At nine-hospital MedStar Health serving the Washington, D.C. region, posters touting its commitment to health information privacy and security, with the trademarked theme “Promoting Trust by Protecting Privacy,” are prominent in hospital publications and throughout facilities, including elevators. Other posters are for educational purposes. One promoting strong passwords shows a teenage boy standing in front of his birthday cake with the message, “My birthday is extra special, it can open my mom’s email.”

The posters are part of a commitment to bolster privacy and security that started in 2006. At that point, MedStar’s budget, technical and cultural support for information protection was fading with the realization that government enforcement of the HIPAA privacy and security rules was not going to be what was anticipated, says Alexander Eremia, vice president, deputy general counsel and chief privacy officer. He spoke at the Safeguarding Health Information conference that the Department of Health and Human Services’ Office for Civil Rights and the National Institute of Standards and Technology are hosting in Washington.

The effort to change the culture, rebuild compliance programs and “bake” compliance into organizational initiatives really got the attention and support of senior executives following a couple of breach incidents. In addition to posters, MedStar’s privacy/security awareness program includes an annual “Privacy and Security Week” campaign with a number of activities and retraining, an annual roundtable seminar on protecting information, and periodically setting up “lunch and learn” tables in facilities with games and food. For instance, you get a cookie if you know the name of the chief privacy officer or how many “p’s” are in HIPAA. MedStar also distributes educational brochures through corporate e-mail, including reminders on the policy to only use encrypted flash drives.

At MedStar, all electronic protected health information at rest on laptops is encrypted, Eremia says. All desktops are not encrypted but users are encouraged to use network servers and not store data locally. Users have the ability to encrypt data being transmitted and part of the education campaign is to bring home the message of when and how to do that. The delivery system’s policy is to encrypt all data sent outside the corporate firewall.

Encryption is a major investment, Eremia acknowledges. MedStar has encrypted more than 1,500 laptops and it was a month-long process to hunt them down. The organization now is testing technology to prohibit plugging in unencrypted thumb drives.

Costs for encryption have come down in recent years and acceptance is rising, he notes. “I certainly think it’s something every health care organization should consider and assess against competing priorities.”

--Joseph Goedert


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access