What is on the holiday wish list for privacy and security officers?
A recent Ponemon Institute study on data security, it's more staff, more time, and more resources to protect patient privacy.
Of the 65 hospitals surveyed, most in the 100- to 600-bed range, 71% said they have inadequate resources to prevent and quickly detect patient data loss. We caught up with some privacy and security officers ourselves to see what they're hoping for this holiday season:
1. No breaches. "[I want] to have no breach incidents so I don't have to face an OCR audit," says Dena Boggan, CPC, CMC, CCP, HIPAA privacy/security officer at St. Dominic Jackson Memorial Hospital in Jackson, MS.
Too bad wishes aren't retroactive. 2010 saw a few data breach whoppers. In September, Lucile Salter Packard Children's Hospital at Stanford University was fined $250,000 by California health officials for failing to report within five days a breach of 532 patient medical records in connection with the apparent theft of a hospital computer by an employee.
In October, a computer flash drive containing the names, addresses, and personal health information of 280,000 people is missing - one of the largest recent security breaches of personal health data in the nation.
And in November the Connecticut Insurance Commission announced a settlement with Health Net in which the insurer agreed to pay the state $375,000 in penalties for failing to safeguard the personal information of its members from misuse by third parties.
2. More time. "I wish for more time to study the regulations in depth so that I am at my 'knowledgeable best' when discussing and training [on HIPAA issues],"says Boggan.
3. More staff. Boggan says she would like more staff, which she hopes would translate to fewer work hours. "An elf to help me magically finish all of my work in a goodly timeframe would be a Christmas miracle!" says Brandon Ho, CIPP, HIPAA compliance specialist for the Pacific Regional Medical Command based at Tripler Medical Center in Honolulu.
4. Employees who follow the HIPAA rules. Boggan says she wishes for employees to access only that information they need to do their jobs. "It's a no-brainer, but you'd be amazed at what hits the audit reports," she says. She hopes to never receive another e-mail notification stating that a user has triggered an exception in the hospital's auditing system.