Easing the Burden of Healthcare Compliance


In This Paper

- Federal laws require that healthcare organizations that suspect a breach of sensitive data launch an investigation into the matter.
- For many mid-sized organizations in and around the healthcare industry, these investigations are slow, costly, and hamper productivity.
- Affordable software tools now exist to conduct remote investigations quickly without paying a third-party service provider.

eSecurity Planet Executive Brief. A QuinStreet Executive Brief, 2014.

The Healthcare Compliance Landscape

Much of the news surrounding healthcare in recent years has centered on the Affordable Care Act (ACA), which radically changes the way healthcare is provided to millions of Americans. At more than 2,000 pages long, there is plenty in the ACA to keep healthcare professionals, insurers, and lawyers busy for some time to come. Care providers, compliance officers, and legal departments are all too aware that the ACA is only the latest in a series of laws and regulations to affect the healthcare industry over the past 20 years. The healthcare industry has faced a steady stream of compliance regulations since the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996.

Given the pervasive use of information technology in society in general, and in the healthcare industry in particular, it does not take long for new regulations to affect the IT systems used by healthcare providers and others in the industry. The push toward electronic health records (EHRs), which were legislated into law as part of the 2009 economic stimulus package with the Health Information Technology for Economic and Clinical Health (HITECH) Act, is a perfect example. Clinicians did not spend years hauling stacks of paper records from room to room because they enjoyed the exercise. The healthcare industry relies heavily on legacy IT systems, which require a great deal of time and expense to adapt to 21st-century technology and regulations. Despite the efficiencies of EHRs, it required, quite literally, an act of Congress to convince some healthcare providers they needed to make the transition.

Adapting IT infrastructures to comply with any number of healthcare regulations often requires the use of outside contractors, consultants, and others who need access to systems that store and process sensitive data. It also requires that employees of healthcare organizations become accustomed to new technology, which in many cases is more portable than what they previously used. Healthcare employees are now armed with tablets and laptops that travel with them, are left in parked cars and hotel rooms, forgotten on public transit, or left at home when they take a vacation. Data that previously existed on paper can now easily be sent anywhere using insecure methods, like consumer cloud email services.

Between contractors and employees, there is a great deal of risk surrounding the privacy and security of sensitive data in the healthcare industry. When a breach is suspected, the law requires that healthcare organizations quickly launch an investigation to find the source and scope of the issue. These investigations can be quite costly, to say nothing of the penalties for the breach itself and the damage to reputation and brand.

The Regulations

Here are three regulations currently affecting organizations working in or supporting the healthcare industry.

HIPAA: Violating the privacy and security regulations set forth in HIPAA can result in civil and criminal penalties. HIPAA uses a tiered system of civil penalties, the lowest of which governs an individual who did not know (and with reasonable diligence would not have known) that he or she violated HIPAA. Fines in this tier range from $100 per violation to $50,000 per violation. The fines increase from there (with a cap on annual maximum fines in place):

- Violation due to reasonable cause and not willful neglect: $1,000 minimum/$50,000 maximum per violation
- Violation due to willful neglect but corrected within the required time period: $10,000 minimum/$50,000 maximum per violation
- Violation due to willful neglect and not corrected: $50,000 per violation

HIPAA fines can add up quickly. In April 2014, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it collected a total of $1,975,220 from just two entities to resolve potential violations of the HIPAA Privacy and Security Rules. Both cases involved data stored on mobile electronic devices that went missing and was not properly protected. Criminal penalties for HIPAA violations (which usually center on knowingly violating the law, obtaining information under false pretenses, buying or selling data, and similar conduct) range from fines of up to $50,000 to $250,000 and prison terms of one to 10 years.

