A business case for resourcing a compliance assurance program for privacy and security should be possible solely on the basis of the need to respond to complaints made directly to a covered entity (CE) (or business associate (BA) acting as an agent of a CE). However, despite stepped-up enforcement and periodic audits required by HITECH, industry experts still anticipate that a more proactive process for compliance may not be taken until an untoward event occurs. Consequently, other avenues for substantiating the importance of privacy and security measures are necessary and readily available. Information privacy and security officials may find it necessary to go beyond information about HIPAA Privacy and Security Rule enforcement in making the business case. Monitoring the general security industry and relating those risks to healthcare privacy and security are important when doing so. Consider the following:
The implementation of Comprehensive APCs (C-APCs) in the 2015 OPPS final rule likely wasn't a huge surprise to most providers, given CMS discussed this concept in the 2014 final rule and indicated it expected to implement it the following year.
The January quarterly I/OCE update includes new modifiers, changes related to expanded packaging, and continued refinement of CMS' skin substitutes categories, but the biggest change for outpatient hospitals is the implementation of comprehensive APCs (C-APC).
RC.01.01.01, Content of the Medical Record, did not top the list of survey findings for hospitals in the first half of 2014, according to the September 2014 issue of Joint Commission Perspectives. Nor was it on the list for critical access hospitals at all! However, 49% of hospitals surveyed received a requirement for improvement for this standard, primarily in the EPs related to timing and dating entries. This indicates hospitals are still using a lot of paper records. That said, the downward swing is encouraging as more and more hospitals fully implement the EMR.
While organizations should focus on performing regular risk assessments and analyses, there are also other ways in which they must review their systems for compliance. Often, these other evaluations are overlooked despite their value, says Kevin Beaver, CISSP, an information security consultant in Atlanta. In particular, organizations should be careful not to forget about performing vulnerability assessments and penetration tests, which are components of an overall risk assessment or analysis, says Beaver, who is an editorial advisory board member for SHCC's sister publication Briefings on HIPAA.
