HIPAA compliance officers explain hurdles, data security successes
@9417
@9417
Jeff Jenkins tried hard to stamp HIPAA security into the culture of Georgia's Department of Human Resources, which oversees public health. But one big obstacle stood in the information security officer's way: upper management.
Jenkins said the lack of resources and management support for employee training was a big brick wall that was no longer worth climbing. So he left for a job as security governance and compliance manager for Atlanta-based S1 Corp.
"You want to work where you can be effective in as short a time as possible," he said. "In government, that's very hard. When you don't have management buy-in, you can't enforce the policies needed to change how people approach their daily tasks in a way that's more security- and HIPAA-minded."
Pete Stagman has had the opposite experience as information technology manager for Dedham, Mass.-based Boston Home Infusion, which provides healthcare services to roughly 13,000 homebound patients in New England.
"Upper management understands it needs to get done," Stagman said. "They were clinicians, not moneymen. I tell them we need something and what it'll cost. They shake their heads and say 'OK, we need it.'"
HIPAA data security rules
HIPAA rules force health insurers to secure sensitive data: HIPAA is forcing a majority of health insurance companies ensure the security of sensitive data.
HIPAA security rules broken down: The HIPAA security requirements have been described by the Department of Health and Human Services, ArticSoft, HIPAAacademy.net and the Centers for Medicare & Medicaid Services (CMS).
HIPAA security rules essential to protect data, say experts. The HIPAA security rules force healthcare firms to protect sensitive healthcare information. The security rules could guard against identity theft and data security breaches, say IT pros and industry experts.
HIPAA security rules apply to firms with healthcare plans.Companies that offer healthcare plans are affected by the HIPAA security rules.
HIPAA security rules set hurdles for struggling hospitals: Struggling hospitals hand HIPAA responsibility to the IT department, which can cause problems, say experts.
The experiences of Jenkins and Stagman show how HIPAA security officers can have a real impact with upper management's full support, or be doomed from the start without it.
Jenkins said one big problem was upper management's perception of what security entails. "There was more support for the privacy side of HIPAA because it was seen as more of a legal, training and human resources matter and that's where you tend to see more urgency," Jenkins said. "Security is perceived as more of a technical aspect and there isn't as much urgency."
In his new role at S1, Jenkins deals with the financial sector, which has its own set of compliance challenges under laws like Sarbanes-Oxley. Having worked on the health care side, the government side and now the financial side, he said it's easier to understand the big picture.
"If you look at HIPAA by itself, it's more about meeting a compliance deadline," he said. "But if you stack it against other laws like Sarbanes-Oxley, you see this as a paradigm shift in technology. It's not about meeting deadlines. It's about meeting the security threats of the information age and better managing technology in the post-boom era."
Pete Stagman
Stagman has been fortunate because his bosses seem to understand that. That's not to say his job is a piece of cake.
"This started as a three-man shop and now there are 50 people on the network -- 65 employees in all, spread between here and offices in New Bedford and Springfield [both in Massachusetts]," he said. "Many aren't used to the passwords and the timeouts."
Adding to the challenge is that the organization is essentially a small hospital in which the doctors and nurses are set up in the patients' locations.
"We have liaisons in a hospital -- employees who stay at various hospitals -- and when a patient is released, a doctor or nurse will talk to the liaison who in turn gets all the patients' paperwork to us," Stagman said.
"Let's say one of our drivers shows up at a patient's house with a bag of medication and equipment," he added. "The driver has the paperwork that the patient must sign to receive those items. In some case the patient will take the package and close the door without signing. Now we don't have a signed document from the patient. That's a problem because we can't charge them without it."
So they have to adopt the approach of your average fast-food drive through and "get the cash before you give them the food," he said. "We have to really beat it into the drivers' heads that we need that signed paperwork."
Stagman said another challenge is that the organization's software is "very role-based." Drivers can't access patient records, and if someone in the warehouse needs that information to put an order together, they'll go to someone who does have access.
"That person might be very busy, and so they'll give the unauthorized person the password," Stagman said. "Before HIPAA that wasn't a big deal. Now it is. So in a sense HIPAA has helped us bring that kind of problem under control. In the end, HIPAA has made my life easier because it has forced upper management to think harder on security."
Of course, he added, his life is also easier because the management was willing to think harder in the first place.
