Sunday, February 27, 2011

Cignet Pays A Heavy Price for HIPAA Violation!

A recent HIPAA violation case has reinforced the need for health care organizations to focus on creating and keeping records efficiently for easy access; many do not create the records in the first place! Where they have not, the tendency has been to neglect their responsibilities towards enforcing security compliance measures under the HIPAA and HITECH regulations, at times not knowing what to do or how to go about it. Only when a charge is received do they wake up to the fact. And in the case of Cignet, additional penalties were levied for not cooperating with the investigating agency! As reported, Cignet Health of Prince George’s County, Md., has been charged a whopping $4.3 million civil money penalty (CMP) for denying 41 patients access to their medical records. It was further alleged that Cignet willfully took a non-cooperative stance, as it did not furnish the records when demanded by the Office for Civil Rights (OCR). Why and how did this happen? The law provides exceptions for not sharing information, but the organization had no such defenses to take recourse under those exceptions! If a set of policies and procedures had been in place, it would perhaps have been much easier for them, at least to have reduced the penalty, rather than paying 4.5 Million USD.

With such incidents and reports of severe penalties, security compliance among healthcare organizations has become quite a talking point. Yet it is startling to see that, despite the imposition of the HIPAA and HITECH rules, there seems to be no change in the callous attitude of some health organizations. Conversely, there are some who religiously try to follow the compliance regulations but fail to deliver the desired results. This could be due to a lack of visibility when assessing the security requirements of the organization, leading to the adoption of inadequate strategies and solutions. Many times organizations become victims of security breaches because they cannot afford to purchase the new infrastructure that would help them remain compliant with new and updated regulations. Most of them face massive pressure as they struggle to cope with revised and updated regulations while trying to maintain control over their budgets.

It does not matter whether the cause of the damage is intentional or accidental; the repercussions can matter a great deal to any healthcare organization. It is difficult to recover from the penalties, and it is an uphill task to rebuild years of reputation that can be washed away instantly by one unfortunate incident. SecureGRC SB is an ideal solution that helps medical organizations stay compliant not only with HIPAA/HITECH requirements but also with other compliance regulations such as PCI, SOX and ISO. Its unique approach to settling security issues and tackling data breach possibilities is laudable. It is a web-based solution that delivers its services on the cloud. It deploys a monitoring system that constantly monitors and captures real-time information and provides regular status updates through the front dashboard.

This solution does not entail the purchase of any new infrastructure and thus saves organizations from worrying about investing in new hardware. SecureGRC SB provides optimum healthcare regulatory compliance assistance because it is affordable and, thanks to its automatic updating capabilities, organizations can adjust their existing practices to revised regulations. It also facilitates tracking and monitoring the activities of business associates by providing the best HITECH compliance management solutions. Though negligence and callousness are unforgivable where a patient’s confidentiality is concerned, the automated SecureGRC SB can help eliminate the possibility of such occurrences and provide a safer and more secure environment for patients and providers.

Get more information about IT healthcare compliance here.

Wednesday, February 23, 2011

Safe and Secure Compliance Practices For Small Business

It is a strangely paradoxical situation that, despite revised and stricter compliance regulations, the number of security breaches seems to rise. The HIPAA mandate was enforced to reduce the risks threatening patients’ personal records, but there has hardly been any positive report of effective progress towards a threat-free environment.

According to a recent study conducted by Redspin, the leading service provider of HIPAA risk analysis and IT security, 6 million people were affected by security breaches between August 2009 and December 2010. The number accounts only for those security breaches reported to the Department of Health and Human Services, which means that the actual number may well have exceeded 6 million.

It is an alarming fact that, despite efforts to tighten security measures, medical organizations, especially small practices, remain a soft target for various kinds of illegitimate activity. This is not only because of hackers who use sophisticated technology to defeat security systems, but also because loss and theft of mobile devices have become a regular occurrence.

The freedom to use USB drives, cell phones, laptops, etc. to keep pace with a competitive world has led employees and organizations to overlook the discreet handling of confidential data and the dire consequences of its loss. Business Associates have been identified as another vulnerable link resulting in security breaches.

Small medical practices consistently falter in complying with the HIPAA/HITECH regulations, as they cannot stretch their budgets to employ new infrastructure and deploy solutions to curb all malpractices.

