Wednesday, August 26, 2009

Privacy & Breach Prevention Educational Seminar at Newport Beach

From GOCHIA Educational Session: HIPAA-HITECH

I attended a seminar on August 17, 2009 held by GOCHIA (Greater Orange County Health Information Association) about Privacy and Breach Prevention (Understanding the HIPAA-HITECH Requirements). The seminar was held in the conference room in the First Team Real Estates office in Newport Beach, California. Eric L. Nelson, CIPP from the Lyndon Group was the speaker. (I did some research about the Lyndon Group: this organization works with companies in the financial industry to assist them with accounting, financial reporting, mergers and acquisitions support, IT, governance, enterprise risk management, compliance, and financial management services.) Eric and I discussed the services that his organization offers, and he told me that working with the health information management industry is a recent collaboration for the Lyndon Group. I think that it is a recent collaboration because of the new HIPAA-HITECH requirements that healthcare organizations have to meet, and there is a need for protecting the privacy of medical records. It is going to require a team of people who specialize in privacy to make a healthcare organization successful in keeping patient information confidential.

Eric's PowerPoint presentation was geared toward planning and preparation for the new HIPAA-HITECH requirements. He began his presentation with background information regarding the rise in privacy breaches (both internal and external). There are a number of factors that contribute to these breaches: some employees tampering with PHI (Personal Health Information) for purposes other than for their work, external entities/hackers maliciously attacking healthcare computer systems, and third party outsourcers misusing PHI. It is disturbing to think that outsourced employees (such as medical transcriptionists overseas) can access patient information from the United States and can use it for purposes outside of productivity. According to Eric's presentation, there is about a 25% increase in security spending this year (2009) although 5% of privacy breaches derive from malicious attacks. About 95% of breaches come from people/policies/processes, and unfortunately security is not taking action on these data breach risks.

Eric then gave an overview of compliance requirements. HITECH is a new compliance requirement that has a broader coverage than that of HIPAA; it includes requirements for Business Associates, notification requirements, prohibition on selling PHI, mandatory audits, and ensuring that compliance is now required by law (not required by contract). In order to plan and prepare for successful privacy compliance, one has to understand that collection, access, and retention are how information flows. It is unfortunate that about 71% of participants who responded to the 2008 Global State of Information Security Study say that their organization does not have an accurate inventory of where PHI is located. One has to make a risk assessment of his/her organization's privacy compliance. An organization needs to identify administrative, technical, and physical safeguards. It then needs to review internal privacy and security policies. Also, it needs to review third party policies and requirements from contracts.

I admit that I came out of this seminar with new, updated information regarding privacy/HIPAA/HITECH compliance. My knowledge of this topic was limited to information I have obtained from my Health Information Management textbooks, HIPAA training sessions at Rancho, and articles from the "Journal of AHIMA" (American Health Information Management Association). I had read an article in the May 2009 issue about how the ARRA will invest in the privacy of PHI. The most recent issue (August 2009) pertains to how the state of California is adjusting to federal and state privacy legislation.

In addition to meeting Eric Nelson, I also met a few vendors who sponsored the seminar. I met Kalani Jones from B.A.C.T.E.S. (a company that specializes in ROI and RAC audits) and he assisted GOCHIA with the quarterly newsletter by showing them sample layouts and sample logos for the association. He also helped with the setup of the conference room. I came early just in case there was traffic on the drive to Newport Beach. I did as much as I could to help Susan McNally (President of GOCHIA) with setting up the conference room, helping the caterer set up the hors d'oeuvres, registering some attendees, and taking photographs for the newsletter. I met Maria Alizando, RHIT again along with Robert Caban, RHIT of Caban Resources as I registered their names at the table. Also, I met Lizbeth Felix, RHIA and Leslie Scarborough, RHIA from HOAG Hospital, which is not far from the location of the seminar (several miles north up along Pacific Coast Highway 1 and near the 55 Freeway). I had met with these professionals last May at the GOCHIA Member Recognition Dinner at the Knott's Berry Farm Chicken Dinner Restaurant in Buena Park, CA. I met with two other vendors: Teresa Bray from GRM and Donna Paine from Trackstar. Teresa Bray and I had a pleasant conversation about the use of her services in the Los Angeles area. I told her that I sometimes see the GRM vans in the Rancho/Downey area and wonder if Rancho uses it. I found out through Rancho's HIM Director that they do not use GRM. Perhaps GRM is used by another facility near Downey (Downey Community Hospital? Coast Plaza Hospital in Norwalk?), but I will have to do some more research to find out. GRM is based in Pico Rivera, which is not too far from Downey. Donna Paine from Trackstar informed me of their new RAC system and encouraged me to share her information with the ROI supervisor of my facility.

After the presentation, there was a short break where attendees could gather and share information. Also, it was a great opportunity to network with my fellow HIM students. I met four students from ITT Technical Institute (Anaheim campus). They helped with a majority of the registration and were more than happy to receive my business cards. They soon got the idea of making their own. They were a wonderful group of ladies and HIM-professionals-to-be. They will experience what I will be experiencing in my last year as an RHIT student. The GOCHIA Board Meeting was brief: we discussed plans to launch a GOCHIA Facebook page and the quarterly newsletter. Overall, I think the entire educational session was a success thanks to the collaboration of GOCHIA, the caterer, the students from ITT Tech and Cypress College, the vendors, and of course the speaker of the night.

This is the first of many seminars that I will document in this blog. Expect to see more blog posts of my seminar experiences in the near future.

2 comments:

  1. April, great post and a very comprehensive summary!

    As mentioned during the presentation, the final HITECH breach rules were pending issuance by the Department of Health and Human Services. The updated rules were issued on August 17, 2009 and can be found at http://www.ftc.gov/os/2009/08/R911002hbn.pdf.

    Eric Nelson
    Practice Leader - Privacy and Information Security
    Lyndon Group
    Eric.Nelson@Lyndon-Group.com

  2. Wow, thank you, Eric for your positive feedback! I appreciate you taking the time to read this blog entry. I have a small journal that I use for taking notes when I go to seminars and networking functions, so I basically wrote down my perspective of your presentation and typed it in my blog. The purpose of my career blog is to keep my professional contacts (such as yourself) updated on my endeavors as a Health Information Management-professional-in-the-making.

    Also, thank you for sending me the link to the final HITECH breach rules (Federal Register). I am saving it on my USB flash drive and will reference it.

    April Daquioag, CCS
    april.daquioag@yahoo.com