The International Classification of Diseases, 10th Revision (ICD-10): This is the system physicians and other providers use to code all diagnoses, symptoms, and procedures. ICD-9 had some 13,000 codes; ICD-10 has more than 68,000 codes, twice as many categories, and gets into specific details, such as separate codes for the right and left leg of a patient. HHS originally required implementation by Oct. 1, 2014. On April 1, 2014, President Obama signed a law that prevents HHS from establishing ICD-10 as the standard before Oct. 1, 2015. As you might expect, IT systems across the healthcare industry need to be re-programmed before the new codes can be used, and because the codes affect systems across the healthcare landscape (when a doctor bills an insurance company, each needs to use the same codes, for example), adoption needs to be synchronized for the system to work properly. Unlike HIPAA, the risk around the adoption of ICD-10 is business-oriented rather than legal: if the new standard is not adopted, an organization may be unable to bill and receive payments. The potential loss of revenue can cripple a healthcare organization financially. The work required to implement ICD-10 might also require the use of consultants or contractors who have access to IT systems, creating a potential security risk.

The HITECH Act: As mentioned earlier, the HITECH Act was passed in 2009 as part of an economic stimulus package, with the hope that firms in the healthcare industry would have to buy software and create opportunities for jobs related to the meaningful use of healthcare IT, especially the conversion to EHRs. Since EHRs present new risks around patient privacy and data breaches, part of the HITECH Act strengthened the HIPAA fines and penalties (mentioned above). In addition to the previously mentioned risks related to HIPAA violations, firms that don't demonstrate meaningful use of EHRs by 2015 could face non-compliance penalties. On the other hand, starting in 2011, the HITECH Act offered financial incentives for organizations that did demonstrate meaningful use of EHRs, so there is something to be gained by complying with the regulations.

| Regulation | Commonly known as | When | What | Risk for healthcare organizations |
|---|---|---|---|---|
| The Health Insurance Portability and Accountability Act of 1996 | HIPAA | Enacted Aug. 21, 1996 | Far-reaching healthcare bill that is perhaps best known for provisions that protect the security and privacy of data like personal healthcare records | Civil and criminal penalties for disclosing sensitive information; corrective actions to protect privacy and security. Civil penalties as high as $50,000 per violation |
| The International Classification of Diseases, 10th Revision | ICD-10 | By federal law, cannot become the new standard before Oct. 1, 2015 | Establishes an extensive new system for coding all diagnoses, symptoms, and procedures in the healthcare industry | Business risk around loss of revenue when non-compliance leads to an inability to receive payments |
| Health Information Technology for Economic and Clinical Health Act | HITECH Act | Enacted Feb. 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 | Aims to expand the use of healthcare IT, including the use of electronic health records | Expands the HIPAA requirements around privacy and security, updates HIPAA penalties, and imposes new requirements for notifications of breaches |

Table: Summary of important healthcare industry regulations

Who is at Risk?

Large healthcare organizations, such as those that run large hospitals or multiple hospitals, or health insurance providers, clearly have a lot to lose if they fail to comply with any of the regulations mentioned above. These organizations, however, employ small armies of lawyers, establish entire departments devoted to compliance issues, and have the resources to bring in outside help if needed. Because of the amount of data they handle, investigations into how information is handled or the circumstances surrounding a breach or possible breach are rather routine.

Mid-sized organizations that operate in the healthcare industry are not quite as fortunate. They often lack the internal resources to easily conduct investigations of data breaches. In addition, they are rarely equipped financially to weather the cost of investigations and potential penalties. Some of these mid-sized healthcare organizations are firms that run clinics and large private practices. But they do not need to be directly involved in providing healthcare to incur risk. An entire ecosystem of businesses exists to provide services to healthcare organizations and their patients, including records management businesses that serve healthcare organizations, firms that provide medical billing services to healthcare providers, and law offices that handle medical-related claims and lawsuits that require them to handle healthcare records. These firms also need to manage their risk and find ways to ease the burden of compliance.