SecureGRC SB is a one-stop solution for all security and risk assessment needs, without any additional cost for new infrastructure. The service is delivered on the cloud and fulfills all HIPAA/HITECH compliance requirements pertaining to small business. Small businesses are given complete control to gauge their HIPAA and HITECH requirements through a simple self-assessment menu.

SecureGRC SB contains a central repository for all documentation pertaining to HIPAA. It sends reminders to ensure compliance regulations are maintained. It follows an automatic updating schedule as per the latest revised regulations. It provides reports on compliance status for auditing. The solution maintains a track record of business associates and provides plug-ins in case of any PCI-DSS compliance requirement.

Small businesses can afford neither expensive solutions nor penalties for non-compliance. They need to adopt an astute approach to IT healthcare compliance to achieve high scores. SecureGRC SB is the perfect solution: an affordable, precise and simplified option with guaranteed results.

To know more, read the article on IT security compliance.

Sunday, February 20, 2011

Pursuing The Right Lead Towards Healthcare Compliance

Intense competition and unscrupulous attempts have done a lot of damage to the credibility of the healthcare industry. With rampant reports of misplaced patient records and unethical access to confidential data, measures have been enforced to deal firmly with compromising situations. Despite the enactment of the HIPAA laws, hospitals and medical facilities face challenges in preserving the confidential records of their patients. This is because healthcare organizations fail to implement an approach that can administer their processes and workforce in a comprehensive and cohesive manner.

In 2010 Rite Aid, the pharmacy chain, was fined $1 million for violation of HIPAA. Recent statistics revealed that from Dec 18, 2010 to Jan 17, 2011, 16 data breaches affecting more than 500 patients were reported by the OCR (Office for Civil Rights), bringing the total number of events to 225. Even though these medical organizations endeavor to implement the best security solutions, they fall prey because they are unable to keep up with the revised regulations, owing to faulty policy frameworks.

Organizations also have the persistent problem of adjusting their budgets to the varying demands of a more secure and current healthcare compliance framework. The HITECH and HIPAA compliance regulations have kept organizations on their toes, as they must be prepared for any unforeseen incident. This requires proactive planning and the implementation of robust solutions to combat unexpected security breaches.

Compliance entails meticulous records management, continuous monitoring of compliance status, scheduled audits, optimum management and control of data, and highly efficient analytical and reporting capabilities. All of these are present in the automated HITECH compliance management solution delivered through a cloud-based service. The solution provides capabilities such as automatic updating of policies as per the revised regulations, regular updates on compliance status, identification of HIPAA/HITECH requirements, and remediation measures.

Business Associates have been identified as one of the prominent links in security breaches. Thus the web-based program has been designed to adhere to all HITECH compliance regulations meant for business associates. The solution is provided on the cloud, which means there is no additional cost for new infrastructure, a respite for organizations reeling under tremendous financial pressure. The fear of bearing agonizing penalties is over for the healthcare industry. With the web-based IT security compliance program, security issues and risk management can be handled effectively and cost-efficiently, providing relief to the healthcare sector.

Know more on: HIPAA compliance.

Friday, February 18, 2011

Assured HIPAA and HITECH Compliance for Small Medical Practices

The imposition of an increasing number of security and compliance regulations on the medical fraternity is a never-ending issue. Organizations struggle to keep their processes, policies and staff in step with a rapidly changing environment. Small medical practices suffer in comparison to larger medical facilities, as they do not have the finances to employ the new solutions that are constantly introduced to keep their policies updated. This results in intentional and unintentional violations of the HIPAA and HITECH Acts, invoking punishing penalties.

The use of mobile devices to facilitate the uninterrupted workflow of employees has resulted in disastrous consequences, such as loss and theft of the devices, and has raised concern about the security of patients’ personal health information. The stringent HITECH Act has been enforced to ensure that this kind of callous attitude is shown no mercy. The penalty for violation of the HITECH Act can amount to $25,000 and can be raised up to $250,000, accompanied by long-term imprisonment.

Small medical practices are the worst affected, as non-compliance portrays them as inefficient and unreliable service providers, besides dealing a severe blow to their budgets. To save themselves from unfair penalties, these small practices can employ the automated web-based application that helps them meet all regulations pertaining to HIPAA Compliance. This is an affordable solution that helps small practices achieve compliance without any large investment.

