Here at Compass, we have seen a huge upswing in the number of HIPAA / HITECH risk assessments we have been conducting over the last year. Covered entities (doctors, hospitals, pharmacies) and health plans obviously store PHI (protected health information) and ePHI (electronic protected health information) on behalf of patients; the notable growth, however, has been in assessments of “Business Associates”. According to the Health and Human Services website, a business associate is defined as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity”. Because everything from IT support to call center management is now outsourced, many companies encounter both PHI and ePHI as part of their jobs, and their clients are asking that they go through a HIPAA risk assessment.
If you work in the healthcare industry, there is zero doubt that you have heard about HIPAA Compliance thousands and thousands of times. The importance of keeping electronic protected health information confidential is pounded into us on a daily basis and for good reason. But what is HIPAA Compliance? We all know that it is a Federal Regulation specific to two types of organizations:
HIPAA is in the news all the time. Whether it is the tragedy that struck Orlando last weekend, the news of the HIPAA Audits coming, or a new healthcare breach being reported, we are constantly reminded why HIPAA compliance is critical. As with any organization, protecting and safeguarding the sensitive information that you possess is not only essential, it is your responsibility to the customers that you serve. This sensitive information can be of many different types, from personally identifiable information like your name, address, email address, and answers to security questions, to credit/debit card information, to protected health information. What makes healthcare organizations, both covered entities and business associates, unique is that they possess all of the information above. A covered entity holds a significant amount of data on a patient: not only their PHI but also their PII and, in most cases, their payment information. When you think about it, that is a significant amount of information for one organization to hold and be responsible for.
Healthcare security, particularly IT security, has been dominating the news cycles recently, for a number of reasons. The primary reason, however, is that the healthcare sector continues to be a prime target for hackers, organized crime entities, and nation states because of the significant amount of sensitive information it holds on patients. When you combine the risk associated with these various pieces of information with the myriad of Federal (HIPAA), State (breach laws), and Industry (PCI compliance) regulations, it can be very confusing to determine which systems and which information take priority and require immediate attention. On top of this, round 2 of the famed HIPAA Audit program is in full swing. What does this mean for healthcare organizations? It means that many organizations are scrambling to figure out exactly what they have done in the past and what they still need to do to ensure they are successful, should they be picked for the HIPAA Audit program. But where does a healthcare organization start? What challenges is it facing, and what should it be doing about them? Here are some areas to consider:
Healthcare breaches are nothing new; in fact, they have become a weekly occurrence in the news. As an example, a Central Florida oncology provider recently announced that it suffered a data breach at the hands of a hacker, resulting in the compromise of the personal information of 2.2 million individuals. If you want further proof of the seriousness of healthcare IT security and the resulting data breaches, take a journey over to the Department of Health and Human Services “Wall of Shame”, where you can see the details of every reported healthcare breach affecting 500 or more individuals.