recently had the opportunity to review an article by Michael Koploy of Software Advice titled “HHS Data Tells the True Story of HIPAA Violations in the Cloud“. While the article has great data about the historical breaches, I think it’s fair to say that not enough time has passed for us to know the real implication of companies moving EMRs into the cloud. HIPAA violations in an IT-centric environment like cloud or software-as-a-service providers are harder to detect, and the general awareness of rules around HIPAA violations are lower than that in the hospitals.
At a recent networking event I heard a manager express frustration over managing an employee who got caught up in her own fairy tales that resulted in a very embarrassing termination. She told her co-workers that she was diagnosed with cancer and needed time off for surgery and treatment. The company responded with genuine concern and care, assuring her that she will have all the support and time off she will need.
One of the most promising technologies for automatically enforcing compliance with sensitive data handling practices is Data Loss Prevention (DLP) technology and it is quickly gaining popularity and adoption across many industries. Does this mean that DLP is the answer to all sensitive information handling concerns? In short, I am sorry to say that while DLP offers excellent solutions within a limited range of data, such as payment cards, social security numbers, and other easily identifiable data, it does not offer great solutions for HIPAA compliance.
Business Associates Need to Understand HIPAA & HITECH Requirements Even though the full extent of the HIPAA and HITECH requirements will not be required for Business Associates until 2011, my experience with helping organizations reach compliance with appropriate security requirements suggests that compliance efforts should begin right away. Proposed changes to the rules can be viewed at regulations.gov. The deadline for submitting comments has passed on August 13th; however I would be surprised to find significant changes from those that have been proposed.