Glacial Ridge Hospital, Tyler Healthcare Center/Avera, and Valley Community Health Center share their experience with meeting privacy and security requirements for meaningful use

Glacial Ridge Hospital staff take a break to celebrate their continual progress toward meaningful use.

Glacial Ridge Hospital staff take a break to celebrate their continual progress toward meaningful use.

Most of the privacy and security requirements for meaningful use are common sense from an IS perspective—systems need to be as secure as possible and information access is limited to only what people need.

"Nothing about HIPAA is a surprise, nothing about privacy and security is a surprise," said Sharon Ericson, Valley Community Health Center (VCHC) CEO, a federally qualified health center (FQHC) in Northwood, North Dakota. "Having an electronic health record makes you think about how effective you are at it all. If privacy and security didn't work well before, meaningful use helps you ramp up. It's a wake-up call to all of us on what we should be doing."

Through telephone meetings with its REACH HIT field consultant over the course of three weeks, VCHC reviewed the REACH privacy and security checklist. "We have anywhere from 15 to 25 policies for HIPAA privacy and another 15 to 25 for HIPAA security. It takes time to weed through it all. Now we have our laundry list and we know what to do," said Stacey Jacobson, VCHC clinical coordinator. "The new steps are not difficult. We just need to make the time to do them."

VCHC needed to change the wording on some of its documents and add a few new policies. It is improving some procedures, such as checking security logs, checking backup tapes, and checking on why some data are not backed up.

Glacial Ridge Hospital used the Privacy and Security eBox learning tool from REACH to develop comprehensive HIPAA security and privacy policies. "From what we have seen, most sites only have three policies written on this topic, so it was a
lot of work to get where we needed to be," said Heidi Engle, CIO, Glacial Ridge. To help with this, the hospital incorporated weekly calls with its REACH HIT consultant and peers.

With direction from its REACH HIT consultant, Tyler Healthcare Center/Avera, Tyler, Minnesota, established a privacy and security committee that is working to complete a security risk analysis by gathering current policies and reviewing them to see what needs to be revised or added. The REACH privacy and security checklist helped them prioritize. "There’s so much information. You can get overwhelmed and not know what to focus on," said Rhonda Newton, information technology director at Tyler Healthcare Center.

The HITECH Act has a lot of policies geared toward natural disasters and how to get back up and running. Tyler Healthcare Center started its 90-day attestation period on July 1 - the same day a tornado came through town. "Although it caused
no major damage, it could have been a huge problem. It really reinforced that we need to get everything in place," said Newton.

Valley Community Health Center invited its REACH HIT field consultant out to talk to the entire staff on meaningful use. "We used that as an opportunity to launch our privacy and security changes, refocusing everything on what we need to be doing and why we need to worry about privacy and security," said Ericson. "The real challenge is getting people to do it."

Some physicians raise concerns that an EHR system creates an environment where people can access information inappropriately. EHRs may increase ease of access, but HIPAA isn't new. Unlike with paper files, where there’s no knowing who accessed information, an EHR logs who accesses a record. And some hospital employees are finding out that health care providers take patient privacy and security very seriously. In May, Allina Hospitals & Clinics, Minneapolis, terminated 28 employees for inappropriately accessing patient information, and in February, a hospital in Iowa City terminated three employees.

The work of privacy and security is never complete; it just continues to evolve. "No matter how secure we think our systems are, there are things we can do better, and we need to keep up with the pace of technology," said Newton.


  • Use the REACH privacy and security checklist. Start early—it can take a long time to go through.
  • Establish
    a privacy and security committee to review current policies.
  • Participate in REACH user group calls to touch base with other people who use the same EHR software to ask questions and discuss issues.
  • Use sample policies and procedures provided by REACH.
  • Educate staff on the reasons behind the privacy and security policies and procedures.

Glacial Ridge Health System consists of a 19-bed Critical Access, trauma hospital in Glenwood, Minnesota within Pope County, with clinics in Brooten and Glenwood.

Tyler Healthcare Center consists of a critical access hospital, clinic, long term care facility, home care and ambulatory services, with two physicians and one PA. Tyler is affiliated with the Avera Health System, receiving various mobile services, but is on a separate EHR system. Tyler is currently focused on its hospital EHR and will be implementing the clinic EHR at the end of the calendar year.

Valley Community Health Center has the equivalent of 3.6 full-time providers - part-time physicians, nurse practitioners and a certified nurse midwife - who serve about 3,900 patients at two locations. Last year, VCHC went live with its practice management system and this April, it went live with its first EHR.