This SaaS-based solution ensures that privacy and security policies are in accordance with the HIPAA/HITECH requirements and has an efficient system that provides proof of compliance status for auditing purposes. It automatically updates existing policies according to newly revised standards. It automatically sends reminders for assessment of the monitoring procedures. The HITECH Act specifically emphasizes compliance regulations for business associates connected with the medical industry. The web-based solution has been designed to keep track of all activities of business associates.
The HIPAA/HITECH compliance management software solution provides exclusive advantages to small practices. It is an incredible tool that helps deal with all Healthcare Compliance risks thoroughly, as it deploys continuous processes that ensure security and compliance round the clock. With the stringent enforcement of the HIPAA and HITECH regulations there is no pardon for any careless mistake or vile action. The new web-based application is the best solution for small practices to achieve maximum compliance without fear of penalties.

Thursday, February 17, 2011

What’s New in Healthcare Regulatory

Did you know that the HIPAA 5010 and ICD-10 rulings have impacted close to 80% of most enterprises’ health plans, business processes and systems? The administration has imposed definite deadlines for migration and completion of replacements. HIPAA 5010 involves the adoption of new guidelines for claims, eligibility inquiries, payment advice, recommendation or referral authorizations and several other transactions. This migration process adopts a restructured version of the National Council for Prescription Drug Programs (NCPDP) standards and also the Medicaid pharmacy subrogation transaction standards. ICD-10 is the US Department of Health and Human Services (HHS) regulation that is set to replace the ICD-9 clinical modification code sets. It basically involves revamping the existing coding systems in all healthcare enterprises. The compliance deadline for HIPAA 5010 is Jan 1, 2012, and for ICD-10 it is Oct 1, 2013, which means that after these dates all electronic claims and services (including medical diagnosis and in-patient procedures) must use version 5010 and ICD-10 respectively.

Meeting the migration and compliance timelines will require quite a bit of effort from healthcare enterprises, because they will need to address all reforms successfully, and to do that they need to enhance their operational agility to see improved results. The major challenge in meeting all the compliance requirements remains effective integration between web-based technology and organizational services to further enhance customer experience. Healthcare enterprises need to make some additional effort in their overall healthcare compliance plans to comprehensively manage the transitions and mitigate all risks.

From healthcare enterprises to physicians to pharmacy managers, all are required to implement these new standards to make interoperability between systems possible and to ensure total competency at all levels. HIPAA migration requires certain modifications in the way transaction data is collected and conveyed. This means that the data to be transmitted needs to be made much simpler and more understandable. In addition, enterprises will also need to classify their aims and the rules connected to each transaction. ICD-10 migration will bring changes that include an increase in the number of codes in the code sets from 18,000 to 140,000, along with an enhanced code size: instead of the standard character length of 5, codes will be 7 characters long, to permit greater quantities of data. Furthermore, this migration will also see structural alterations from the use of numeric codes to alphanumeric ones.

The new HIPAA 5010 and ICD-10 rulings ensure improved usability and efficacy of transactions, including claims, eligibility inquiries and several other transactions. They improve the security of personal medical information and also help healthcare customers buy the correct and effective health insurance. It therefore goes without saying that enterprises in the healthcare sector need to be aware of all the nuances and intricacies that exist within the healthcare regulatory compliance rules. Hopefully this article has helped clear up some of the doubts.

Also know more on: GLBA compliance.

Monday, February 14, 2011

The Significance of Healthcare Compliance

The US healthcare industry is governed by different sets of regulations for private and public companies and for federal agencies. In general, however, all healthcare entities have to comply with constantly changing regulations. HIPAA, the Health Insurance Portability and Accountability Act, is the primary regulation applicable to all healthcare providers, employers, authorities responsible for public health, health insurers, clearing houses, billing agencies, health plans, vendors, information systems, hospitals and service organizations, as well as universities.

Failure to comply with HIPAA attracts civil and criminal penalties, with fines of up to $25,000 for recurring violation of the same standard in one calendar year and fines of up to $250,000 along with 10 years’ imprisonment for tampering with and misuse of an individual’s identifiable health information. All healthcare organizations have to disclose their use of protected health information and show documented evidence of physical, administrative and technical safeguards.

While the role of IT is unmistakably of great relevance to regulatory compliance, customer satisfaction and cost control, the increasing demand to share and handle information diligently without increasing costs is an immense challenge for organizations. Moreover, since customers prefer the convenience of accessing information through the Internet, the healthcare industry needs automated web-based solutions that can fulfill these needs and improve the efficiency of operations through tactful management of information, both internally and externally, without affecting costs.

