A recent survey of healthcare providers conducted by Healthcare Information Security Today found that training and educating staff is the biggest compliance issue they face. Two other issues were of major concern to providers:
While the web and bring-your-own-device (BYOD) technology make it convenient to reach health records from any device, they create serious problems for healthcare providers. The first is the loss of a personal device that stores, or has access to, protected health information (PHI). Staff must be educated not to store PHI on personal computers, and not to save on the device the usernames and passwords that give it access to the healthcare provider's systems.
The consequences of a breach are costly. A May 7, 2014 release from the Department of Health and Human Services describes settlements arising from a breach that totaled $4.8 million.
A physician employed by Columbia University, which has an affiliation with New York Presbyterian Hospital (NYP), caused a breach of electronic protected health information (ePHI) while trying to deactivate a personally owned computer server on the network run jointly by Columbia University and NYP. The breach came to light when the partner of a deceased NYP patient found the patient's ePHI on the Internet and filed a complaint.
According to the release, both hospitals failed to notify the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) appropriately about the breach, and both were responsible for the impermissible disclosure of ePHI on the Internet.
“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, acting deputy director of health information privacy for OCR. “Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems.”
New York Presbyterian Hospital paid OCR a cash settlement of $3.3 million, and Columbia University paid a settlement of $1.5 million. Source: Healthworks Collective
“Many covered entities are still tackling the challenge of making sure their business associates are HIPAA compliant,” he said. “But a lot of covered entities don’t even know who their business associates are.”
Under the 2013 HIPAA Omnibus Rule, business associates are directly responsible for HIPAA compliance. This means that although most business associates and vendors have done business with healthcare providers since HIPAA's passage, they must now meet a number of HIPAA provisions themselves. Business associates that are not in compliance are subject to fines of up to $1.5 million per year for each category of violation.
Business associates have been subject to HIPAA compliance requirements since 2013. Cloud storage providers, billing companies, and any other vendor with access to health records kept by a provider are considered business associates. The rule also allows OCR to audit business associates directly, and for some vendors the cost of compliance simply is not worth it. Finding replacements for those vendors is difficult for healthcare providers. Equally difficult is negotiating and signing business associate agreements that contain the proper HIPAA language, and then verifying that each business associate actually remains in compliance.
Choosing the right business associates goes a long way toward easing IT executives' worries about keeping their back-end systems in HIPAA compliance.
abeo Management Corporation (abeo) is a leading provider of revenue cycle management and practice management services, with a specialization in anesthesia. The company leverages its people, processes, and software to serve independent practices, surgery centers, hospitals, and healthcare systems with services that include billing, coding, transcription, practice management, and business consulting.