The first anniversary of the Health Insurance Portability and Accountability Act (HIPAA) security enforcement date is here, but privacy and security remain front burner issues for healthcare. After four years of implementing HIPAA privacy standards, most organizations consider themselves HIPAA compliant, but in many ways, the ongoing process of balancing information access with privacy and security has just begun.
The report “On the Front Lines of Healthcare Privacy,” released recently by the American Health Information Management Association (AHIMA), says that the HIPAA-designated privacy officer position has expanded toward policy, operations, and management.
“We have a broader role now,” says John Gildersleeve, system privacy officer at Geisinger Health System in Danville, Pa. “We’re still responsible for interpreting and applying HIPAA day-to-day and for monitoring compliance activities. But we also have requests for interpretation in new areas involving the work force and corporate activities and have to look at the technical and physical safeguards we have in place to protect information.”
Another big change has been the privacy officer’s involvement in training. “The privacy rule was meant to give the public greater access to their records, and it has — if the rule is followed properly. But it becomes a hindrance if people aren’t trained properly,” said Joan Kiel, the HIPAA compliance officer at Duquesne University in Pittsburgh. “So the privacy officer needs to be involved in training the work force to know what really is allowed and what procedures need to be followed.”
The industry is still struggling with the uncertainties of implementing electronic medical records (EMR) as well as the fallout from high-profile security and privacy breaches. Recent audits by the Department of Health and Human Services Office of the Inspector General (OIG) have also shaken up complacency about HIPAA compliance at some organizations.
“HIPAA rules haven’t changed, but one of the challenges has been keeping people’s attention on privacy, as there’s some thinking that ‘we have the stuff in place, now we can move on,’” says Kirk Nahra, a healthcare specialist at the Washington, D.C., law firm Wiley Rein LLP. “But security is a constant issue, and companies need to pay attention not only to what they are required to do today but also to changes in the healthcare business environment as well as developing issues like identity theft.”
New privacy-related issues such as health information exchange, protection of data, compliance with state laws, and increased public interest also affect the role of the privacy officer, who must interpret and maneuver through the frequent inconsistencies between HIPAA and state regulations. And there are standards that lack efficacy, such as the burdensome accounting of patient disclosures. “It’s resource intensive and time-consuming to comply with, and we’re not seeing any value from it,” says Nadia Fahim-Koster, information privacy and security director at Gwinnett Health System in Lawrenceville, Ga.
According to Jana Chvatal, manager of the privacy and information security office at Texas Children’s Hospital, privacy officers also must have knowledge of initiatives at the state and federal level related to personal health records and electronic health records. “We have to oversee the implementation and compliance with HIPAA as well as other initiatives and manage them so that they are all in compliance with HIPAA. We also have to address the regulations with patients, who may have read a synopsis or a piece of a regulation or an article and misinterpreted what’s allowed and what’s not,” Chvatal says.
Alan Westin, professor of public law at Columbia University, New York, and principal of the Privacy Consulting Group, says the danger companies face is “feeling beleaguered and looking [exclusively] to technology companies to guide them.” Instead, says Westin, high-ranking, corporate-level privacy and security officers need to lay down the proactive policies first.
At Geisinger, for example, the internal audits and information security departments create a framework, which is then implemented by IT, with frequent independent security assessments, according to Kevin Kerestus, system vice president.
But since technology is changing faster than the rules, companies must use their best business judgment moving forward, says Wiley Rein’s Nahra, who is also co-chair of the Confidentiality, Privacy and Security Workgroup advising the American Health Information Community (AHIC).
Most importantly, as much as security and privacy are paramount, they should not slow down the speed of healthcare delivery. “A user has demands for access and ease of use. A doctor wants to know test results almost in real time,” says Geisinger’s Gildersleeve. “The question is: How do we do this in the electronic world in a way that’s secure and HIPAA compliant?”