HIPAA Omnibus rule – Aegify (https://www.aegify.com), Comprehensive Security, Risk and Compliance Assurance Solution. Feed last updated Wed, 03 Aug 2016 00:23:42 +0000.

Achieve HIPAA Omnibus Compliance in Five Easy Steps
https://www.aegify.com/achieve-hipaa-omnibus-compliance-in-five-easy-steps/
Mon, 04 Jan 2016 22:57:25 +0000

In this whitepaper you will learn 5 steps to achieving HIPAA compliance. However, given that new vulnerabilities are discovered every day, it is imperative to conduct HIPAA assessments regularly. Assessment is not a one-time endeavor; it should be repeated at least once every quarter.

Read Whitepaper

The post Achieve HIPAA Omnibus Compliance in Five Easy Steps appeared first on Aegify.

Don’t let ePHI make your business another Connecticut case of HIPAA Negligence
https://www.aegify.com/connecticut-case-of-hipaa-rule-negligence/
Tue, 09 Dec 2014 04:44:12 +0000

Technological growth has empowered today’s healthcare industry with a number of software applications and IT infrastructure that enable providers to communicate, store and process patient health information digitally. However, with cyber threats lurking over this IT-enabled environment, the Office for Civil Rights (OCR) enforced the HIPAA Privacy Rule as a sequel to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which established rules protecting the privacy and security of personal health data.

The HIPAA Privacy Rule was aimed at protecting the privacy of individually identifiable health information. Along with this, the OCR also brought out the HIPAA Security Rule, which sets national standards for the security of electronic protected health information. The HIPAA Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information, and the confidentiality provisions of the Patient Safety Rule protect identifiable information used to analyse patient safety events and improve patient safety.

HIPAA is a complex set of federal rules and regulations that govern how medical institutions and their business associates treat private health information. With penalties for HIPAA violations being substantially high, legal experts are analysing the impact of the Connecticut Supreme Court’s ruling on whether plaintiffs can sue a healthcare provider for negligence if HIPAA regulations have been violated by failing to protect the privacy of patients. Under the HIPAA Security Rule, OCR has set national standards for the security of protected health information (PHI) that is created, stored, transmitted, or received electronically.

To ensure the confidentiality, integrity, and availability of ePHI, the HIPAA Security Rule requires medical practitioners, covered entities, business associates and consumers to implement a series of administrative, physical, and technical safeguards when working with ePHI. The Connecticut case of Emily Byrne vs. Avery Centre for Obstetrics and Gynaecology, in which a patient sued a healthcare clinic that released her medical records to a third party without her authorization, falls into one of 10 types of HIPAA violation. Failure to comply with HIPAA requirements leads to civil and criminal penalties that apply to both covered entities and individuals.

Covered entities and business associates should therefore take adequate steps to ensure that patient data is safe from any sort of data breach. Aegify, a HIPAA/HITECH security and compliance management solution, provides continuous security monitoring and compliance management built on a framework approach, and allows covered entities and business associates to gain control of and improve compliance levels across HIPAA, HITECH, PCI, SOX, ISO and COBIT, including country-specific regulations. Its built-in vulnerability scanning technology makes security and compliance monitoring simple and effective, and is designed to let large hospitals as well as small and medium healthcare establishments and their business associates continuously monitor the security of PHI against data breaches.

The post Don’t let ePHI make your business another Connecticut case of HIPAA Negligence appeared first on Aegify.

A disruption-free Medical Practice in a BA dependent industry
https://www.aegify.com/disruption-free-medical-practice-hippa-compliance/
Tue, 11 Nov 2014 08:07:48 +0000

Medical information of any individual includes unique identifiers, demographic data, medical conditions, health care providers’ details, billing information, as well as immediate family members’ details and medical history. The growth of technology has paved the way for storing these records in electronic formats with quick access from any location. Even as every individual approaches doctors trusting in the safety of his/her personal, sensitive and private data, in reality the increasing number of data breaches belies this trust.