The Patient Protection and Affordable Care Act, signed into law by President Obama on March 23, 2010, contains several regulations to check fraud and abuse and to ensure provider compliance. Under this act all providers must be aware of and adhere to the new regulation changes. In such a precarious environment it is advisable to invest in a robust compliance program that can execute the best operational practices and maintain and monitor optimum records management for the safety of individuals.

The program provides quality solutions for healthcare regulatory compliance and fosters data control, compliance enforcement, regular auditing schedules, recording and reporting analysis, and remediation measures. With a standardized process in force, healthcare organizations can stay in sync with changing regulations and maintain a high standard of compliance.

With the introduction of automated systems, healthcare organizations are in complete control of their processes. Access to personal health information is restricted without ambiguity, thus providing security to individuals and making IT healthcare compliance a truly competent and effective approach.

Friday, February 11, 2011

Importance of HITECH Compliance

HIPAA has been enforced to safeguard the confidential personal health information of medical patients. It has strict guidelines that make regular security monitoring and assessment mandatory, and it recommends encryption as an essential security parameter.

With a rising number of security breaches there is a lot at stake for both patients and healthcare organizations. The HITECH (Health Information Technology for Economic and Clinical Health) Act came about as an extension of HIPAA, extending its reach to business associates such as those offering legal, IT or accounting services, those providing financial support, those involved in marketing, etc.

The new rule also requires healthcare entities to give specific notification to patients about data breaches. Business Associates and healthcare providers have to undergo audits from time to time to ensure overall HITECH compliance. Non-compliance can result in a heavy penalty of up to $250,000, while for repeated and unrectified violations the penalty can go up to a maximum of $1.5 million. Therefore, to ensure that all their security parameters are in line with HITECH requirements, healthcare organizations need to take care of certain vital elements:

1. Assessment of Risks – Healthcare providers need to conduct an extensive analysis of existing practices related to personal health information to assess the risk of data breaches. Maintaining a PHI inventory with accurate information can help in identifying risks in policies and procedures as well as in IT systems. Identifying business associates with access to PHI is also vital.
2. Secured Metrics – Healthcare organizations need to ensure that risk assessment information is secured by following the HITECH guidelines. The amount of personal data revealed should be only as much as a business process requires. Encryption of information systems is the ideal approach to reduce the risk of data breaches and to address data breach notification requirements.
3. Contract Scrutiny – Under HITECH law all business associates have to clearly state how they use the personal information they have been allowed to access. An assessment of procedures provides insight into which associates pose the highest threat. As a result, healthcare organizations can make changes to the contract and initiate processes for negating high-risk contracts.
4. Breach Detection Plan – According to the HITECH Act, notification must be provided within 60 days in the event of any data breach. This includes minor losses or disclosure of either single records or any amount of personal information. If an organization is found to be incapable of detecting a breach, it could mean fines of up to $1.5 million.
5. Breach Response Plan – Notification of even the smallest data breach is mandatory under the HITECH Act. A record of every breach has to be submitted to the Department of Health and Human Services.

Healthcare organizations shoulder immense responsibility for securing their patients’ data. Hence it is important for them to invest in competent and aggressive HITECH compliance management software that can detect breaches early and maintain IT audits to check for irregularities in patient records.

Top HIPAA Compliance Tips for Small Practitioners

The Health Information Technology for Economic and Clinical Health (HITECH) Act has brought about significant changes in the healthcare industry’s approach to data protection. According to the Ponemon Institute’s benchmark study on Patient Privacy and Data Security of Nov 2010, “data breaches were responsible for huge costs for healthcare organizations that amounted to an average of close to $1million annually.” However, the HITECH Act is expected to change this scenario soon.

Now referred to as HIPAA-2, the HITECH Act has stringent requirements for compliance, penalties, and incentives for the adoption of Electronic Medical Record keeping (EMR). The new and stronger Act is designed to ensure that data breaches are reduced drastically. Since the HITECH Act makes it mandatory for healthcare organizations to reveal patient privacy breaches to their patients, these organizations, including small medical practices, are looking for a cost-effective HIPAA/HITECH compliance solution. Here are a few tips to help small medical practitioners pick the right solution to meet HIPAA/HITECH compliance requirements:

  • Choose a compliance solution that covers both privacy and security standards.
  • Opt for a solution that provides documented proof/evidence of compliance, which can be produced for auditors and other authorities if needed.
  • The solution must provide menu-driven assessment to assist in comprehending and controlling HIPAA/HITECH requirements.
  • The solution must offer a comprehensive policy framework and customized templates for easily attaching evidence.
  • The HITECH compliance management solution should offer medical practitioners a central repository for all HIPAA compliance related documentation.
  • It should offer automatic updates on new or revised policies, procedures, and forms that reflect changes in standards or regulatory requirements.
  • It should send out periodic reminders for assessment and monitoring of compliance.
  • It should provide appropriate tools for tracking and managing business associates, with a simple plug-in option for all PCI-DSS compliance requirements.

