The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.
We provide detailed technology analytics and intelligence reports to you during our Quarterly Business Reviews (QBRs). Here we discuss IT performance and metrics. This also gives you, the client, an opportunity to communicate long-term technology goals, roadmaps or technology changes. We will then provide you with the best tools and latest technology to achieve success.
With antivirus at the end of its replacement cycle, the threat of targeted and increasingly sophisticated cyber-crime is the new reality for healthcare providers worldwide. It is not a matter of if you will be targeted, it is a matter of when. Unfortunately, most providers are not proactive in their approach to information security until after they have been breached.
Unfortunately, what many healthcare organizations don’t realize is that just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant. Every healthcare organization is responsible, under the law, for the protection of patient data, regardless of whether they use a third-party vendor to process or store their patient records.
If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true.
It is truly frightening when we hear a healthcare provider, an EHR vendor, or even worse, an IT vendor, claim that an EHR system eliminates the need for IT or covers all of your HIPAA requirements. Even for cloud-based EHR systems, this is simply not the case. The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls specify safeguards that must be in place for the purpose of protecting PHI. We include annual security audits and penetration testing against these specific security controls absolutely free of charge to all of our healthcare clients.
Virtually every business that falls under the category of health care—from private practice therapists to small doctors’ offices to health insurance companies—has to comply with HIPAA. Although many of these organizations think primarily about their in-office software and hardware, the truth is that HIPAA extends beyond those boundaries. For example, if a doctor has access to corporate information or even electronic medical record systems on his or her cell phone, then that device needs to be compliant as well.
Although HIPAA regulations were first passed in 1996, it’s clear that there has been a real push toward compliance more recently. One of the reasons for this is the new set of requirements that must now be met under the HITECH Act as of September 2013. Among other things, the HITECH Act requires that managed IT service providers sign a business associate agreement. By doing so, the managed IT provider assumes all liability; without a business associate agreement in place, it is illegal for any IT company to work on a client’s systems if that client requires HIPAA compliance. This extends not only to vendors as covered entities but even to subcontractors.
If you’re functioning as part of the ecosystem of vendors and providers that are required to maintain HIPAA compliance, you’re also part of the liability chain. Violating HIPAA regulations results in fines from $1,000 to $5,000 per instance on the low end of the spectrum, up to $1.5 million for willful neglect (companies that knew the requirements but violated them anyway). HIPAA compliance is not a luxury; it’s the law.