To control such loss of data, governments have stressed HIPAA and HITECH Act compliance as a mandatory feature of electronic health information exchange. A medical practitioner working in a digital environment therefore deploys systems for risk assessment and encryption of data. However, besides doctors and healthcare professionals, there are insurers, transcribers, pharmacologists and practice management services that also access EHI. Under such circumstances, even if the doctors adhere to HIPAA compliance requirements, data breaches may still result from loopholes in the systems of contractors and business associates.

With a large number of data loss incidents resulting from loopholes in third-party providers’ systems, the US government recently brought in changes to the HIPAA Act that extend and impose the privacy and security requirements on business associates as well as covered entities. The recent incident in which 11 hospitals of a major health system failed to qualify under the certification of EHR systems and had to return $31 million in meaningful use payments brings to light that non-compliance with HIPAA and HITECH, even by BAs, might also jeopardize a professional’s medical practice. Studies from the Office for Civil Rights support this by showing that 45% of healthcare providers and covered entities have had data breaches, of which two-thirds of the incidents involve business associates.

Facing severe financial impact for both patients and healthcare providers, healthcare entities should take proactive steps to ensure that their medical practices are not put at risk. With the healthcare industry working on a globalized platform, it is not always easy to monitor global BAs and the security systems on their devices, even with a business associate agreement in place. To ensure that these BAs comply with the HIPAA security rules, the HIPAA Omnibus Rule addresses the privacy and security requirements. While HIPAA/HITECH compliance requires covered entities to implement controls and safeguards to protect health information, the HIPAA Omnibus Rule demands an increased focus on the way covered entities work in conjunction with their business associates.

Enterprises in the healthcare sector should therefore make use of technologies that help them continuously monitor the security and compliance levels of business associates on a global scale. Solutions such as Aegify SecureGRC, an IT compliance management and continuous security monitoring solution, are built on a framework approach and allow enterprises to control and improve compliance levels across more than 400 regulations, covering HIPAA, HITECH, PCI, SOX, ISO, COBIT and other country-specific regulations. The built-in vulnerability scanning technology facilitates effective security and continuous monitoring. This ensures compliance with various regulations across locations and demystifies the complexity of compliance challenges.

The post A disruption-free Medical Practice in a BA dependent industry appeared first on Aegify.

Not HIPAA Compliant Yet? Time to Look in the Mirror
https://www.aegify.com/not-hipaa-compliant-yet/
Fri, 01 Aug 2014 07:06:15 +0000

OCR has repeatedly emphasized the need to secure health records in order to prevent data breaches. Quite alarmingly, however, a large number of healthcare providers are yet to implement data security policies and procedures. Health data breaches have been growing at a disturbing rate, and several recent reports and government statements indicate that it is high time covered entities and their business associates took a close look at their data security status, policies and procedures in order to implement new ones or modify existing ones where necessary. The government has issued enough warnings so far, and OCR is now all set to increase enforcement measures and impose large financial penalties wherever required.

OCR has been offering lessons to the healthcare industry over the past few years emphasizing the areas where compliance is required. This was done using several methods, one of which was the first round of HIPAA audits that demonstrated that there was widespread failure to comply. The second method used was a judicious imposition of monetary penalties. Here, OCR chose a particular compliance issue such as encryption, or breach notification policies, and imposed penalties on those that failed to meet these requirements.

The third big step was the promulgation of the HIPAA Omnibus Rule. This rule was put in place with modifications called for by the HITECH Act. Once these final standards came into effect, covered entities and their business associates had to fully implement the necessary policies and procedures, and could not argue that they were waiting for the government’s final rule to come into effect. OCR also provided guidance on some important aspects of the Omnibus rule.

These steps clearly indicate that OCR is very serious about enforcing HIPAA. Three recent occurrences also demonstrate this fact. On June 10th, OCR posted its 2011 and 2012 reports about the breach notification program and compliance with privacy and security rules. These reports provide a glimpse into the issues that OCR sees with HIPAA compliance, and describe the types of breaches that have occurred and the number of individuals affected by these breaches. These details highlight the need to have a robust compliance plan and program in place. Moreover, the reports also bring out the most common causes of breaches including lack of security and encryption.

