Today, keeping patients’ Protected Health Information (PHI) secure is top-of-mind for every hospital and healthcare provider. Not only must PHI be safe from curious cyber crooks and natural disasters such as Hurricane Sandy, but also hospitals must keep it protected as they navigate government mandates like the HIPPA, HITECH and Affordable Care Acts, including their rules and regulations.
Health systems strive to achieve the compliant, secure and efficient exchange of PHI to reduce their liability for violations of federal privacy rules, such as HIPAA regulations. Not only does the proper management of PHI disclosure minimize liability and financial risk to the healthcare organization, but also it leaves patients more satisfied because they recognize that the health system protects their most sensitive information.
Hospital and healthcare providers benefit from added security when they partner with healthcare IT service providers to employ the latest technology to monitor and safeguard the sensitive information. With the ACA, many IT service providers are using these same protective shields for data as they steer their healthcare clients through its requirements and changes. Among other tactics, IT service providers are tapping cloud, disaster recovery and other protective IT services to help secure this data.
Consider what one IT service provider to the healthcare industry is doing, specifically.
MRO Corporation, headquartered in King of Prussia, Pa., provides PHI disclosure management services, including release-of-information, audit compliance and tracking, and accounting of disclosures for healthcare providers. Through its technology, it ensures the secure, compliant and efficient exchange of protected health information between healthcare providers and entities requesting the data.
In addition to its disclosure management services, MRO also provides Meaningful-Use-certified solutions that support client attestation and health information exchange.
The government’s “Meaningful Use” electronic health records incentive program includes both a core set and a menu set of objectives specific to eligible professionals or hospitals and critical-access hospitals. In Stage 1, there are 24 Meaningful Use objectives for eligible professionals, and to qualify for an incentive payment requires meeting 19 of the objectives. Eligible hospitals and critical-access hospitals must meet 18 of 23 meaningful use objectives.
Image via Shutterstock
Successful attestation of Meaningful Use Stage 1 was one of the goals that The Chester County Hospital in West Chester, Pa., strived to meet when they created a unified and centralized PHI disclosure process across the healthcare enterprise. The hospital met Stage 1 objectives for providing patients with electronic copies of health information with its inpatient electronic health record that had MRO’s patient portal, MROGateway, attached to it. Software from MRO automatically sent discharge summaries into the portal for easy, secure access by patients.
MROGateway is MRO’s platform through which healthcare providers offer a secure online portal for patients to view, download and transmit discharge instructions, referral information and other health information. The portal integrates with a variety of electronic medical records systems and software platforms used for managing disclosure of protected health information. It can be custom-tailored so that the features, functionality and design meet each health provider’s needs.
Besides providing data protection, The Chester County Hospital reduced turnaround time for providing patients with their records to just two days from 10-14 days before the centralization, meeting the requirements established in Stage 1 Meaningful Use.
Moving into Stage 2, the Meaningful Use requirements have shifted from providing electronic copies of health information to enabling clients to view, download and transmit their health information to a third party. Stage 2 focuses on patient engagement and is expected to drive the mass adoption of Direct Secure Messaging – a standards-based, secure email for healthcare organizations provided through a Health Information Service Provider (HISP).
MRO offers such services as a HISP, and relies on business continuity and data recovery IT vendor SunGard Availability Services to protect its HISP technology used in exchanging sensitive client information. That security is absolutely critical.
A key provision for achieving Stage 2 of Meaningful Use requires an organization to be able to exchange electronic health information among doctors, hospitals, clinical and other providers. This can be achieved through the use of Direct Secure Messaging, and is meant to improve patient-care coordination and quality; it’s also driving more healthcare organizations to join health information exchanges.
But data-sharing is difficult, reflecting the voluminous and heterogeneous nature of medical data and the fact that it is stored in proprietary formats. This, of course, raises concerns about data security and privacy.
With the emergence of health-related programs that continue to evolve like the HITECH Act, Affordable Care Act and others, hospitals and other healthcare providers should partner or seek counsel from a vendor that has the depth and breadth of knowledge of healthcare privacy law and also understands the critical importance of protecting patient and other health records.
Anthony Murray is director of technical operations at MRO Corporation. In his role, Murray oversees the organization’s technical operations so that the service-level expectations of MRO clients are met. He is responsible for ensuring the IT infrastructure is fully operational, secure and constantly monitored for potential external and internal threats. Murray also serves as the company’s Information Systems Security Officer (ISSO) through which he provides a single source for Direct Secure Messaging (DSM) security objectives; provides maintenance and management of MRO and client certificates and anchors; and develops and enforces policies and procedures around DSM to comply with MRO’s security policies.
Edited by
Alisen Downey
