Andrea White
Is Nashville the Health Care Mecca?
by Andrea White on July 8, 2010
in Healthcare, Lovell, Nashville
It turns out that Nashville’s health care industry contributes nearly $30 billion and 210,000 jobs to the local economy, securing Nashville’s position as a health care industry hub. This week the Nashville Health Care Council released an updated economic impact study that shines a spotlight on the role of the health care industry in Nashville.
Health care is the engine of growth for Nashville’s job base and directly accounts for one in eight jobs, with health care companies paying more than 20% of the local tax base and providing more than 20% of local personal income.
At Lovell, we have the privilege of being a part of this growth engine every day, working with dozens of health care companies (locally and across the country) from many different sectors of the industry.
We consider ourselves very fortunate to have been on the front lines of Nashville’s health care scene for more than two decades as it has built critical mass, bred its own successes, and inspired possibilities for Nashville’s future in projects like the Medical Trade Center.
95 percent of Council member CEOs indicated that a Nashville headquarters location is important to their company’s positive performance, and approximately half believe that health information technology is the most promising sector to enter today. Having seen our community and industry leaders in action, we know it is no coincidence that the anchor tenant for the Trade Center, the Health Information and Management Systems Society (HIMSS), will very specifically attract vendors from the health I.T. sector and their customer base, which includes pretty much every company in America that remotely touches patient information.
Perhaps the moniker of America’s “Health Care Mecca” is not so far off, after all.
No, really. They are serious about it.
by Andrea White on May 14, 2010
in Crisis Communications, Healthcare, Organizational Behavior

HIPAA Enforcement is Hiring and Gearing Up for More Activity
Alerting all healthcare communications staff: we have fresh confirmation that a new era of diligence has begun at the Office of Civil Rights (OCR) for HIPAA enforcement of privacy and security. And as you know, security breaches lead to public relations nightmares, especially when a regulatory investigation is involved. And, officials are reminding us that they can now impose penalties of up to $1.5 million per violation.
Since the enforcement of HIPAA regulations moved from HHS to OCR in 2009, and actual enforcement began in February of 2010, there have been more than 75 health information security breaches reported that affect 500 or more people. OCR is taking this trend very seriously. In fact, Susan McAndrew, deputy director for privacy for OCR, made some enlightening comments earlier this week at an OCR-sponsored conference held in Washington, D.C.
It turns out OCR has added more investigators to their staff in 10 regional offices with the goal of investigating even more security breaches per year than had been projected when the office first staffed up. Right now they are conducting “compliance reviews” to help the 75 organizations with existing data breach issues to take corrective and preventative actions.
But consultants from Booz Allen Hamilton are in the process of helping OCR launch a new model for security rule audits – one that prioritizes pre-emptive action. Later this year OCR plans to begin these proactive audits of covered entities and business associates. Their goal is to identify and address security weaknesses in advance so that breaches are prevented.
Reports from the conference indicate that the auditors will be checking to see if organizations have completed their risk assessment and implemented appropriate administrative, technical and physical safeguards for protected health information (PHI). They will also be evaluating the organization’s efforts to uphold an individual’s right to access their own medical record and confirming that internal controls have been put into place to control unauthorized access to PHI.
Advice from the Information Security professionals on the front lines?
- Create comprehensive security policies and procedures based on thorough risk assessments;
- Train and re-train staff on steps to keep information secure;
- Consider whether to store sensitive patient data on fewer mobile devices; and
- Be sure to shred paper documents before disposal and destroy hard drives no longer in use.
Most of the security breaches to date have been the result of hardware theft – laptops, hard drives, thumb drives, etc. As a result, most information security officers are starting with enhanced protocols around encryption and making strategic determinations about what data should be stored on these devices, as well as enhancing physical security.
This doesn’t end at the doors of your organization. A new report from New Mexico serves as a warning to healthcare organizations nationwide to check on the security protocols of subcontractors. The New Mexico Medicaid program is currently advising almost 10,000 people that their medical data has been compromised due to a computer theft from the car of a subcontractor.
Some other risk factors have come up that are less obvious. Leased copiers with a hard drive may be a security risk if the hard drive is not wiped before returning it at the end of the lease. Likewise, phones and voice mail, as well as email, are not generally encrypted, leading to another set of risks. And in one case, a security patch download for one software program endangered the security of PHI held in another program on the same system.
But honestly, the most prevalent risks stem from inadvertent actions by employees. One of the most important things that an organization can do to avert breaches is to adequately train employees and provide clear guidelines about protocols, the reasons for those protocols, and the risks associated with breaking those protocols.
As the person charged with communicating the value of the brand, you are in a unique position to assist with this kind of employee communication in a way that brings it home, so that people remember what is at stake when protocols are inconvenient.
The bottom line is that communicators have a key role to play. Let’s face it. For all of their good intentions, the CIO, CFO, and legal officers of a healthcare organization may not be able to provide a good calculation of the impact this kind of breach will have on your market reputation and the costs required to repair it after a breach. Patient loyalty, brand reputation, and good relations with other health information business associates are assets with value, and this value needs to be reflected in the organization’s thorough risk assessment.
So is your healthcare organization ready for an OCR audit?
Have you included all of the true risks in the risk assessment?
What are you doing to better protect your data, train your employees, and prevent data breaches?
Any advice for your peers in other organizations?
Andrea White specializes in communications issues related to health information technology and the HITECH Act. Stay tuned for more blog entries on this subject in coming weeks!
Sources:
“Breach List: A Call to Action? With so many incidents, security funding could get a boost,” http://www.healthcareinfosecurity.com/p_print.php?t=a&id=2505
“HIPAA Audits: A Status Report,” http://www.healthcareinfosecurity.com/articles.php?art_id=2517&rf=2010-05-12-eh
“OCR Boosting Security Enforcement,” http://www.healthdatamanagement.com/news/privacy_security-40268-1.html?ET=healthdatamanagement:e1267:25859a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=HDM_Daily_051210
“N.M. Medicaid Breach Affects 9,600,” http://www.healthdatamanagement.com/news/breach-theft-laptop-medicaid-40279-1.html?ET=healthdatamanagement:e1269:25859a:&st=email&utm_source=editorial&utm_medium=email&utm_campaign=HDM_Daily_051310
“Civil rights office steps up health privacy enforcement,” http://govhealthit.com/newsitem.aspx?nid=73735
Healthcare Marketers: Get to Know Your CIO
by Andrea White on April 13, 2010
in Crisis Communications, Healthcare, Organizational Behavior

