
In the wake of ICD-10, agencies should take several steps to improve data security

Agencies preparing for ICD-10 should reexamine their data security policies — and make sure to address those policies with staff. Doing so could help agencies prevent a significant and costly data breach, or at least lessen chances that one will occur.
The need to examine policies comes partly due to many employees’ unfamiliarity with the code set, says attorney Paul Hirsch of Pearson & Bernard, in Edgewood, Ky.
Consider a scenario where, despite receiving training, one coder who fully understands ICD-9 doesn’t yet quite understand what to input into an electronic health record (EHR) system for ICD-10.
If the coder uses her personal cell phone to shoot a photo of protected health information (PHI) on her work screen and then texts it to a coworker to check her work, she would potentially violate HIPAA and create a breach.
Even a small breach could result in civil monetary penalties of $25,000 per incident, says attorney Tatiana Melnik, health care and technology attorney at Melnik Legal in Tampa, Fla.

What to ask of vendors about security
One question Hirsch suggests asking of EHR vendors: Does the software automatically lock the screen and hide PHI/sensitive data after a period of inactivity?
If it doesn’t, agencies hopefully will have policies and procedures requiring that mobile devices go into screensaver mode when left unattended, Hirsch says. Policies also should say that access to secure information systems requires usernames and passwords, Hirsch says.
Melnik also advises agencies to ask vendors about cyberliability insurance.
That kind of insurance would cover things such as forensic investigation and identity theft protection, Melnik says.
In the event that a vendor gets hacked, many providers’ information — not just yours — might get stolen. If that happens, Melnik says, without insurance the vendor might not be able to survive financially.
Other steps to address data security
