july 29, 2015 | Post by William Trent | in HTG

Knowing the Difference Between HIPAA Compliance and EHR Compliance

“Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true,” stated by Tod Ferran, a security analyst at SecurityMetrics, Inc. in an article he wrote for Healthcare IT News. A lot of healthcare entities mistakenly think that if they are covered for EHR HIPAA compliance, then that coverage extends to all of HIPAA’s regulations as well. But, as experts have shown in recent years, HIPAA compliance and EHR compliance are two completely different umbrellas, even if you may be caught in the same storm. Ferran warns healthcare providers that the new HIPAA Security Rule requires that systems are required to be protected against 75 specific security controls. Ferran goes on to state that in order to ensure that your organization’ procedures, policies, and security measures are designed to protect patient health information (PHI) and defend against regulatory penalties, it is important for organizations to “ass/i>ess their security programs as a whole,” rather than just “simply checking a box”. So, how can an organization protect itself and do everything in its power to safeguard HIPAA compliance? Ferran recommends that organizations take the following actions right away:

Implement a regular, weekly routine, starting with as few as 30 minutes each session to meet and discuss priorities

Implement intrusion prevention

Install anti-malware

Utilize identity management

Integrate data-loss prevention tools

Designate a HIPAA compliance officer or team member

Conduct annual HIPAA security risk analyses

Check organizational policies and procedures against HIPAA requirements

Encrypt patient health information (PHI)

Use a key accessible only by authorized individuals

Implement workstation security

In his concluding statement, Ferran recommended that “No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.” To read Ferran’s full article, visit Healthcare IT News.