An individual's medical information includes unique identifiers, demographic data, medical conditions, health care providers' details, billing information, and the details and medical history of immediate family members. Advances in technology have paved the way for storing these records in electronic formats that can be accessed quickly from any location. Yet, even as every individual approaches a doctor trusting that his or her personal, sensitive and private data will be kept safe, the growing number of data breaches belies that trust.
To curb such data loss, the US government made HIPAA and HITECH Act compliance a mandatory requirement for electronic health information (EHI) exchange. A medical practitioner working in a digital environment therefore deploys systems for risk assessment and data encryption. However, besides doctors and other healthcare professionals, insurers, transcribers, pharmacologists and practice management services also access EHI. Under such circumstances, even if the doctors themselves adhere to the HIPAA compliance requirements, breaches may still result from weaknesses in the systems of their contractors and business associates.
With a large number of data loss incidents traced to weaknesses in third-party providers' systems, the US government recently amended HIPAA to extend its privacy and security requirements to business associates (BAs) as well as covered entities. A recent incident, in which 11 hospitals of a major health system failed to meet the EHR system certification requirements and had to return $31 million in meaningful use payments, shows that non-compliance with HIPAA and HITECH, even on the part of BAs, can jeopardize a professional's medical practice. Studies from the Office for Civil Rights support this, showing that 45% of healthcare providers and covered entities have experienced data breaches, and that two-thirds of those incidents involved business associates.
Given the severe financial impact on both patients and health care providers, healthcare entities should take proactive steps to ensure that their medical practices are not put at risk. With the healthcare industry operating on a global scale, it is not always easy to monitor globally distributed BAs and the security of their systems and devices, even with a business associate agreement in place. The HIPAA Omnibus Rule addresses this gap: while HIPAA/HITECH compliance requires covered entities to implement controls and safeguards to protect health information, the Omnibus Rule makes BAs directly subject to the HIPAA security rules and demands an increased focus on the way covered entities work in conjunction with their business associates.
Enterprises in the healthcare sector should therefore make use of technologies that help them continuously monitor the security and compliance levels of their business associates on a global scale. Solutions such as Aegify SecureGRC, an IT compliance management and continuous security monitoring solution, are built on a framework approach and allow enterprises to manage and improve compliance across more than 400 regulations, including HIPAA, HITECH, PCI, SOX, ISO, COBIT and other country-specific regulations. Its built-in vulnerability scanning technology supports effective security and continuous monitoring, helping to ensure compliance with the various regulations applicable across locations and reducing the complexity of the compliance challenge.