Five Steps to HITECH Preparedness
Bottom line: effective privacy protection requires more than IT security and compliance.
It is likely that HIPAA compliance or a conversion to electronic medical records initiated new data security measures in your organization. However, with breach incidents on the rise and the new HITECH law, reviewing all aspects of PHI security and data breach readiness is paramount.
Here are the five steps we recommend to all healthcare organizations for addressing HITECH requirements and the increased threat of data breach:
* Do a risk-based assessment: The first step in your incident response plan should be to conduct a thorough, risk-based assessment of practices related to your PHI assets and their lifecycle. This includes creating an accurate inventory of the PII/PHI data you hold and all internal and external workflows where the information is used. It should identify PHI-specific risks in your IT systems but also in your organizational policies and processes. Finally, it should identify all business associates that have access to PHI for which you are responsible.
* Secure PHI, per guidelines: With your risk-based assessment and PHI inventory in hand, make sure this information is "secured" through a technology or methodology specified by the Secretary of Health and Human Services (HHS) pursuant to the HITECH Act; the HHS guidance recognizes encryption and destruction for this purpose, and the breach notification requirements apply only to "unsecured PHI." Beyond that, minimize exposure: de-identify records where full identity is not needed for a given business process or function, and provide only as much data as that process requires. For example, our healthcare clients often replace the social security number with an assigned member ID as the member identifier, so that the SSN can be removed from, or obscured in, their database records. Encrypting the information systems that hold PHI is likewise strongly advisable. Together these measures limit the damage from a breach, protect patients, and can keep an incident outside the notification requirements that apply to "unsecured PHI."
* Address Contracts and Processes: The HITECH Act requires contracts with your business associates to authorize and define their use of the PHI that is shared with them. Business associates can include healthcare organizations, industry service providers, payors, suppliers or any other organization that handles PHI on your behalf. A risk-based assessment tells you which associates pose the highest breach risk, enabling your legal team to prioritize contract revisions and your operations team to concentrate on strengthening high-risk processes. In a recent hospital breach managed by ID Experts, highly sensitive PHI was exposed by a business associate, and the incident damaged the hospital's reputation, not the associate's.
* Plan for Breach Detection: Under the HITECH Act, you must notify affected individuals within 60 days of discovering a breach of PHI in any form, not just electronic records, so the clock starts when your organization finds the problem, and detection has to cover paper records and small incidents as well as large electronic exposures. The definition of "breach" now includes even incidental loss or exposure of single records or small amounts of personal information, as happened in the Nadya Suleman case, where Kaiser was fined $250K by California regulators after employees improperly accessed medical information about her pregnancy with octuplets.
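As an added illustration of the "Secure PHI" step (example code written for this edit, not from the original article or from ID Experts), the routine below replaces the SSN column of a constructed record set with randomly assigned member IDs kept in a separate crosswalk, rewrites SSNs that have leaked into free-text fields, and then scans the result for any SSN-shaped value that survived. The record layout, the crosswalk as a plain dictionary, and the sample data are assumptions; in production the crosswalk would live in its own encrypted, access-controlled store, and encryption of the records themselves is a separate control not shown here.

```python
"""Pseudonymize SSNs in PHI records and verify the exported copy is clean.

Added example (not from the original article, not ID Experts' code).
Assumes an in-memory list of dict records and a dict crosswalk; a real
system keeps the crosswalk in a separately encrypted, access-controlled
store, since it is the only thing that maps a member ID back to an SSN.
"""
import copy
import re
import secrets

# Matches SSN-shaped strings, with or without dashes (900-12-3456, 900123456).
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")

# Constructed sample PHI records. The SSNs use 900-series area numbers,
# which the Social Security Administration does not issue, so they are
# not real identifiers. Patient A appears twice (two visits) and record 1
# carries an SSN inside a free-text note, the classic leak that survives
# when only the SSN column is dropped.
SAMPLE_RECORDS = [
    {"name": "Patient A", "ssn": "900-12-3456", "dx": "J45.20",
     "notes": "Routine visit."},
    {"name": "Patient B", "ssn": "900-98-7654", "dx": "E11.9",
     "notes": "Verified identity against SSN 900987654 on file."},
    {"name": "Patient A", "ssn": "900-12-3456", "dx": "J45.21",
     "notes": "Follow-up for patient A."},
]


def normalize_ssn(ssn):
    """Strip dashes so 900-12-3456 and 900123456 key the same crosswalk entry."""
    m = SSN_RE.fullmatch(ssn.strip())
    if not m:
        raise ValueError("not an SSN-shaped value")
    return "".join(m.groups())


def assign_member_id(ssn, crosswalk):
    """Return the member ID for ssn, minting a random one on first sight.

    The ID is random rather than derived from the SSN (no hashing), so it
    cannot be reversed or brute-forced without the crosswalk itself.
    """
    key = normalize_ssn(ssn)
    if key not in crosswalk:
        used = set(crosswalk.values())
        while True:
            candidate = "M" + secrets.token_hex(5).upper()  # e.g. M3F9A1C0B2D4
            if candidate not in used:
                break
        crosswalk[key] = candidate
    return crosswalk[key]


def pseudonymize(records, crosswalk):
    """Return copies of records with the ssn column replaced by member_id and
    any SSN embedded in a string field rewritten to the matching member ID.
    The input records are not modified."""

    def _replace(m):
        key = "".join(m.groups())
        # An SSN we never assigned an ID to is redacted rather than leaked.
        return crosswalk.get(key, "[SSN-REDACTED]")

    out = []
    for rec in records:
        new = copy.deepcopy(rec)
        ssn = new.pop("ssn", None)
        if ssn is not None:
            new["member_id"] = assign_member_id(ssn, crosswalk)
        for field, value in new.items():
            if isinstance(value, str):
                new[field] = SSN_RE.sub(_replace, value)
        out.append(new)
    return out


def find_ssn_leaks(records):
    """List (record index, field name) pairs where an SSN-shaped value remains.
    Run this over the export before it leaves the secured environment."""
    leaks = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if isinstance(value, str) and SSN_RE.search(value):
                leaks.append((i, field))
    return leaks


if __name__ == "__main__":
    crosswalk = {}
    clean = pseudonymize(SAMPLE_RECORDS, crosswalk)
    print("leaks before:", find_ssn_leaks(SAMPLE_RECORDS))
    print("leaks after: ", find_ssn_leaks(clean))
    print("crosswalk entries:", len(crosswalk))
```

The leak scan is the part worth keeping even if the rest is replaced by a database tool: dropping the SSN column is easy, but notes, audit trails and attachments routinely carry the same value, and an export that still contains it is still "unsecured PHI."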
Reprinted with permission from
Story Copyright CXO Media Inc., 2006. All rights reserved.
CSOs in healthcare organizations know that the Health Information Technology for Economic and Clinical Health (HITECH) Act