Addressing Privacy and Security
Risks in Today’s Healthcare
By Ann Meehan, RHIA
Information is a healthcare organization’s most strategic asset and requires enterprise-wide management to ensure that it is protected and secured in the most compliant way—for patient care and other business purposes. More than ever, healthcare organizations face growing challenges in managing information due to the ever-growing volume of information, evolving regulatory requirements, and increasing risks associated with security threats.
A recent survey of 100 healthcare compliance leaders by Iron Mountain resulted in insights that health information management (HIM) professionals can leverage to better prepare their organizations to address privacy and security risks in this challenging ecosystem.
The key goals of the study were to:
1. Identify compliance leaders’ most pressing priorities over the next three to five years.
2. Review industry trends hindering progress.
3. Explore how information governance (IG) can help advance identified priorities and improve privacy and security enterprise-wide.
4. Assess the current state of IG across three high-impact areas that are indicative of an organization’s risk profile and IG program maturity. These areas include:
Information Inventory and Integrity
Retention Policy Management and Defensible Disposition
Privacy and Security
5. Explore best practices that can help compliance leaders address common gaps to advance IG, support strategic priorities, and enable enterprise-wide compliance.
Interviews were conducted from December 2017 through February 2018 and included hospital compliance and privacy leaders across a range of bed sizes (see Table 1 on page 33). Survey results were published in a white paper.¹
Healthcare Compliance: Goals and Priorities
When asked what their top three compliance priorities are, respondents indicated:
1. Standardize policies and processes governing the management, use, security, and release of protected health information (PHI) across the organization and/or newly acquired/recently merged facilities (75 percent)
2. Employee compliance training and education (62 percent)
3. Enable HIPAA compliance and prepare for OCR audits (41
Interestingly, these three priorities are very much interconnected. The need to standardize is at the heart of ensuring consistency in how information is managed and secured. Without a standardized approach, it would be virtually impossible to effectively manage hardcopy records and electronic records and information in today’s complex, ever-changing healthcare ecosystem. Without workforce training and education, a standardized approach is not possible. Additionally, lack of employee awareness or adoption of standardized processes inhibits an organization’s ability to be compliant and meet audit requirements.
Barriers to Success
Survey respondents were also asked to identify the biggest barriers to success. The top barrier at 33 percent was accelerat-