6/16/2014
02:42 PM

Healthcare Organizations Prep For Increased Audits

With audits expected to increase this year, healthcare organizations increasingly invest in risk assessment software or services to ensure compliance.

Comments
jagibbons
User Rank: Ninja
6/20/2014 | 8:58:41 AM
Re: Increasing complexity
Thanks for the additional information. I would have hoped that there'd be some shared liability. If I'm relying on an expert to help me down the path to compliance and that partner tells me we are currently in compliance, that partner should have some liability if problems are found. I would still need to do my due diligence to make sure I can trust what the partner says, though. I can't just hand off responsibility and wipe my hands clean. It's still my business and my data that's at play.
Art_Gross
User Rank: Apprentice
6/19/2014 | 5:41:49 PM
Re: Increasing complexity
@jagibbons your question about partners being on the hook for penalties if there was a problem found in the audit is a good one. The key aspect is understanding that a security risk assessment identifies areas that an organization is lacking in terms of HIPAA compliance as well as protecting patient information. So by doing a security risk assessment the organization is not automatically HIPAA compliant. The security risk assessment might recommend that laptops and USB drives be encrypted or that the organization ensure that servers are stored in a locked server room or closet. It would be the organization's responsibility to implement the additional security that has been recommended in the security risk assessment.

With the above said, HIPAA Secure Now provides $100,000 of financial protection to our clients in the event they are audited and receive any HIPAA related fines or penalties. The financial protection also covers breach related expenses (forensics, patient notification, credit monitoring, etc.).  In addition we provide assistance to help the client through the audit. We refer to our compliance portal as a "book of evidence" where we can show auditors the organization's policies and procedures, risk assessment reports and work plans, their security incident response plan, executed business associate agreements, proof that employees have received HIPAA security training, etc.

Let me know if you have any other questions.
jagibbons
User Rank: Ninja
6/19/2014 | 3:16:16 PM
Re: Increasing complexity
Thanks for reaching out. It would be helpful to know for future business vendor relationships.
Alison_Diana
User Rank: Author
6/19/2014 | 3:13:53 PM
Re: Increasing complexity
I do not know but I've asked an expert to chime in. Hopefully he will do so. I wonder if it's comparable to a tax audit?
jagibbons
User Rank: Ninja
6/19/2014 | 12:24:43 PM
Re: Increasing complexity
@Alison_Diana, do you happen to know if these partners would also then be on the hook for some of the penalties if there was a problem found in an audit? I know the client is still responsible for compliance, but how much liability does the service provider take on?
Alison_Diana
User Rank: Author
6/19/2014 | 10:00:02 AM
Re: Complexity
It really is, @Steve. As an EHR consultant, do you provide this type of service or do you, perhaps, partner with other consultants that specialize in compliance and risk-assessment? I wonder whether your clients understand the risks they face if they don't implement all the necessary steps and how that knowledge level has evolved over the past few years? I'd imagine it's improving and that office managers now find it easier to get the resources they need to conduct risk assessments, whether it's by hiring a service provider or buying the software and tools they need to conduct them internally.
Alison_Diana
User Rank: Author
6/19/2014 | 9:57:02 AM
Re: Increasing complexity
I agree, @jagibbons, and that's exactly what service providers like HIPAA Secure Now are seeing. Although he wouldn't supply revenue figures, he did say the number of website visits had increased a lot since the Omnibus Rule went into place and practices became more aware of the risk and their responsibility. Given all the other work they must do and the knowledge required to achieve compliance, it makes sense for smaller organizations -- those without dedicated compliance, governance, or risk-management departments and execs -- to seek out partners dedicated to these topics. 
SteveRobbin
User Rank: Apprentice
6/18/2014 | 8:35:24 PM
Complexity
Being an EHR consultant, I also believe that it is really complex.
jagibbons
User Rank: Ninja
6/17/2014 | 6:42:18 AM
Increasing complexity
This is common across the entire regulatory landscape. It is becoming such a complex picture that SMBs will have to start outsourcing some risk and compliance management. There is too much out there for one person to keep track of, especially if that's only part of their job.