Also, in a recent conference of American Bar Association Health Law Section, a Chief Regional Civil Rights Attorney from OCR warned healthcare entities that HIPAA enforcement is likely to increase dramatically. And with the increase in enforcement, the monetary penalties are also likely to go up significantly. Following this statement, OCR announced its latest settlement on June 23rd, where Parkview Health System Inc. was fined $800,000 for dumping medical records on a physician’s driveway. Although this violation occurred back in 2009, the security requirements of HIPAA were not new back then, and protected health information was subject to HIPAA even then. Hence there was a clear obligation to protect health data, which the entity had failed to do.

These events have reinforced the need to comply with HIPAA guidelines immediately if entities have not already done so. Firstly, an assessment of the compliance status is necessary to understand what policies and procedures are in place and whether they are adequate and effective. If required, new policies and procedures should be implemented, and entities can seek external help from advisors, peers, consultants, and other security experts to get a HIPAA compliance program into shape. They can also adopt a complete data security solution such as Aegify Security Posture Management or Aegify SecureGRC or Aegify Risk Management for a comprehensive view of their security and risk posture, and end-to-end compliance support.

But one thing is very clear at this point. Covered entities should act immediately. OCR will begin a new audit program soon and may try to recover enough money from defaulting entities to keep the program running. So, healthcare entities can leave no stone unturned in trying to demonstrate complete compliance with HIPAA. They have to look in the mirror, and do what is necessary at the earliest.

The post Not HIPAA Compliant Yet? Time to Look in the Mirror appeared first on Aegify.

OCR Gears-Up to Resume HIPAA Audits
https://www.aegify.com/ocr-gears-up-to-resume-hipaa-audits/
Fri, 28 Feb 2014 05:42:53 +0000

The HIPAA compliance audit program seems to be all set to resume this year, as the Department of Health and Human Services’ Office for Civil Rights gears up with auditors to examine business associates and covered entities. In the 2014 HIMSS Conference held on February 24, Susan McAndrew, the OCR Deputy Director for Health Information Privacy, said that actual activities to start up the audit process will commence in the coming months.

OCR will soon launch a survey of 1200 organizations as the first step towards selecting those to be audited. Organizations that will undergo the audit will be chosen from a large database, and the survey is intended to verify details such as whether the organization is still in business and is genuinely the healthcare entity indicated in the database. These details will not only help OCR determine whether the entities chosen are suitable for the audit, but also give it a good idea of the size and complexity of each entity. Among other things, the survey is aimed at collecting recent data about the number of patient visits or insured lives, use of electronic records, business locations, and revenue.

Although McAndrew did not disclose the number of organizations to be audited, she said that the 1200 surveyed organizations will be an oversupply as not all of them will end up being suitable candidates. According to an OCR spokesperson, the survey will be targeting nearly 800 covered entities and 400 business associates.

OCR, with the help of KPMG, conducted a pilot HIPAA audit program in 2012 involving 115 covered entities. However, according to McAndrew, the next round of audits will be in-sourced. Details such as whether OCR will conduct these audits by training existing staff or by hiring new auditors, and whether these activities will be carried out from the regional OCR offices or from the central office, are still unclear.

Focus Areas for Upcoming Audits

According to McAndrew, one of the primary areas of focus in the 2014 audits will be whether covered entities have conducted timely and thorough security risk assessments as per HIPAA requirements, because this was one of the common weak spots found during the pilot audits as well as previous breach investigations. Moreover, the upcoming audits will have a revised protocol to fit the changes brought about by the HIPAA Omnibus rule that came into effect in 2013.

So the time is ripe for healthcare entities to do a reality check and prepare themselves with thorough risk assessments. Comprehensive security management solutions like Aegify Security Posture Management and Aegify SecureGRC can prove handy at this juncture, and help entities face the upcoming audits with confidence.

The post OCR Gears-Up to Resume HIPAA Audits appeared first on Aegify.
