Healthcare // Security & Privacy
News
6/16/2014
02:42 PM

Healthcare Organizations Prep For Increased Audits

With audits expected to increase this year, healthcare organizations increasingly invest in risk assessment software or services to ensure compliance.

[Image: 10 Medical Practice Management Systems For 2014]

As office manager of the Fertility Institute of Virginia, Pattie Carson needed to ensure the practice was compliant with laws related to mobile usage, emails, and security. But keeping up with changing laws while running the busy reproductive endocrinology practice was impractical, if not impossible.

Since Medicare and Medicaid don't cover fertility treatment, the institute opted to continue using paper charts, but it must still abide by HIPAA and other privacy and security regulations, Carson tells InformationWeek. She determined that the most affordable and cost-effective solution was to use a third party to conduct risk assessments and provide ongoing compliance services.

"With all the rules and regulations -- they're always changing -- I needed someone to help me, someone who specialized in this," she says. "HIPAA Secure Now gave us a risk assessment and makes sure we're compliant with everything."

In smaller practices the office manager is typically responsible for risk assessment, Art Gross, CEO of HIPAA Secure Now, said in an interview. Organizations with fewer than 75 employees often outsource IT and have nobody heading compliance. With the advent of Meaningful Use they are now overloaded with data, he said, but have little insight into the risks around backup, disaster recovery, mobile devices, or USB drives.


"You talk about a security risk assessment and people look at you as if you're talking French," Gross says. "This isn't something people embrace very easily. You start using words like encryption and disaster recovery. These are concepts a lot of practices truly don't understand. It's not their fault."

The threat of larger fines has increased awareness among smaller practices, however. Since the Omnibus Rule went into effect in March 2013, HIPAA Secure Now saw website activity grow to about 7,000 hits a month from 400, according to Gross, with 10 to 15 people per day signing up for the company's training.

Looking out for patient data is difficult these days, Gross points out, as it's often scattered throughout a doctor's office. "Everyone thinks of patient information as in their EMR, but when we go through and do a risk assessment, we find there's patient information in email, and all that information is sitting in laptops or smartphones or tablets," he says. "They don't realize there's patient information all over, and the risk grows with every device you put that information on."

That was certainly true at the Fertility Institute. Since the practice's physicians increasingly depend on their iPhones and iPads, HIPAA Secure Now ensured that these and other mobile devices were fully encrypted. In addition, the service provider improved email security so the practice could communicate with patients over email -- a move that increased patient satisfaction, according to Carson.

"Before this we were careful -- there was certain information we just didn't send out. [Now] I can send information because it's encrypted," she says. "Some patients, that's how they communicate now. It's a lot quicker for them. [For] some people, with their work schedules, phones are impossible."

Each year HIPAA Secure conducts a risk assessment, auditing the Fertility Institute on areas of improvement, areas that need addressing,


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments

jagibbons, User Rank: Ninja, 6/20/2014 | 8:58:41 AM
Re: Increasing complexity
Thanks for the additional information. I would have hoped that there'd be some shared liability. If I'm relying on an expert to help me down the path to compliance and that partner tells me we are currently in compliance, that partner should have some liability if problems are found. I would still need to do my due diligence to make sure I can trust what the partner says, though. I can't just hand off responsibility and wipe my hands clean. It's still my business and my data that's at play.

Art_Gross, User Rank: Apprentice, 6/19/2014 | 5:41:49 PM
Re: Increasing complexity
@jagibbons your question about partners being on the hook for penalties if there was a problem found in the audit is a good one. The key aspect is understanding that a security risk assessment identifies areas that an organization is lacking in terms of HIPAA compliance as well as protecting patient information. So by doing a security risk assessment the organization is not automatically HIPAA compliant. The security risk assessment might recommend that laptops and USB drives be encrypted or that the organization ensure that servers are stored in a locked server room or closet. It would be the organization's responsibility to implement the additional security that has been recommended in the security risk assessment.

With the above said, HIPAA Secure Now provides $100,000 of financial protection to our clients in the event they are audited and receive any HIPAA related fines or penalties. The financial protection also covers breach related expenses (forensics, patient notification, credit monitoring, etc.).  In addition we provide assistance to help the client through the audit. We refer to our compliance portal as a "book of evidence" where we can show auditors the organization's policies and procedures, risk assessment reports and work plans, their security incident response plan, executed business associate agreements, proof that employees have received HIPAA security training, etc.

Let me know if you have any other questions.

jagibbons, User Rank: Ninja, 6/19/2014 | 3:16:16 PM
Re: Increasing complexity
Thanks for reaching out. It would be helpful to know for future business vendor relationships.

Alison_Diana, User Rank: Author, 6/19/2014 | 3:13:53 PM
Re: Increasing complexity
I do not know but I've asked an expert to chime in. Hopefully he will do so. I wonder if it's comparable to a tax audit?

jagibbons, User Rank: Ninja, 6/19/2014 | 12:24:43 PM
Re: Increasing complexity
@Alison_Diana, do you happen to know if these partners would also then be on the hook for some of the penalties if there was a problem found in an audit? I know the client is still responsible for compliance, but how much liability does the service provider take on?

Alison_Diana, User Rank: Author, 6/19/2014 | 10:00:02 AM
Re: Complexity
It really is, @Steve. As an EHR consultant, do you provide this type of service or do you, perhaps, partner with other consultants that specialize in compliance and risk-assessment? I wonder whether your clients understand the risks they face if they don't implement all the necessary steps and how that knowledge level has evolved over the past few years? I'd imagine it's improving and that office managers now find it easier to get the resources they need to conduct risk assessments, whether it's by hiring a service provider or buying the software and tools they need to conduct them internally.

Alison_Diana, User Rank: Author, 6/19/2014 | 9:57:02 AM
Re: Increasing complexity
I agree, @jagibbons, and that's exactly what service providers like HIPAA Secure Now are seeing. Although he wouldn't supply revenue figures, he did say the number of website visits had increased a lot since the Omnibus Rule went into place and practices became more aware of the risk and their responsibility. Given all the other work they must do and the knowledge required to achieve compliance, it makes sense for smaller organizations -- those without dedicated compliance, governance, or risk-management departments and execs -- to seek out partners dedicated to these topics. 

SteveRobbin, User Rank: Apprentice, 6/18/2014 | 8:35:24 PM
Complexity
Being an EHR consultant, I also believe that it is really complex.

jagibbons, User Rank: Ninja, 6/17/2014 | 6:42:18 AM
Increasing complexity
This is common across the entire regulatory landscape. It is becoming such a complex picture that SMBs will have to start outsourcing some risk and compliance management. There is too much out there for one person to keep track of, especially if that's only part of their job.