The Security Scrutinizer with Howard Anderson

EHR Incentive Winners: Lessons Learned

Updated Risk Assessments, Continual Training Are Key

Texas Health Resources, which already has earned almost $20 million from the HITECH Act's EHR incentive program for 11 of its hospitals, conducts quarterly as well as annual risk assessments for all its applications, said Ron Mehring, director of information security. So it was easy for the large provider organization to meet the only explicit security-related requirement in the meaningful use criteria for stage one of the federal EHR incentive program: Conduct a risk analysis and take action to mitigate any risks identified.

If a hospital or a clinic "understands the risks involved in handling healthcare information and develops a program to manage that risk," meeting the EHR incentive program's risk analysis requirement will be a snap, Mehring said.

Similarly, Fallon Clinic in Massachusetts has been conducting frequent risk assessments for years to comply with HIPAA as well as tough state regulations, so it simply documented its actions for the incentive program, said Paul Nichols, director of IT infrastructure. So far, the clinic has received $400,000 worth of incentive payments; it expects to eventually earn $10 million (see: EHR Incentive Winner Tackles Security).

In addition to conducting internal risk assessments, the clinic annually hires a consulting firm to conduct reviews. "We actually use different vendors each time," Nichols said. That way, the clinic can benefit from the different skill sets and perspectives of the outside experts, he explained.

Importance of Training

Executives at Texas Health Resources and Fallon Clinic also emphasized the need for extensive staff training on privacy and security issues. "We have a robust training program that's role-based across the enterprise," said Texas Health Resources' Mehring.

At Fallon Clinic, trainers recently visited every site to review state and HIPAA regulations and explain the clinic's policies. The face-to-face training helps "build a rapport so that they're comfortable calling us with questions," said Cyndy Hatch, manager of IT security.

The idea behind the training, Nichols said, is "to help staff understand what we're doing" so they don't just perceive security as "getting in the way of them doing business."

So if your organization is considering expanding its use of EHRs and hoping to earn federal incentive dollars, take two lessons from these EHR trailblazers. Update your risk assessments regularly, not just once for the incentive program. And continually train your staff on how to comply with your privacy and security policies.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
