Healthcare Organizations Prep For Increased Audits
With audits expected to increase this year, healthcare organizations increasingly invest in risk assessment software or services to ensure compliance.
10 Medical Practice Management Systems For 2014
(Click image for larger view and slideshow.)
As office manager of the Fertility Institute of Virginia, Pattie Carson needed to ensure the practice was compliant with laws related to mobile usage, emails, and security. But keeping up with changing laws while running the busy reproductive endocrinology practice was impractical, if not impossible.
Since Medicare and Medicaid don't cover fertility, the institute opted to continue using paper charts, but it must abide by HIPAA and other privacy and security regulations, Carson tells InformationWeek. She determined that the most affordable and cost-effective solution was to use a third party to conduct risk assessments and provide ongoing compliant services.
"With all the rules and regulations -- they're always changing -- I needed someone to help me, someone who specialized in this," she says. "HIPAA Secure Now gave us a risk assessment and makes sure we're complaint with everything."
In smaller practices the office manager is typically responsible for risk assessment, according to Art Gross, CEO of HIPAA Secure Now, in an interview. Organizations with fewer than 75 employees often outsource IT, with nobody to head compliance. With the advent of Meaningful Use, they're now overloaded with data, he said, but they have little insight into the dangers of backup, disaster recovery, mobile devices, or USB drives.
"You talk about a security risk assessment and people look at you as if you're talking French," Gross says. "This isn't something people embrace very easily. You start using words like encryption and disaster recovery. These are concepts a lot of practices truly don't understand. It's not their fault."
The threat of larger fines has increased awareness among smaller practices, however. Since the Omnibus Rule went into effect in March 2013, HIPAA Secure Now saw website activity grow to about 7,000 hits a month from 400, according to Gross, with 10 to 15 people per day signing up for the company's training.
Looking out for patient data is difficult these days, Gross points out, as it's often scattered throughout a doctor's office. "Everyone thinks of patient information as in their EMR, but when we go through and do a risk assessment, we find there's patient information in email, and all that information is sitting in laptops or smartphones or tablets," he says. "They don't realize there's patient information all over, and the risk grows with every device you put that information on."
That was certainly true at the Fertility Institute. Since the practice's physicians increasingly depend on their iPhones and iPads, HIPAA Secure Now ensured that these and other mobile devices were fully encrypted. In addition, the service provider enhanced email security to improve the practice's communication with patients -- a move that enhanced patient satisfaction, according to Carson.
"Before this we were careful -- there was certain information we just didn't send out. [Now] I can send information because it's encrypted," she says. "Some patients, that's how they communicate now. It's a lot quicker for them. [For] some people, with their work schedules, phones are impossible."
Each year HIPAA Secure conducts a risk assessment, auditing the Fertility Institute on areas of improvement, areas that need addressing,
Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ... View Full Bio
Healthcare Data Breaches Cost More Than You ThinkHealthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.