Patient Health Information (PHI) is as important an asset as any other. Healthcare providers and business associates therefore have to ensure that they protect patient records as they would protect any other significant business asset. David Holtzman, a former senior official at an agency that enforces HIPAA, offered useful insights on safeguarding PHI as a business asset.
According to Holtzman, who recently joined the security consulting firm CynergisTek after eight years as HIPAA and HITECH Act Policy Adviser at the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), health information should be viewed and safeguarded just like any other business asset. Hence, covered entities have to clearly understand the requirements of the HIPAA privacy and security rules and take a realistic approach to identify potential threats and vulnerabilities in their systems that could put the confidentiality, integrity and availability of health information at risk.
In his interview with the Information Security Media Group, Holtzman stressed the importance of being aware of threats, particularly those associated with relying on subcontractors who hold/process health information, and taking appropriate measures to mitigate those threats.
While the HIPAA Omnibus rule does not change the relationship between covered entities and their business associates, it makes vendors and subcontractors directly liable under the rule. So, according to Holtzman, covered entities should understand the importance of having business associate agreements in place with all those hired to perform services related to PHI. In cases where a vendor/subcontractor refuses to sign an agreement, it should be taken as a sign to find another vendor who will agree to sign a business associate agreement.
Holtzman also stresses the importance of breach prevention, especially in light of the changes to the breach notification rule in HIPAA Omnibus. Healthcare entities should therefore take a proactive approach to information security rather than reacting to data breach incidents after the fact. This is why a comprehensive information security solution such as Aegify Security Posture Management or Aegify SecureGRC is a prerequisite. Adopting such a solution can help safeguard health information throughout its lifecycle and detect potential threats and vulnerabilities at an early stage, helping entities take measures to curb them before they lead to a breach incident.