6/16/2014
02:42 PM

Healthcare Organizations Prep For Increased Audits

With audits expected to increase this year, healthcare organizations increasingly invest in risk assessment software or services to ensure compliance.

and new rules, based on a questionnaire and Web-based videoconference, Carson explains. Education alone helps address one weakness discovered in the government's expanded audit capabilities.

This year the Department of Health and Human Services (HHS) is expected to launch its HIPAA Audit Program to include business associates. The Office of Civil Rights (OCR) will expand beyond the pilot created with partner KPMG, which focused on 115 providers. Early results of the pilot show that providers have limited awareness of compliance as well as outdated policies and procedures, and that they fail to properly implement policies and procedures.

The complexity of today's systems makes auditing more challenging for healthcare organizations, says Tim Sedlak, senior product manager at Dell Software, which develops compliance tools, in an interview. "It used to be, you could audit your IT department, and everything was on-site," he says. "Now IT has blossomed and gone in every different direction. You have things like SharePoint and mobile devices, let alone the introduction of cloud-based services. That has a lot of people shaking in their boots. I think we're seeing a lot of concern in those areas."

Dell often works with IT administrators and IT managers on a mandate from their chief compliance or chief security officer, Sedlak says. "People felt very comfortable even two, three years ago that, 'My IT guys know what to do around HIPAA, HITECH.' Now we've got the introduction of cloud services, SharePoint, Dropbox, SkyDrive, and tablets and smartphones," he says. "People realize they could have [personal health information] everywhere. They're concerned they don't know where data's gone. They're concerned they don't have the controls in the places where data's gone."

More awareness often translates into more funding -- for education, resources, and tools, whether internal solutions or external services. The need to manage and control risk will continue to grow in proportion to the data pouring into healthcare organizations' many devices, networks, and applications.


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
jagibbons
User Rank: Ninja
6/20/2014 | 8:58:41 AM
Re: Increasing complexity
Thanks for the additional information. I would have hoped that there'd be some shared liability. If I'm relying on an expert to help me down the path to compliance and that partner tells me we are currently in compliance, that partner should have some liability if problems are found. I would still need to do my due diligence to make sure I can trust what the partner says, though. I can't just hand off responsibility and wipe my hands clean. It's still my business and my data that's at play.
Art_Gross
User Rank: Apprentice
6/19/2014 | 5:41:49 PM
Re: Increasing complexity
@jagibbons your question about partners being on the hook for penalties if there was a problem found in the audit is a good one. The key aspect is understanding that a security risk assessment identifies areas that an organization is lacking in terms of HIPAA compliance as well as protecting patient information. So by doing a security risk assessment the organization is not automatically HIPAA compliant. The security risk assessment might recommend that laptops and USB drives be encrypted or that the organization ensure that servers are stored in a locked server room or closet. It would be the organization's responsibility to implement the additional security that has been recommended in the security risk assessment.

With the above said, HIPAA Secure Now provides $100,000 of financial protection to our clients in the event they are audited and receive any HIPAA related fines or penalties. The financial protection also covers breach related expenses (forensics, patient notification, credit monitoring, etc.).  In addition we provide assistance to help the client through the audit. We refer to our compliance portal as a "book of evidence" where we can show auditors the organization's policies and procedures, risk assessment reports and work plans, their security incident response plan, executed business associate agreements, proof that employees have received HIPAA security training, etc.

Let me know if you have any other questions.
jagibbons
User Rank: Ninja
6/19/2014 | 3:16:16 PM
Re: Increasing complexity
Thanks for reaching out. It would be helpful to know for future business vendor relationships.
Alison_Diana
User Rank: Author
6/19/2014 | 3:13:53 PM
Re: Increasing complexity
I do not know but I've asked an expert to chime in. Hopefully he will do so. I wonder if it's comparable to a tax audit?
jagibbons
User Rank: Ninja
6/19/2014 | 12:24:43 PM
Re: Increasing complexity
@Alison_Diana, do you happen to know if these partners would also then be on the hook for some of the penalties if there was a problem found in an audit? I know the client is still responsible for compliance, but how much liability does the service provider take on?
Alison_Diana
User Rank: Author
6/19/2014 | 10:00:02 AM
Re: Complexity
It really is, @Steve. As an EHR consultant, do you provide this type of service or do you, perhaps, partner with other consultants that specialize in compliance and risk-assessment? I wonder whether your clients understand the risks they face if they don't implement all the necessary steps and how that knowledge level has evolved over the past few years? I'd imagine it's improving and that office managers now find it easier to get the resources they need to conduct risk assessments, whether it's by hiring a service provider or buying the software and tools they need to conduct them internally.
Alison_Diana
User Rank: Author
6/19/2014 | 9:57:02 AM
Re: Increasing complexity
I agree, @jagibbons, and that's exactly what service providers like HIPAA Secure Now are seeing. Although he wouldn't supply revenue figures, he did say the number of website visits had increased a lot since the Omnibus Rule went into place and practices became more aware of the risk and their responsibility. Given all the other work they must do and the knowledge required to achieve compliance, it makes sense for smaller organizations -- those without dedicated compliance, governance, or risk-management departments and execs -- to seek out partners dedicated to these topics. 
SteveRobbin
User Rank: Apprentice
6/18/2014 | 8:35:24 PM
Complexity
Being an EHR consultant, I also believe that it is really complex.
jagibbons
User Rank: Ninja
6/17/2014 | 6:42:18 AM
Increasing complexity
This is common across the entire regulatory landscape. It is becoming such a complex picture that SMBs will have to start outsourcing some risk and compliance management. There is too much out there for one person to keep track of, especially if that's only part of their job.