[BreachExchange] The Role of HIM Professionals in HIPAA Compliance

Audrey McNeil audrey at riskbasedsecurity.com
Thu Sep 22 20:03:36 EDT 2016


http://healthitsecurity.com/news/the-role-of-him-professionals-in-hipaa-compliance


Individuals in the health information management (HIM) field play a
critical role in covered entities’ approaches to data security, especially
HIPAA compliance.

HIM professionals are often “acquiring, analyzing, and protecting digital
and traditional medical information vital to providing quality patient
care,” according to The American Health Information Management Association
(AHIMA). Furthermore, HIM professionals need to understand an
organization’s workflow, and how the latest applications will potentially
come into play.

HIPAA rules require that organizations have a privacy officer or a security
officer, and HIM professionals tend to be an organization’s privacy
officer, said Angela Rose, a director of HIM Practice Excellence at AHIMA.

“They'll be responsible for implementing the whole program, like policy and
procedures: writing them, the training of staff, just making sure that the
laws and the requirements are met as a whole,” she told
HealthITSecurity.com.

Rose added that she has been at AHIMA for nine and a half years, and that
it’s exciting times right now in the healthcare industry, in terms of
privacy and security.

“Whether it’s speaking, or an article, books we create related to privacy
and security, meetings we have, I’m usually a part of the planning in some
way, shape, or form,” she said.

Today there are some HIM professionals that are IT security officers, but
that role will typically still be in an IT department. However, it’s
essential that the security officer and the privacy officer – especially in
today’s environment – are basically married. You cannot have one without
the other in the current healthcare environment and they must work
together, Rose stressed.

The right HIPAA compliance training for each organization

Each covered entity and business associate is different, so every
organization will need to implement HIPAA regulations differently, Rose
pointed out.

“HIPAA mandates training, so whether it’s a PowerPoint presentation where
you’re actually listening to somebody speak, or an online course, it may
vary,” she said.

A lot of organizations today will use their intranet, which may host a
presentation followed by a quiz to ensure that staff members were paying
attention and listening.

There can also be various webinars given to employees. Overall, there are
many avenues through which HIPAA privacy and security training can be
given, and it’s essentially up to the organization as to how it wants to
deliver it.

Rose called back to the “marriage” that needs to exist between an
organization’s security officer and privacy officer, or even IT director.
Some HIM professionals are more technically oriented than others, but
historically, HIM professionals are the privacy people. In that regard,
it’s important to “be more techie,” Rose explained.

“We may not need to walk the walk, but we have to talk the talk,” she said.

For example, HIM professionals should understand what a firewall is: what
it does, what it needs to do. But they don’t necessarily need to be the
person who actually goes in and sets it up.

“That’s where you want to work with your IT counterpart,” Rose maintained.
“You can ask, ‘Okay, does this do A, B, C…how does this work?’ and you work
together to make sure that compliance is met and that your systems are
protected.”

Information security needs to be part of any healthcare organization’s
culture, Rose emphasized. It must come from the top down, and senior management
must be “on board 150 percent.” This will help show employees how important
privacy and security are, and that the company is serious about keeping data
secure.

“A lot of times I'll recommend working it into your employee evaluation,”
said Rose. “Asking things such as, ‘Did your employee have one or three
HIPAA privacy or security violations this year?’ That should affect their
evaluation, because if it's a part of your culture, and keeping your
information secure and the confidentiality of your patients is crucial and
significant to your organization, then your employees have to feel that too.

“There have to be repercussions and disciplinary action when those policies
and procedures aren't being followed or rules are broken, for lack of a
better word.”

Rose added that she doesn’t like to use the word “punishment,” but some
sort of disciplinary action should be used whether it’s a physician or a
janitor who violates privacy and security policies or procedures.

Ensuring that the privacy and security sides work together

In terms of building a privacy and security team, Rose noted that
healthcare organizations are likely looking for a few things. First, they
want to ensure that the individuals know what they’re doing: they
understand the laws, know what needs to be done, and know the best way that
the organization can get it done.

“This is important because Organization A is going to do it a different way
than Organization B,” Rose said. “Interpretation of the requirements and
the laws is also going to be a little different. Some of them are very cut
and clear, black and white. Some are very grey. They’re looking for competency,
experience, and trusting in that these teams – whoever they are – know what
they are doing.”

Finding the ideal balance between cybersecurity backgrounds and an IT
background will also help, she agreed. It will be like merging the techie
person with the person who knows all about the compliance side.

“It’s all about the writing of the policies and procedures, the training,
what the law says,” Rose stated. “Organizations also need to be able to say
to the IT person – who might not know exactly what the law says – ‘Hey,
this has to be done.’ That's why it's so important for those two to work
together. It's not just privacy or security anymore. It has to be privacy
and security, because privacy has to understand some of security, and
security has to understand some of privacy.”

Without those two working together, Rose said she’s not sure how an
organization can meet full compliance or be confident in its program.