The HITECH Act has significant implications for communicators
A whole new area of risk is coming to the fore as the country rapidly moves to digitized personal health information (PHI). Physicians and hospitals will soon receive enhanced reimbursements for using electronic medical records and earn incentives for sending electronic prescriptions. As usage of electronic PHI grows, there are new risks for breach of that very sensitive data, and healthcare communicators need to be ready.
Since new notification regulations went into effect on February 22, fifty-six data breaches have been reported in which the PHI of 500 or more people has been put at risk. I know this because it is posted on the HHS web site mandated by the HITECH Act. But for even more information on the subject all I have to do is turn to HealthInfoSecurity.com and the Open Security Foundation, both of which search primary and online news sources to gather information on new data breaches and further spread the news. It is easy research to do…for me or for a reporter.
Professional healthcare communicators know that a large PHI breach requires at least a substantive and reassuring press release and similar notification for affected individuals. But did you know that there are now regulations for exactly what that press release and personal notification must include, when they must occur, and what resources must accompany them? If you post an announcement on your web site, utilize a 1-800 number, or make resources available online, there are additional guidelines that must be followed.
As communicators charged with restoring your organization’s reputation once a crisis has occurred, this may be an opportune time to go have lunch with your CIO, become familiar with the security safeguards that are in place for PHI, and learn about the regulatory requirements. Think of it as business continuity or disaster planning.
The potential costs are real. The Ponemon Institute conducts an annual study across industries to measure the real costs of data breaches including legal expenses, the cost of investigation and consultants, loss of customers, and other factors. In 2009, the average cost per compromised record was $204, which adds up very quickly since any breach generally impacts large numbers of records. 2009 incidents studied by Ponemon ranged in cost from $750,000 to nearly $31 million. And, predictably, they observed more volatility around healthcare customer churn than in any other industry.
Here are some steps you can take now to prepare for a possible PHI breach in the future:
- Understand the potential cost to the organization’s brand, to patient loyalty, and in actual expended dollars.
- Work with your I.T. department to conduct a technical risk assessment and understand the scope of data that might be affected.
- Learn about the security safeguards already in place in your organization and get a high-level understanding of how the data systems are structured. Draft some talking points in advance for quick reference.
- Assist employee training efforts to prevent inadvertent data breaches. As a professional communicator and steward of the organization’s brand, you should be the perfect person to develop the messages regarding what is at stake.
- Get a working knowledge of the regulatory language around data breach notification to individuals and to the media.
- Develop a quick reference plan encompassing practical steps and regulatory requirements for what to do after a breach.
So far, planning for HITECH has stayed in the CIO’s court, but it is time for Communications to get in the game as well. Don’t wait for a breach to happen before learning about your data systems and related regulations. Just think how much easier it will be to translate it all into English now rather than waiting until you are in the crunch.
Andrea White specializes in communications issues related to health information technology and the HITECH Act. Look for more blog entries on this subject in coming weeks!
Here’s a Hint: Develop a Crisis Plan Before You Have a Crisis …especially if you work with protected health information (PHI)
by Andrea White on February 24, 2010
in Crisis Communications, Healthcare
Healthcare marketers need to know that yesterday the U.S. Department of Health and Human Services launched a web site designed specifically to bring attention to companies that have recently experienced a data breach related to protected health information (PHI).

As good stewards of our healthcare brands, we know that any hint or perception of a PHI data breach has the potential to spur a broad and vocal response among the media, not to mention the reaction from patients, providers, payers, board members, investors, and any other partners. Loyalty is hard won and patient trust is an asset that you can’t afford to risk.
The HHS web site is designed to “keep us honest.” And it is just one step in the evolution of HIPAA enforcement and mandates for public notification about PHI data breaches, all of which have gotten a massive shove into the next decade by the HITECH Act. HITECH is the insiders’ name for the section of the stimulus package (the American Reinvestment and Recovery Act; ARRA) that involves health information technology (HIT).
Predictably, the notification requirements go much further than just posting the information on a federal web site. While healthcare CFOs, CIOs, and legal teams have been wrestling with other aspects of HITECH long into the night for months, most have neglected to bring their communications team into the loop.
Now that there is a central resource for reporters to follow and regulatory requirements where even the most well-intentioned healthcare entity might get their wires crossed, the communications professionals have a definitive role to play.
This is a perfect opportunity for healthcare communications teams across America to begin building their crisis communications plans – in conjunction with their stakeholders – before a crisis arrives. If there has to be an issue, there is no substitute for being able to frame the issue yourself. In this context, playing defense is a losing proposition.
Andrea White specializes in communications issues related to health information technology and the HITECH Act. Look for more blog entries on this subject in coming weeks!

Social media, and its closely related cousin mobile marketing, are the new frontier for marketing and advertising and, for many, have secured a significant presence in strategic communications plans for 2010. While it is wise to develop strategies and tactics utilizing a full spectrum of effective tools, the use of these new technologies should be more evolution than revolution.