Yet, we know that security risks have proliferated, and small hospitals are at risk, even while resources to combat those risks are thin. It's a conundrum—the lack of dedicated resources and technology is the primary constraint on auditing and monitoring system and user activity. But underinvestment in security and resources results in an unacceptable risk tolerance.
We have an obligation and responsibility to maintain the safety and security of every patient every day. Beyond regulations, the integrity of our staff and our data has an effect on patient confidence in their care. We are not willing to compromise on our passion for patient safety and patient care; therefore, we need to handle their information with that same passion.
Here are some other challenges that are especially difficult for those monitoring HIPAA at rural organizations:
It's crucial to manage business associates and covered entities. As the data owner, our facility must have satisfactory assurance that business associates will safeguard information appropriately. Managing different agreements and ensuring they meet our standards takes time away from our day jobs.
Just having a completed agreement with our business associates doesn't mean the mission is accomplished. We run risk assessments, some of which find issues, and that can be sticky. For example, a recent assessment found a data protection gap at one of our vendors, and after discussion, it had to purchase software to improve security. A healthcare organization's security is only as strong as its weakest link, so it's important to be vigilant, both inside and outside your walls.
Casual record “snooping” can be a problem everywhere, but it's especially a challenge in rural environments. Small communities often experience big dollops of gossip, and it's difficult but necessary to fiercely defend protected health information. Snooping is rarely malicious but arises out of sheer curiosity; given the culture of small towns and rural facilities, we have our work cut out for us.
Identifying snoopers vs. those employees who are just doing their jobs is challenging. Giving employees access to records so they can do their jobs often gives them access to records for just about everyone in town. Discovering inappropriate access takes a lot of auditing and monitoring, and some traditional approaches don't work. Standard methodologies that match on a fixed set of variables tend to surface fewer true incidents of inappropriate access. Smaller facilities often lack the appropriate tools to assist in monitoring inappropriate access to protected health information because of the cost, and the shortage of tools drives up the risk.
Because of the small “sample” size, de-identified information submitted for syndromic surveillance by a small rural facility presents unique challenges. If you look at a patient population in a rural environment and narrow it to males from a certain ZIP code who are 75 years old, the pool is small enough that, if the wrong people are able to access the data transmitted to the state, they may be able to identify the patient.
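As an added example (not part of the original article), the following k-anonymity check runs over a constructed set of de-identified syndromic surveillance records: it counts how many records share each (sex, ZIP, age) combination, flags combinations smaller than a chosen k, and shows how generalizing age to a 10-year band and ZIP to its 3-digit prefix, then suppressing any class that is still too small, removes the single-person pools described above. All records, ZIP codes and the threshold k are constructed values, not real patients or this hospital's data.

```python
from collections import Counter

# Constructed sample of de-identified surveillance records (hypothetical values).
# Even with names removed, (sex, zip, age) is a quasi-identifier.
RECORDS = [
    {"sex": "M", "zip": "69337", "age": 75, "syndrome": "ILI"},
    {"sex": "F", "zip": "69337", "age": 34, "syndrome": "GI"},
    {"sex": "F", "zip": "69337", "age": 36, "syndrome": "ILI"},
    {"sex": "M", "zip": "69337", "age": 41, "syndrome": "ILI"},
    {"sex": "M", "zip": "69337", "age": 43, "syndrome": "GI"},
    {"sex": "M", "zip": "69339", "age": 44, "syndrome": "ILI"},
    {"sex": "F", "zip": "69339", "age": 33, "syndrome": "GI"},
    {"sex": "M", "zip": "69339", "age": 77, "syndrome": "ILI"},
]


def raw_key(r):
    """Quasi-identifier tuple exactly as submitted."""
    return (r["sex"], r["zip"], r["age"])


def generalized_key(r):
    """Coarsened quasi-identifier: 3-digit ZIP prefix and 10-year age band."""
    return (r["sex"], r["zip"][:3], (r["age"] // 10) * 10)


def class_sizes(records, key):
    """Number of records in each equivalence class under the given key."""
    return Counter(key(r) for r in records)


def small_classes(records, key, k):
    """Classes with fewer than k members: each is a re-identification risk."""
    return {cls: n for cls, n in class_sizes(records, key).items() if n < k}


def is_k_anonymous(records, key, k):
    return not small_classes(records, key, k)


def release_set(records, k):
    """Generalize, then suppress rows whose class is still smaller than k."""
    sizes = class_sizes(records, generalized_key)
    out = []
    for r in records:
        sex, zip3, band = generalized_key(r)
        if sizes[(sex, zip3, band)] >= k:
            out.append({"sex": sex, "zip": zip3 + "**",
                        "age_band": f"{band}-{band + 9}", "syndrome": r["syndrome"]})
    return out


if __name__ == "__main__":
    print("raw classes below k=2:", small_classes(RECORDS, raw_key, 2))
    print("generalized set, k=3:", release_set(RECORDS, 3))
```

With the raw key every record is its own class (the 75-year-old male in 69337 is unique), whereas after generalization the set is 2-anonymous, and at k=3 the two men in their seventies are suppressed rather than released.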
Small facilities need to move from reactive monitoring practice to an efficient and proactive security program to reduce both risk and cost. A proactive approach involves communication and training, and also identifying, documenting and mitigating data security risks.
For me, HIPAA is an ongoing, time-consuming job. I have to enforce compliance with strong policies and procedures that I must review on a regular basis. It is an intricate dance—privacy and security go hand-in-hand, and one is not effective without the other. Being vigilant, and developing consistent risk-management actions, enables me to stay on top of things.
Managing these challenges well can help reduce the pressure on the person trying to juggle those many jobs at a rural facility. Staying vigilant on HIPAA compliance is really the only way to keep the task manageable and enable increased productivity in that “day job.”
Anna Turman is chief operating officer and chief information officer at Chadron (Neb.) Community Hospital and Health Services.