For healthcare providers looking to ensure the security of electronic patient information, it's just as important to solidify employee knowledge as it is to encrypt data and implement improved IT solutions, said Lee Kim, an attorney with Pittsburgh-based firm Tucker Arensberg who also serves as chair of the mHIMSS Legal/Policy Taskforce.
Speaking at the Government Health IT Conference & Exhibition last week in Washington, D.C., Kim, who was joined by Deborah Hiser, a partner at Austin, Texas-based law firm Brown McCarroll, said that providers must educate employees about why such security is important, in addition to explaining the how-tos.
"Secure the human," Kim said. "Breaches often are the result of things that we as humans do. You should guard your information systems as if you were going home and locking your own door."
Lee Kim also said that providers should frequently conduct gap analyses to see where deficiencies may lie in their security efforts.
"Think of the middleware interfaces in between medical devices," Kim said. "A lot of the time, that's where weaknesses can be found."
Hiser, who represents health information exchanges throughout Texas, talked about the importance of maintaining risk assessments for providers.
"The Office for Civil Rights will find you if you don't continue to update your risk assessment," Hiser said. "You don't want to be in that situation, where you're subject to penalties and corrective actions. It's not fun."
She added that both covered entities and business associates, the latter of which are now subject to penalties for HIPAA violations, would be wise to restrict the rights of contractors to subcontract without prior approval, for liability reasons.
"If a subcontractor won't comply, it's a business decision whether to enter into an arrangement," Hiser said. "But you assume the risk."