Security Practices and Regulatory Compliance in the Healthcare Industry

From Clinfowiki

This is a review of Kwon and Johnson's 2013 article, Security Practices and Regulatory Compliance in the Healthcare Industry.[1]


The authors of this article conducted a study to explore whether there are relationships between the characteristics of different healthcare facilities and their compliance with regulations on the implementation of health information security.


The authors utilized data previously gathered by the Kroll/Healthcare Information and Management Systems Society (HIMSS)[1] for a study regarding health information security in US healthcare. This data consisted of 250 telephone interviews of privacy and security managers representing 250 randomly selected hospitals; for this study, the authors selected only 204 of the interviews as applicable.


Analysis showed that the 204 hospitals could be categorized into 3 levels of health information security implementation: the leaders, the followers, and the laggers. The leaders and followers are typically larger general, critical access, or academic hospitals, while the laggers are composed mainly of smaller general and critical access hospitals. All 3 levels implemented all 4 security practices, which are: (1) safeguarding information, (2) auditing, (3) human resources management, and (4) third-party security management.[1] The difference is in the intensity with which the 3 levels practiced the security measures. For example, all 3 levels would have signed confidentiality agreements with third-party affiliates; but the followers would go one step beyond the laggers by consistently conducting security audits of the third parties, and the leaders would go one step further than the followers by not only conducting audits, but also consistently training third-party affiliates in security and information breach practices.


The authors conclude that US hospitals are compliant with all the baseline regulations regarding health information privacy, and that varying levels of security implementation could be attributed to factors such as limited budgets and safety culture practices.


Clinical information systems have been deemed safer than paper records because they cannot be as easily stolen or destroyed. However, sophisticated technology also breeds sophisticated security breaches, and this compels us to be vigilant in safeguarding protected health information (PHI). This article gives excellent information on the different ways that information can be protected: it is not merely through the use of firewalls[2] and encryption; it can also be through policies that promote a culture of safety, as simple as not sharing passwords and always logging off.


1. Kwon, J., & Johnson, M. E. (2013). Security practices and regulatory compliance in the healthcare industry. Journal of the American Medical Informatics Association, 20(1), 44-51. doi: 10.1136/amiajnl-2012-000906.