HITECH: Security Reminder for Clinics
Physician Groups Alerted to Risk Assessment Need
Clinics applying for HITECH Act electronic health records incentive payments are getting a reminder about the importance of information security, says Robert Tennant of the Medical Group Management Association.

Physician group practices applying for EHR incentives from Medicare or Medicaid must conduct a risk assessment, a step many smaller clinics have yet to take, Tennant acknowledges.

Under the HIPAA security rule, which went into effect in 2005, healthcare providers were required to conduct such an assessment. But for many physician groups, that requirement "slipped under the radar" until now, he adds.

In an interview (transcript below), Tennant advises physician group practice administrators to:

  • Take information security seriously. Conducting a risk analysis "is a very foreign practice for most practice administrators," he acknowledges.
  • Build a risk management strategy based on answering the question, "What if?" For example, clinics that consider "what if a laptop gets stolen" will appreciate the value of encryption, security policy development and staff education.
  • Consider acquiring EHR software that is not only certified as meeting the HITECH requirements but also meets the tougher requirements of the Certification Commission for Health Information Technology's 2011 certification standards.

As senior policy adviser for health informatics at MGMA, Tennant focuses on federal legislative and regulatory health information technology issues, including HIPAA, electronic health records, electronic prescribing and ICD-10 coding. MGMA has 22,000 members who manage more than 13,570 organizations in which more than 275,000 physicians practice.

ANDERSON: For starters, why don't you tell us about MGMA and your role there?

TENNANT: MGMA is a trade association that represents practice executives in the leadership of medical groups, and a medical group is an organization with three or more physicians, including single-specialty groups all the way up to multi-specialty groups like the Mayo Clinic. We really help to focus in on the administrative side of healthcare as opposed to the clinical. My role in health information technology is to assist practice administrators and others prepare to meet the challenges of government regulation, incentives and penalties and, of course, the area we are going to focus on today, which is meaningful use of electronic health records.

Risk Assessment

ANDERSON: To qualify for the Medicare and Medicaid EHR incentives under the HITECH Act, physician groups must conduct a risk analysis and then take action to mitigate those risks that they have identified. So for a clinic with relatively limited resources, what is a good way to accomplish that task?

TENNANT: As most folks know, the HIPAA security rule compliance date was back in 2005. And even though a lot of practices have been very vigilant in terms of their preparation and compliance with the HIPAA privacy rule, in some ways the security rule has slipped under their radar screen. So when it comes to meaningful use, all of a sudden issues of conducting a risk analysis and mitigating potential threats come to the forefront.

What practices need to do first of all is understand the rule. And there are a lot of resources on MGMA's website, and plenty of resources through the government. I would highlight a wonderful seven-part security series on the HHS Office for Civil Rights website aimed at the smaller physician practice. It is a wonderful discussion of each of the main components of the final rule and really gives you a step-by-step approach on how to comply with the rule and conduct a risk analysis. I would say scour the websites for as much free and low-cost information as possible, and if that is not enough, then practices may want to hire the services of a top-notch consultant.

Risk Mitigation Steps

ANDERSON: What do you believe are some of the key risk mitigation steps that many clinics will end up having to take?

TENNANT: The advice that I give our members is very simple, and that's to say the two most important words: "what if." So you want to ask yourself: What if our server fails? What if we have an environmental issue, whether it is a hurricane or a snowstorm, which impacts our physicians' ability to gain access to their electronic data? What happens if we have a laptop with patient information stolen from the clinic? What happens if a smart phone with information on it is stolen at a hospital? As soon as you walk through those what ifs, then it becomes very clear what the practice needs to do.

For example, in terms of laptops, you need to, if possible, encrypt the data so if the laptop is stolen the information will not be accessible by those who shouldn't be looking at the data. But also develop policies and procedures. So, for example, you may want to tell the clinicians that information on laptops is not permitted to be taken outside the clinic, and if it is, it must be encrypted.

Remote access, the updating of virus software, firewalls -- all of those technical things traditionally we haven't paid much attention to -- now again come to the forefront.

We are seeing more emphasis by the government on enforcement, so I think security is going to now be a part of the lexicon of the practice administrator. ...

Choosing an EHR

ANDERSON: To earn the HITECH incentives, physician groups have to use certified EHR software that includes a list of specific security functions, including encryption and authentication among many others. So how can clinic administrators go about comparing and contrasting the effectiveness of security functions of EHR software to help them select the right system for their practice?

TENNANT: In order to qualify for the meaningful use incentives, you must be using a certified system. Just because the system is certified, that really doesn't give you much help in terms of how those features and functionalities will work in the real world. And so what we are encouraging our members to do is a couple of things.

First of all, we advise them to consider the higher-level certification offered by the Certification Commission for Health Information Technology, known as their 2011 certification. That goes above and beyond the minimum HITECH requirements.

But the other factor, which I think is absolutely critical, is networking. That is one reason why practice administrators turn to MGMA and why physicians turn to their specialty societies; it allows them to interact with their colleagues, their peers, who have been going through these challenges. And so by discussing in online forums the use of encryption or how they handle passwords or what is a good policy to use for this or for that, the practice administrator can get a leg up on developing policies that not only comply with the law but that can actually function within the organization.

Again, take advantage of all the resources out there. Another wonderful resource is the Workgroup for Electronic Data Interchange or WEDI; they have a number of white papers available on a whole host of privacy and security topics. Again, leveraging these types of resources will cut down on the cost and increase your ability to come into compliance with the regulations.

Addressing Privacy

ANDERSON: What other advice would you offer to clinics installing their first EHR systems about how to ensure the privacy of patient information?

TENNANT: Well, I think good advice is always to take this type of challenge seriously. A lot of practices were pretty vigilant about creating privacy notices and making sure that the privacy of the data was maintained, but they took a somewhat more cavalier approach to doing a risk analysis, mainly because this is very foreign to most practice administrators.

Most are not experts in the field of encryption and user authentication and those types of technical details. ... There are a lot of low-cost software packages that will help encrypt and protect the data electronically. ... It is not just the practice administrator that needs to take these things seriously; the clinical and administrative staff need to as well.

We are going to see, with the release of the forthcoming final version of the federal breach notification rule, that there are some potentially serious ramifications to a security breach in a practice. The time has come to take security much more seriously and, of course, to leverage all available resources to make the practice as safe as possible.
