Medical data security increasing concern for ACOs

By Mark Terry

As more providers adopt accountable care models--and take on the responsibility of facilitating medical data exchange--healthcare leaders are under increasing pressure to protect personal health information (PHI).

In fact, two-thirds of healthcare organizations that belong to an ACO believe privacy and security risks have increased, according to a recent Ponemon Institute study.

MHMD Memorial Hermann Physician Network, an ACO in Houston affiliated with the Memorial Hermann health system, has developed a provider agreement with its physicians that emphasizes HIPAA-compliant data sharing and assesses security risk for physicians, according to an iHealthBeat article.

"We run security audits for them so they can qualify for those incentives," Shawn Griffin, chief quality and informatics officer for the ACO, told the publication.

Sharp HealthCare, a San Diego-based health system that participates in both Medicare and commercial ACOs, exchanges encryption keys with the new entities, in addition to other tactics, including role-based access control to maintain restrictions on employee data access, according to the article.

Seattle Children's Hospital is also tackling data security, with an emphasis on mobile devices, HealthITSecurity reports.

"We measure [risk] constantly," Cris Ewell, the hospital's chief information security officer, told the publication. "I look at risk in expanded areas, so I'm measuring things like attack vector, the maturity and target potential of the information security itself and all the assets."

The organization is balancing the need to comply with HIPAA and HITECH and protect patients' PHI against the important job of improving patient-provider communication, Ewell says in the article. The more layers of PHI, the more users and the more organizations involved, the more complicated that becomes.

"We have to run through the different technologies and consent scenarios to determine what will work, as some scenarios may not work enterprise-wide but will work for a select group," he said.

To learn more:
- read the Ponemon survey
- here's the iHealthBeat article
- read the HealthITSecurity article