Oct 18, 2011

Developing and Implementing System-Wide Policies

This is the fourth article in a five-part series designed to spur you toward privacy and security policies that will help your organization achieve HIPAA compliance. So far, we've covered risk assessment, Trojans, and coordinating information across departments. In this article, we discuss the important step of crafting and implementing policies system wide.

When discussing policies related to HIPAA compliance, they must be system wide, not department specific. Just as we discussed collaboration among decision-makers in our last article, policy development and implementation must also be a joint effort across many hospital departments. Physical therapy is different from radiology, which is different from cardiology, which is different from obstetrics, and so on.

Take, for example, the hospital lab. Only those conducting the tests are in the clinical lab. In the radiology department, however, there is a steady stream of patients in and out of the diagnostic area. In the lab, there is virtually no chance of a patient seeing another patient's private information. In radiology, it's a different story. So what might work as a privacy policy for lab may not work for radiology.

Together with other hospital departments, write a blanket, hospital-wide policy that meets everyone's needs, but note - you can include exceptions. Consider exceptions an extra level of protection for your hospital with regard to HIPAA compliance. For example, you may write a policy that states, "All computer screens with patient information displayed will not be viewable by the general public." In the lab, this works just fine. But what about in radiology? Who is the general public? Does it include a patient that came into the diagnostic area for a specific test, or a patient who happens to walk past the room? To address these concerns, you may write an exception that would specify that the patient not be brought into the room until their unique information is up on the screen, or perhaps you may add a "screen block" that would make the computer screen not viewable from the patient's vantage point.

Or consider this example: Let's say your hospital policy states that every user must log into a computer or medical device with a unique user name and password. But you have an older-model X-ray machine that only allows two different user names and passwords. You can write an exception stating that the device is known not to comply with the hospital policy and will be maintained in a secure area, used only by the radiologist assigned that day - and never left unattended in public areas.

When crafting hospital security and privacy policies, it's important to distinguish "addressable" from "required" specifications in the HIPAA Security Rule: required specifications are mandatory implementations, while addressable specifications call for an appropriate assessment and safeguards. Addressable, however, does not mean "ignorable." It means the specification must be evaluated for application in your hospital, and it may be determined not to be necessary to reduce your risk. You have probably heard a lot about encryption lately, and some think it's the silver bullet to preventing breaches. Encryption is an addressable standard, meaning each hospital should address its applicability to them, taking into account factors like size, possibility of a breach and the value of risk associated with a breach. Then decide whether it should be addressed by your hospital.

A note on encryption: It will not necessarily reduce your risk of a privacy breach, nor will it protect you from HIPAA violations. Encrypted data is unlocked with a password. And where do many people keep their passwords? On a post-it note, taped to their computer screen! So if you leave your laptop in the car one evening after work and it's stolen with the password taped to the screen, that's a clear breach.

You may also have heard of different levels of encryption: 256-bit vs. 128-bit vs. 64-bit (the higher the number, the harder it is to break the code). Some hospitals write 256-bit encryption into their privacy policies when the HIPAA statutes may require far less. In other words, don't impose impossibly strict self-regulation when your privacy policies are adequate at a lower level. If there is a privacy breach, HIPAA officials may judge your institution based on your own policies if they're stricter than federal regulations require.

Finally, remember this: The only thing worse than having no policy is having a policy you don't follow.

In our final article in this series, we'll cover purchasing IT and medical equipment as it relates to being HIPAA compliant.

Earl Reber is executive director, eProtex.