Introduced in conjunction with the American Recovery and Reinvestment Act of 2009, the HITECH Act makes it mandatory for healthcare entities to follow Electronic Medical Recordkeeping (EMR) methods. To ensure that healthcare companies comply with these requirements, several attractive incentives are being offered. However, non-compliance attracts very heavy penalties and fines that could amount to $1.5 million per year, or criminal prosecution. Healthcare practitioners should therefore keep these tips in mind while choosing a compliance solution, because it’s better to be safe than sorry!

Also read articles on: IT Compliance.

Monday, February 7, 2011

Understanding HIPAA and HITECH Compliance

The healthcare industry is now governed by stringent regulations that will change the way healthcare organizations have been operating. Here is an overview of the laws that govern the healthcare industry today.

The American Recovery and Reinvestment Act (ARRA) is an economic stimulus bill enacted on 17 February 2009 to help the United States economy recover from recession. Apart from health care, the other sectors on which ARRA has a bearing are education, infrastructure, energy, and social welfare.

ARRA and the Health Care Industry

The American Recovery and Reinvestment Act of 2009 not only modifies an existing federal law but also introduces a new one, with the aim of improving economic efficiency in the healthcare industry by encouraging increased use of technology in the sector. Through the HIPAA and HITECH Acts, ARRA makes it mandatory for all doctors, dentists, chiropractors, psychologists, nursing care providers, or anyone who handles Patient Health Information (PHI) to be compliant with the regulations laid down in both these Acts. Not only lone medical practitioners but also small medical groups are bound to comply with these Acts. Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, health care data breaches attract significantly stiffer penalties than they used to, with the Department of Health & Human Services (HHS) seriously committed to enforcing those penalties and publicizing all major data breaches. The HITECH Act also broadens the definition of a covered entity under the Health Insurance Portability and Accountability Act; many organizations that had not been required to comply with HIPAA privacy and security rules must now do so.

HIPAA and the HITECH Acts

HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 to enhance the efficiency of the healthcare system by ensuring insurance coverage for employees and workers, forbidding discrimination based on health status, protecting the privacy of patients’ health records and promoting the use of technology. The data privacy and security requirements of HIPAA came into effect in 2003. Under these rules, all businesses in the medical and healthcare sector are required not only to protect the medical information of patients but also to make their systems compliant with the standards set forth in HIPAA.

The HITECH, or Health Information Technology for Economic and Clinical Health, Act, on the other hand, was enacted in 2009 as part of ARRA. Under this act, from 2011, financial support will be provided to all those who take steps to embrace technology in the healthcare space by maintaining electronic health records (EHR). However, from 2015 onwards those who fail to comply with the HITECH Act face heavy penalties. The Electronic Health Record Incentive program offers cash incentives to hospitals and other eligible professionals (EPs) who can successfully demonstrate meaningful use of EHR technology.

HIPAA/ HITECH Compliance

The need to comply with the HIPAA and HITECH Acts has placed increased pressure on medical groups and practitioners, who not only have to ensure but also prove that their systems and practices are competent enough to protect patient health information. Since the lack of a comprehensive security framework can cause irreparable damage, healthcare organizations need a solution that can handle healthcare regulatory compliance effectively. Such a solution would come as a relief to all healthcare providers and practitioners by making healthcare compliance simple and hassle-free.

