A business case for resourcing a compliance assurance program for privacy and security should be possible solely on the basis of the need to respond to complaints made directly to a covered entity (CE) (or business associate (BA) acting as an agent of a CE). However, despite stepped-up enforcement and periodic audits required by HITECH, industry experts still anticipate that a more proactive process for compliance may not be taken until an untoward event occurs. Consequently, other avenues for substantiating the importance of privacy and security measures are necessary and readily available. Information privacy and security officials may find it necessary to go beyond information about HIPAA Privacy and Security Rule enforcement in making the business case. Monitoring the general security industry and relating those risks to healthcare privacy and security are important when doing so. Consider the following:
Even organizations with sound policies, procedures, training, and safeguards can experience a breach. When?not if?a breach occurs, traditional insurance may not be enough to cover the damages. Ensuring that your organization has adopted the appropriate cyber insurance can be valuable in the event of a breach.
Q: As part of the audit controls policy at my organization, we hired an external security vendor to collect and review logs from several critical servers. The vendor creates tickets for our IT staff when a potential incident is discovered during the daily log review. This supplements our own activity reviews of internally generated reports, and the vendor then uses them for its own review. Our internal staff never sees the reports the vendor uses for its review. Do the reports the vendor uses fall under the HIPAA requirement for retaining logs for six years? Should we compel the vendor to retain these reports?
There are many misconceptions about HIPAA throughout the healthcare industry. In particular, business associates (BA) who provide cloud services to covered entities (CE) often have the misconception that they do not need to be concerned with HIPAA if they are compliant with the Payment Card Industry Data Security Standard (PCI-DSS). BAs with this school of thought should be prepared to get their checkbooks out when the Office for Civil Rights (OCR) comes calling.
The Office for Civil Rights (OCR) announced December 8, 2014 that it fined an Alaska behavioral health service $150,000 for potential HIPAA violations. OCR entered into a resolution agreement with Anchorage Community Mental Health Services (ACMHS), a nonprofit behavioral healthcare service, per the announcement (see www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/acmhs/amchs-capsettle...).
At this point, there are no federally recognized HIPAA certification standards for covered entities (CE) and business associates (BA). However, that doesn't mean there are no good assessment tools out there to gauge information security and regulatory compliance. The Health Information Trust Alliance (HITRUST) published its first common security framework (CSF) in March 2009 with the goal of focusing on information security as a core pillar of the broad adoption of health information systems and exchanges.
As the new year kicks off, many opt to make resolutions for the months ahead. BOH asked some privacy and security professionals to share their best tips for a productive 2015. What advice would they offer others in the industry to ensure the year ahead is a success?
