By Greg Bengel, contributing writer
With the September 23 deadline for covered entities to reach compliance with the final HIPAA omnibus rule approaching, one expert talks about how providers can ensure data security
In a conversation with Health IT Security, Nancy Fennell, Director of the Regional Extension Center of New Hampshire (RECNH), discussed how providers can strengthen data security and avoid data privacy setbacks. RECNH is one of several federally funded centers across the nation that helps providers to meet meaningful use requirements and has focused on the HIPAA Security Rule and how providers can help ensure data security.
Last March, the final omnibus rule modifying HIPAA security, privacy and breach notification, and enforcement rules went into effect and all covered entities must reach compliance by the September 23 deadline. Health IT Outcomes previously reported that reaching compliance might be a challenge, and this HHS press release notes the changes imposed by the new omnibus rule were called “the most sweeping changes to the HIPPA Privacy and Security Rules since they were first implemented.”
“With the HIPAA omnibus rule coming into play, we’re helping organizations ensure they’re clear with their privacy guidelines and privacy practices,” Fennell says. Reading the interview on Health IT Security shows that, in Fennell’s eyes, a lot of data security and privacy problems encountered by providers are centered on human error that can easily be avoided.
When asked what security issues she has encountered in her work, Fennell mentioned that as patients become more technically savvy, they have tried to access provider computers within exam rooms. Here lies an example of a relatively simple human error problem that can be easily fixed. “We need to make sure providers are aware and staff members log off of their computers when they leave an exam room or take their laptops home with them when they leave,” she says. “Another [reminder] is not sharing passwords, which is a really big issue. Many staff members have a sticky note with their password under their keyboard. Fortunately, with the work that RECNH has been doing with the practices, we’ve helped to raise awareness and not having passwords readily accessible. That’s been a real improvement.”
What else should providers be doing? According to Fennell, providers need to make sure that their business associate agreements are up to date (advice that is echoed elsewhere, like here on smithlaw.com). Also, says Fennell, it is important to verify “that the IT professionals working for the practices really are professionals. If they’re a specialist, they need to be credible.”