ONC privacy officer talks culture, human error, ROI

BOSTON—HITECH ensures that providers have the technology to comply with HIPAA, and HIPAA offers an incentive for providers to include in other parts of their business outside of the EHR system, said Joy Pritts, JD, chief privacy officer at the Office of the National Coordinator for Health IT (ONC), during the second annual HIMSS Privacy & Security Forum.

Pritts said the ONC is helping providers comply with the regulations through regional extension centers. “They are our boots on the ground helping providers set up EHRs and provide assistance with privacy and security. They are extremely helpful in identifying areas where small providers need assistance. In all honesty, we learned the hard way that they are the people who need the most help.” The ONC was producing materials that were too technical for smaller providers. “We focused on common sense, baseline privacy and security materials that make people aware of what they need to do and then progress to more complicated concepts.”

Pritts said the biggest privacy and security stumbling block is “what I would call culture. We have heard over the years privacy and security often discussed as being a barrier. Privacy and security should not be seen as a barrier but things that are good for your business and good for your patients.” That message has to come from the top of the organization, she added. “If the whole organization has the attitude that we’re just doing this because we have to, you have a very different result than an organization that realizes this is good for us and our patients.”

Use common sense and take an approach of protecting information, not just filling out a checklist, Pritts said. ONC gets a lot of requests for checklists “because people think it will make it easier but it doesn’t necessarily protect their information.”

Solid privacy and security efforts can serve as a good return on investment for many organizations, she said. “Notification can be quite expensive but those are things you can pay for and it won’t hurt too much. But, you can’t repay your reputation with a check. When people don’t trust that an organization has the right security in place, it reduces their trust in providers and reduces the amount of information they’re willing to share with their providers. In the business of healthcare, that is not where you want to be.”

Pritts said people have not paid enough attention to mobile technology to date. However, the human is important. “Unauthorized snooping is still one of the largest causes of breaches. We’ve always had some people doing that but we’ll have fewer if that behavior is not tolerated and there is an atmosphere that it simply is not acceptable.” She cited a time when President Bill Clinton went into the hospital and, almost immediately, 12 employees were caught snooping. More disturbing, however, was that other employees said they weren’t surprised because it happens all the time.

Future plans for her office are in flux because of budgetary constraints, Pritts said. “There is a list of things we’d like to do. I believe we’ll be able to do them but time will tell.”