QHN’s Privacy/Compliance Officer, Janet Terry, recently joined us to discuss best practices to keep health data safe and secure. Janet has worked at QHN since 2010 and has been the Privacy/Compliance Officer at QHN for the past 10 years.
Q: A host of recent news stories from around the country about security breaches brings up a critical question – what’s at stake with patient health information?
A: Understanding how we can best protect the privacy and security of the information entrusted to all of us starts with understanding what’s at stake. This patient health information, which for QHN represents the health records for over 1 million individuals in western Colorado and beyond, is critical, protected data. For me, the concept of protecting this information impacts all of us, our friends and families; the responsibility of it all is very sobering.
In addition to the 1 million patients in the QHN system, there are over 7,000 Users, and there have been more than 150 million messages collected into the system. All this information came from our participants as they care for their patients.
I point this out to highlight the responsibility QHN feels in keeping the information safe, but also to help understand that this is information for your patients, and QHN cannot keep it safe without your help.
Q: How can participants help safeguard patient data while making it available for exchange when that data is needed?
A: Our participants are critical to keeping patient data safe. Here are three straightforward ways any practice can help protect data:
- Keep QHN informed about changes in your organization – Let us know when a user leaves. By notifying QHN, we can delete user access and better ensure only those with up-to-date permission can access QHN. Adding notifying QHN to your organization’s exit/outboarding checklist is one way to make this happen. We are also putting in place additional access and active user reports that will better enable participants to see who at their organization currently has access.
- Let us know if you suspect someone has misused QHN – Part of my role is helping our participants when problems may have occurred, whether that’s non-approved access, viewing records of someone that’s not a patient, or other issues that arise. Our system tracks all keystrokes, so we can quickly and accurately assess whether inappropriate actions have occurred.
- Constantly remind everyone NOT to share their log-in credentials and passwords – This is bigger than QHN, but sharing log-in credentials remains one of the most significant security threats faced. While it may seem inconsequential, improper access to QHN through what may seem like simple password sharing is a violation of patient health information protections and often leads to significant penalties for providers, their staff, and the organization.
Following these tips will go a long way to keeping patient health information protected. Additionally, it’s important to stay vigilant. Threats continue to emerge, so following best practices grows more crucial.
Q: How have security and privacy evolved at QHN over its nearly 20 years of exchanging health information?
A: QHN was founded on trust. Providers across our network needed to trust we could safeguard their patients’ data before we could begin to exchange data to improve care coordination, reduce duplication, and the other benefits QHN brings.
But we continue to strengthen our approach. Last year, QHN’s HIE achieved certification. HITRUST’s Risk-based, 2-year (r2) Certified status demonstrates that QHN’s HIE has met key regulations and industry-defined requirements and is appropriately managing risk. This achievement places QHN in an elite group of organizations worldwide that have earned this certification. By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, the HITRUST Assurance Program helps organizations address security and data protection challenges through a comprehensive and flexible framework of prescriptive and scalable security controls. Learn more about QHN’s HIE achieving HITRUST certification here.
Q: Are there outside resources that provide additional help for participants and other organizations?
A: Fortunately, there are good sources of information to help medical practices and others with these challenges. The federal government’s HealthIT.gov provides excellent resources, including a HIPAA Security Risk Assessment tool that practices can use for free. A Security Risk Assessment helps identify potential vulnerabilities that can be addressed to improve security across systems. All providers, hospitals, etc. that store or transmit ePHI are required by the HIPAA Security Rule to perform a regularly scheduled Security Risk Assessment.
Here are some additional newsletters I recommend:
Working together, we can ensure safe, trusted exchange of patient data allowing providers to offer the best care possible.
~Janet Terry | QHN Privacy and Compliance Officer
To learn more about security and privacy best practices, watch this recent QHN Hot Topics webinar, and sign up for future updates from QHN.