Getting your IT house in order
The explosion of data that needs to be collected, stored and analyzed requires greater scrutiny of the security of that information along the continuum of care. As cardiology practices and departments align their cardiovascular information systems (CVIS) and cardiology PACS (C-PACS) with greater accessibility throughout the enterprise, they will need to work with IT and other specialties to guarantee the security of their patient information.

Recently, the Health Information and Management Systems Society (HIMSS) and the Medical Group Management Association (MGMA) unveiled their Privacy & Security Toolkit for Small Provider Organizations.

The toolkit specifically targets clinicians, practice managers and others who are part of a small provider organization. Even better, the toolkit is an online, interactive resource. Users can contribute to the toolkit by sharing privacy and security tools they have found valuable, as well as ideas for new content or feedback.

The toolkit is divided into several sections, including:
  • CMS Meaningful Use - Stage 1, Privacy and Security;
  • ARRA/HITECH - New Privacy and Security Requirements;
  • HIPAA;
  • Guidance and Resources;
  • Research/Data; and
  • Information for Executives/Key Decision Makers.

As more cardiology professionals strive to meet meaningful use, HIMSS and MGMA say that these professionals are "required to protect the confidentiality, integrity, and availability of all electronic protected health information held, transmitted or received."

Implementing EHRs and e-prescribing, for example, creates new risks to patient data and therefore requires a re-evaluation of privacy and security efforts.

Fines for not complying with HIPAA privacy laws can range from "$100 to $50,000 per violation up to an annual maximum of $1.5 million, depending on the organization's lack of reasonable diligence and the nature of harm resulting from the violation," according to the two organizations.

Criminal penalties are also possible for HIPAA violations, including fines and one to 10 years of imprisonment, depending on the intent behind the misuse.

HIMSS and MGMA stress that information security can no longer be viewed as an afterthought or just a compliance requirement. "Many of the required activities in a security management program, such as documenting policies and procedures, are the same steps that are essential to a quality improvement initiative," they say.

Particularly for small provider organizations that may not have the resources of much larger providers, it would be wise to peruse the toolkit, if for no other reason than to ensure you haven't missed anything on the road to total electronic data transmission and storage.

"Our toolkit is truly a roadmap for smaller practices and clinics, as well as medical practices of any size that just need basic information on how to navigate the complex privacy and security laws and understand the security components to meet meaningful use that is part of the EHR incentive program," says Lisa A. Gallagher, senior director of privacy and security at HIMSS, based in Chicago.

Check back with us and share your experience with this toolkit with our readers.

Chris Kaiser
Cardiovascular Business