Tuesday, March 1, 2016
HIPAA…. Oh, we’re covered!
By: Chad Sizemore, Managing Partner, ICS Medtech
“Our attorneys have validated our policies, our accounting firm produced our procedures, and our IT vendor installed our network and systems integration to be HIPAA compliant. So we are covered and have nothing to worry about…”
This is a small sample of the discussions we have about HIPAA compliance with practice managers, security administrators, IT staff, CFOs, and even doctors at practices of various sizes.
Are you sure? And can you prove it?
By definition, HIPAA is a U.S. law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other health care providers. It was developed by the Department of Health and Human Services as a standard to provide patients with access to their medical records and more control over how their personal health information is used and disclosed.
We have all read the rule/law, but what does it really mean?
HIPAA is the basis for privacy standards, but it is cumbersome and hard to understand. It is very important to remember that it is only the baseline for protecting patient data, and we should all treat it as an evolving means to protect all data as if it were our own. We continue to see news reports of large organizations being exposed to data breaches. If large organizations are affected by a breach, it could happen to organizations of all sizes. These large organizations spend millions each year to secure data in their infrastructure, yet we are still seeing examples of exposure. To be HIPAA compliant, you must have third-party verification of your policies and procedures and of the technology they were designed to administer, and you must be able to show that all internal standards are met. All policies must be followed and shown to have sufficient documentation to meet the guidelines set forth by the HIPAA/HITECH acts.
Recently the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) and the Federal Trade Commission (“FTC”) levied fines of over $500,000 for HIPAA violations and misrepresentation of the encryption levels of services offered by a software provider. OCR has the authority to levy fines from $50,000 to $1.5 million depending on the severity of the case, as well as to seek criminal charges against the violators. Vendors and system integrators continue to sell their products as secure. We are living in a time when cyber-attacks are increasing and many organizations believe they have been sold a compliant solution.
There is an increasing gap between IT professionals and executives when it comes to HIPAA compliance. A majority of executives believe they are HIPAA compliant, while few understand what that means or what it provides them. If your organization received government funding for Meaningful Use, you stand a 1 in 20 risk of being audited. To be compliant you must address process and procedure requirements, technology standards, and show that they are consistently monitored and improved if needed. Beyond the potential for fines and legal fees, we must make sure we as a society are diligent in our ability to safeguard all data and maintain compliance in policy, procedure, and technology.
So this means we must spend a ton of money to maintain compliance, right?
Compliance should be a standardized process and should be priced at a standard cost based on the size of the practice. The total cost should be stated up front for the annual assessment and for ongoing documentation management. The cost should reflect the full effort to address all of the OCR published audit protocol points and to manage the process for continuous audit readiness. No one wants to be audited, but if you apply the principles and proof that a legitimate compliance vendor can provide, the audit process becomes much easier. That vendor should supply the customer with a standardized, automated, and complete process that guides the organization through compliance while requiring minimal input from the organization’s staff. The service should include all the required analysis, evidence, documents, training certifications, and network verifications, stored in a HIPAA compliant offsite storage facility. All organizations should have the option to purchase, at a reasonable cost, a monitoring service that alerts them to potential attacks.
Our process makes it easy on the practice manager, helps you gain or maintain compliance, provides a needed service at an affordable upfront cost, documents checks and balances to keep you audit ready all the time, and allows you to get something for your money. With this process, you can truly answer “Oh, we’re covered” when asked about HIPAA.
About the Author: Chad Sizemore is the Managing Partner of ICS Medtech, LLC, a subsidiary of ICS Inc., a technology systems integrator in Birmingham, Alabama since 2006. ICS Medtech combines technology expertise with federal and state regulatory audit experience to provide healthcare clients with reliable professional services. Contact ICS Medtech at 205-423-6958 or email Chad at email@example.com for additional information.