Briefings on HIPAA

Albert Einstein once said "The difference between stupidity and genius is that genius has its limits." To paraphrase Einstein, the difference between security and compliance is that compliance has its limits. With each high-profile breach that makes headlines, organizations likely question the link between compliance and security, wondering whether the two are one and the same.

As the use of electronic health records (EHR) surges and organizations work toward meaningful use attestation, more in-depth monitoring of electronic patient records is becoming increasingly necessary.

The intent of quality and safety programs is to evaluate and monitor performance and to improve results. Organizations develop annual quality and safety plans with measurable objectives that departments adopt and include as integral aspects of their performance improvement plans.

Q: I am familiar with the HIPAA Security Rule requiring information system review audits. Are there any HIPAA Privacy Rule requirements?other than to perform audits?that require the examination of inappropriate access for an alleged breach? Currently, our security team performs monthly information system review audits and issues reports to leadership on a quarterly basis. Will this suffice, or are there audits that the privacy team should perform as well?

In my experience, most organizations in the health-care industry?both covered entities and business associates?have taken the steps to put policies, business processes, and training programs in place to help ensure compliance with the HIPAA Security Rule. Still, there's a gaping hole in many healthcare compliance and security programs: a lack of technical security testing of Web applications, mobile applications, and network systems.

Tips from this month's issue

Privacy and information security programs in healthcare organizations have developed and matured to meet the requirements of HIPAA and other federal and state laws. In some organizations, providers and managers struggle to keep pace with the changes. Expanded focus on EHR technology and new threats to the security of personally identifiable information (e.g., healthcare, financial, educational, employment) will further affect privacy and information security programs in the future.

Mobile devices have changed the way people share and access information in their personal and professional lives. Smartphones and tablets may make it easier and faster for people to communicate, store, and access information, but they present risks if lost, stolen, or hacked. This can be especially challenging in the healthcare industry as it has become common for providers to use various mobile tools, including smartphones, laptops, notebooks, tablets, phablets, personal digital assistants, USB devices, digital cameras, and radiofrequency identification devices, to communicate with colleagues and access applications.