The following is a guest blog post by Jason Carolan, CTO for ViaWest.
HITECH and HIPAA compliance are incredibly important to the bottom lines of many companies. But what exactly does this compliance entail? In 2009, the HITECH Act (Health Information Technology for Economic and Clinical Health) was passed, expanding the scope of the earlier Health Insurance Portability and Accountability Act (HIPAA). HITECH strengthened enforcement of the HIPAA rules, raised the penalties for non-compliance, and extended the Security Rule obligations directly to Business Associates rather than leaving them to contract alone. Now more than ever, companies working with healthcare organizations must have all the facts before designing IT solutions, and one of the keys to having all the facts is knowing the core terminology.
A Covered Entity under the HIPAA Privacy Rule is a health plan, a health care clearinghouse, or a health care provider that transmits health information electronically in connection with a covered transaction. Examples include doctors, dentists, chiropractors, insurers, Medicare, medical plans and billing services. These Covered Entities face the additional challenge of managing their Business Associates: revisiting agreements and ensuring that privacy, security, enforcement and breach notification updates are in place in order to meet the requirements of the Omnibus Final Rule.
A Business Associate (BA) under the HIPAA Privacy Rule is a person or organization that performs functions or services for a Covered Entity that involve the use, access or disclosure of protected health information (PHI). HITECH also specifies that an organization that transmits PHI and requires routine access to it is a BA, and the Omnibus Final Rule extends BA status to subcontractors of a BA. Examples of BAs include vendors, subcontractors and IT service providers whose managed hosting services require access to, use of, or disclosure of PHI.
All HIPAA Covered Entities and Business Associates must implement security controls to safeguard PHI. The Security Rule's general requirements, together with the Breach Notification Rule, call for the following due diligence efforts:
- Ensure the confidentiality, integrity, and availability of all electronic PHI the organization creates, receives, maintains or transmits
- Protect against any reasonably anticipated threats or hazards to the security or integrity of that PHI
- Protect against reasonably anticipated uses or disclosures of PHI that are not permitted
- Ensure compliance by the workforce through Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures
- Document breach notification procedures and meet the breach notification deadlines
Covered Entities and Business Associates that have a strong security posture and can prove their due diligence through established, audited controls and breach preparedness face a lower risk of fines than companies that do nothing. Proven due diligence includes:
- Prioritizing compliance efforts
- Building a culture of security awareness
- Implementing security policies
- Conducting risk assessments
- Enforcing and validating the controls that protect PHI
IT departments are working with flat or shrinking budgets, and a growing share of those budgets is consumed by compliance, so CIOs and CTOs are under pressure to do more with fewer resources. Because failing on compliance can bring stiff penalties and fines, more and more companies are looking at outsourcing so that they can share the burden and ensure they are not missing important components.
An audit may not be a pleasant experience, but it is a reality, and being prepared is the key. The right technology provider can help you not just with a compliance checklist, but can take it a step further and provide a comprehensive set of controls that are “baked in” upfront, minimizing the risk of audit findings, or the “pain” of the audit if you are in the midst of one.
With increased regulation comes increased risk and complexity surrounding HIPAA compliance. Are you confident in your company’s data security?