Governance Dual-Usability Obligation


Angela GamalskiBy Angela I. Gamalski, MHSA, CHC
This post originally appeared on the Health Privacy & Security Compliance Lawg

Leaders in health care are likely familiar with the concept of a ‘dual-fiduciary role’. This administrative responsibility for senior leaders and organizational governance requires the balance of resources to assure the organization resources to provide high quality care to today’s patient in balance with maintaining reserves for tomorrow’s needs. This blog proposes that, as privacy and security is of equal weight to the organization’s financials, there is a requirement that administrators must balance in terms of IT security: the dual-usability role. This dual usability role requires that administrators and governance assure the following:

1. End-user accessibility of health care systems. Interoperability and integration are the latest buzzwords regarding the information systems that help health care professionals to provide high-quality medical care. The Meaningful Use program challenges health care technology platforms to certify their ability for users to demonstrate that the computer is not just a box in the room; rather, the computer and its systems are an active tool in use to provide high quality and timely patient care. The program requires providers demonstrate that patients can have access their own medical records through a portal, and to share information with others through information transfer between inpatient and outpatient care settings.

2. Physical and cyber security of information systems to prevent unauthorized access. The claim that privacy and security are equal to the bank account is a bold one; however, who would honestly trust a provider that was known to have lax security standards protecting the privacy of their medical record? The privacy of the doctor-patient relationship is essential; patients assume that office staff will not be gossiping to their friends and neighbors about their medical conditions, or allowing their medical information to fall easily into the hands of criminals and identity thieves. Again under Meaningful Use program requirements, providers must document that they have completed a security risk assessment during their attestation period. HITECH and the HIPAA Omnibus Rule require careful handling of PHI, analyzing breaches, and providing appropriate notification.

Health care providers, and their leadership, must carefully balance the two aspects of usability. Tipped too far to the side of security, with security protocols hindering a user’s abilities to access the patient information, usability is compromised. If a system is too accessible, and information is available without limitations based on patient assignment or job duties, then security is at fault. Health care administrators and governance can measure financial health and responsible fiduciary oversight through concrete metrics, for example: days cash on hand, operating margin. Security, conversely, is measured by what we do not have – breaches and angry individuals. Measuring and monitoring the balance of usability requires new metrics. Lawyers working in the healthcare space, with an understanding of technology, may be uniquely qualified to design these metrics given their training to minimize client risk within the limits of what today’s information system capabilities.

[bctt tweet=”Governance Dual-Usability Obligation #privacy #compliance @angelagamalski” via=”no”]

Angela Gamalski is a first year law student at Michigan State University College of Law.  Angela can be reached at