Comments
Healthcare Organizations Prep For Increased Audits
jagibbons,
User Rank: Ninja
6/20/2014 | 8:58:41 AM
Re: Increasing complexity
Thanks for the additional information. I would have hoped that there'd be some shared liability. If I'm relying on an expert to help me down the path to compliance and that partner tells me we are currently in compliance, that partner should have some liability if problems are found. I would still need to do my due diligence to make sure I can trust what the partner says, though. I can't just hand off responsibility and wipe my hands clean. It's still my business and my data that's at play.
Art_Gross,
User Rank: Apprentice
6/19/2014 | 5:41:49 PM
Re: Increasing complexity
@jagibbons your question about partners being on the hook for penalties if there was a problem found in the audit is a good one. The key aspect is understanding that a security risk assessment identifies areas that an organization is lacking in terms of HIPAA compliance as well as protecting patient information. So by doing a security risk assessment the organization is not automatically HIPAA compliant. The security risk assessment might recommend that laptops and USB drives be encrypted or that the organization ensure that servers are stored in a locked server room or closet. It would be the organization's responsibility to implement the additional security that has been recommended in the security risk assessment.

With the above said, HIPAA Secure Now provides $100,000 of financial protection to our clients in the event they are audited and receive any HIPAA related fines or penalties. The financial protection also covers breach related expenses (forensics, patient notification, credit monitoring, etc.).  In addition we provide assistance to help the client through the audit. We refer to our compliance portal as a "book of evidence" where we can show auditors the organization's policies and procedures, risk assessment reports and work plans, their security incident response plan, executed business associate agreements, proof that employees have received HIPAA security training, etc.

Let me know if you have any other questions.
jagibbons,
User Rank: Ninja
6/19/2014 | 3:16:16 PM
Re: Increasing complexity
Thanks for reaching out. It would be helpful to know for future business vendor relationships.
Alison_Diana,
User Rank: Author
6/19/2014 | 3:13:53 PM
Re: Increasing complexity
I do not know but I've asked an expert to chime in. Hopefully he will do so. I wonder if it's comparable to a tax audit?
jagibbons,
User Rank: Ninja
6/19/2014 | 12:24:43 PM
Re: Increasing complexity
@Alison_Diana, do you happen to know if these partners would also then be on the hook for some of the penalties if there was a problem found in an audit? I know the client is still responsible for compliance, but how much liability does the service provider take on?
Alison_Diana,
User Rank: Author
6/19/2014 | 10:00:02 AM
Re: Complexity
It really is, @Steve. As an EHR consultant, do you provide this type of service or do you, perhaps, partner with other consultants that specialize in compliance and risk-assessment? I wonder whether your clients understand the risks they face if they don't implement all the necessary steps and how that knowledge level has evolved over the past few years? I'd imagine it's improving and that office managers now find it easier to get the resources they need to conduct risk assessments, whether it's by hiring a service provider or buying the software and tools they need to conduct them internally.
Alison_Diana,
User Rank: Author
6/19/2014 | 9:57:02 AM
Re: Increasing complexity
I agree, @jagibbons, and that's exactly what service providers like HIPAA Secure Now are seeing. Although he wouldn't supply revenue figures, he did say the number of website visits had increased a lot since the Omnibus Rule went into place and practices became more aware of the risk and their responsibility. Given all the other work they must do and the knowledge required to achieve compliance, it makes sense for smaller organizations -- those without dedicated compliance, governance, or risk-management departments and execs -- to seek out partners dedicated to these topics. 
SteveRobbin,
User Rank: Apprentice
6/18/2014 | 8:35:24 PM
Complexity
Being an EHR consultant, I also believe that it is really complex.
jagibbons,
User Rank: Ninja
6/17/2014 | 6:42:18 AM
Increasing complexity
This is common across the entire regulatory landscape. It is becoming such a complex picture that SMBs will have to start outsourcing some risk and compliance management. There is too much out there for one person to keep track of, especially if that's only part of their job.