For these organizations, violating regulations like HIPAA and paying fines are just part of the risk. Complaints require investigations, so healthcare organizations are liable for the time and costs of an investigation even when no wrongdoing is eventually found. Between April 2003 and March 31, 2014, HHS received more than 94,445 HIPAA complaints and resolved 94 percent of them. More than 22,000 of those cases were resolved through investigation and enforcement. For 10,057 of those complaints, an investigation was required but no violation was found. More than 56,000 complaints were not eligible for enforcement. In the same timeframe, the two most common HIPAA complaints revolved around impermissible uses and disclosures of protected health information and a lack of safeguards for protected health information. The most common healthcare industry entities that needed to take corrective action in that timeframe were general hospitals, outpatient facilities, health plans, and pharmacies.

How Investigations are Typically Handled

When many of these mid-sized healthcare organizations need to conduct an investigation into a possible breach involving sensitive data, they turn to a service provider that specializes in such investigations. For a handsome fee, these contractors will travel to the site(s) involved, take possession of any computers, storage

drives, or equipment they need, and conduct an investigation of the matter. Organizations with the resources to handle such an investigation internally may take many of the same steps. Either way, there are a number of disadvantages to the way these investigations are currently handled, including the time it takes, the costs, the travel, and the disruption to the business when hard drives, workstations, and other assets are unavailable.

How EnCase Enterprise Can Help

EnCase Enterprise from Guidance Software is a powerful tool that can be used by healthcare organizations and associated firms to conduct remote investigations into possible breaches. It allows organizations to easily search, collect, and preserve the data on servers and workstations connected to their network without taking physical possession of a device. Rather than outsourcing an investigation to a third party, healthcare organizations that use EnCase Enterprise can allow their own security professionals, incident response teams, or litigation specialists to investigate a possible breach in less time and with fewer expenses.

EnCase Enterprise can be used remotely, which means healthcare firms that are de-centralized or essentially operate multiple locations can take advantage of their in-house expertise even if it is located in a different physical location than the one involved in an investigation. This ability to remotely conduct an investigation also means investigations can be completed more quickly and there is no need to pay for travel expenses.

A thorough investigation related to compliance with healthcare regulations can take a toll on the productivity of employees. Business must go on despite an ongoing investigation, and when employees have their workstations or laptops taken away, it often negatively impacts their productivity.

To eliminate such downtime, EnCase Enterprise relies on a small servlet that is installed on every machine and server connected to the network. EnCase Enterprise is not monitoring software; it does not track user activity in real-time. Instead, the EnCase Enterprise servlet remains dormant on the machine until needed. It is then activated by an investigator and works behind the scenes to uncover the activity that took place on the equipment and may possibly shed light on a possible compliance violation. The data is collected and stored in the background, invisible to users, allowing normal business activities to continue undisturbed.

To further protect against risk and to establish the integrity of the information collected as part of the investigation, EnCase Enterprise collects potential evidence in a forensically sound manner and preserves it in a court-accepted format that proves the chain of custody.

Many mid-sized healthcare organizations outsource investigations of compliance issues because they lack access to the tools they need or find them priced for larger organizations or specialists. EnCase

Enterprise is available at a price point designed to appeal to mid-sized organizations that lack an army of compliance officers and investigators. Given the potential penalties and other costs involved in performing investigations, mid-sized healthcare organizations can achieve a positive return on their investment in EnCase Enterprise after just a few uses.

Conclusion

The healthcare industry has seen an increase in regulation over the past 20 years, which means healthcare organizations are devoting a significant number of resources to their compliance efforts. Regulations regarding patient privacy, the increased use of EHRs, and upgrades to existing technology often mean employees need to be re-trained and outsiders brought in, both of which increase the risk of data breaches or other incidents that incur costly penalties. Many mid-sized organizations in the healthcare industry currently outsource their investigations of potential breaches and other compliance issues to third-party specialists, or they conduct costly, time-consuming investigations using internal resources that can negatively affect normal business operations.

EnCase Enterprise from Guidance Software is an affordable, easy-to-use tool that allows mid-sized healthcare organizations to remotely conduct investigations into breaches without incurring the costs of travel, outside experts, or business downtime. It can be used by security experts, litigation experts, and compliance officers to collect and store information from any server or workstation on the network and preserve that information for successful use in legal proceedings.

To learn more about EnCase Enterprise, visit: www.encase.com/enterprise.