Friday, February 4, 2011

Top 3 Healthcare IT Challenges

IT is a good investment, especially for healthcare organizations. A study conducted in 2007 by Florida State University revealed that patients treated in hospitals that employed IT systems had better health outcomes. While the benefits offered by IT systems are quite apparent, managing an increasing number of computers and other devices, and the information they hold, poses significant challenges, mainly concerning information security. Here are the top three challenges that healthcare organizations should be prepared to tackle:

  • Challenge 1 – Securing the Growing Volumes of Electronically Stored Medical Records: With PCs and mobile devices quickly replacing traditional patient charts, the number of electronic medical records (EMRs) has skyrocketed. And with multiple systems and networked devices, security becomes a huge concern. Determining access rights, implementing effective controls, and managing change can be immensely challenging. Moreover, many healthcare organizations extend beyond a single physical location for off-site services, home-health services, etc. In such cases, EMRs are constantly on the move, and the security of databases and network systems is a major challenge.
  • Challenge 2 – Issues Concerning Data Storage: With EMRs multiplying every day, data storage is a growing concern. Hence online and offline data storage, and storage virtualization, are adopted to tackle the problem. However, these solutions may add to the security concern if carefully defined data storage policies are not in place. And to manage and improve the storage environment that holds the enormous amount of medical data generated every day, healthcare organizations have to adopt a centralized and standardized storage management solution. Identifying such a solution is itself a challenge.
  • Challenge 3 – Compliance with Multiple Changing Regulations: Storage of large volumes of medical records brings with it several risks, and consequently a number of compliance issues. Governing access to sensitive data, keeping track of who has access, when and how, and who can retrieve and process confidential records are all concerns surrounding security and compliance. With more and more stringent regulations laid down by the government in the form of HITECH, HIPAA compliance, etc., healthcare compliance is now a major concern.

Irrespective of these challenges, healthcare entities cannot neglect the role of technology in providing superior patient care. While on the one hand the healthcare industry has to adopt technological solutions to provide better medical services, on the other it has to abide by HIPAA/HITECH compliance. By employing a comprehensive, automated compliance solution, healthcare entities can enjoy the benefits offered by technology while also mitigating the risks it may pose.

Thursday, February 3, 2011

EHR Incentives: A Catalyst for IT Security

In 2005, when HIPAA came into effect, healthcare organizations were required to mitigate risks by conducting periodic risk assessments. But until recently a significant number of healthcare entities did not put this into practice. According to a recent survey, 14 percent of hospitals and 33 percent of clinics were yet to conduct their first risk assessment. However, the EHR program funded by the federal economic stimulus package has been a catalyst for information protection.

The billions of dollars in incentives set aside for hospitals and physicians that implement secure Electronic Medical Records (EMR) have spurred security initiatives in the healthcare industry. Many healthcare entities are now ramping up risk assessment, encryption and email security, data loss prevention, and formal security training for employees.

To qualify for these incentives, however, healthcare organizations must use an EMR system certified to include specific functions, among them a strong set of security features. Threat mitigation, risk analysis, and compliance with the HIPAA and HITECH Acts have therefore come to the forefront. A significant challenge stems from the fact that most medical practitioners are unfamiliar with encryption and user authentication technology, and the idea of conducting a risk assessment is foreign to them.

Sole practitioners and small healthcare entities in particular face difficulty achieving and maintaining compliance with the HIPAA and HITECH Acts. With HITECH redefining the responsibilities of Business Associates, creating stricter breach notification standards, tightening enforcement, and raising penalties for non-compliance, small healthcare entities need a solution that can manage these elements efficiently and cost-effectively.

Moreover, with the HITECH Act promoting and offering incentives for the adoption of secure EMR, small medical practitioners face a growing dilemma: adopting an EMR system brings not only government incentives but also greater security risk and bigger penalties for non-compliance. This is where eGestalt's SecureGRC SB comes in.

SecureGRC SB: Simplified HIPAA/HITECH Compliance Solution for Small Medical Practices

SecureGRC SB is a unified security monitoring and compliance management solution delivered on the cloud, the first of its kind. It offers an inexpensive, easy-to-use, automated compliance system designed for small medical practices and their Business Associates to identify, remediate and maintain HIPAA and HITECH compliance.

With built-in HIPAA/HITECH support, SecureGRC SB addresses all HIPAA/HITECH requirements and also helps manage Business Associates through a simple wizard-driven automation tool. SecureGRC SB can be easily extended and is automatically kept up to date with the latest versions and revisions of these Acts.

Wednesday, February 2, 2011

Addressing Healthcare Compliance: The HITECH Act


With a dramatic increase in the number of security breaches and thefts of patient health records (PHR), there is mounting pressure on healthcare organizations to implement a thorough access governance framework to protect electronically stored PHR. This called for extending the Health Insurance Portability and Accountability Act (HIPAA) to accommodate a preventive rather than reactive approach to security; the result was the Health Information Technology for Economic and Clinical Health (HITECH) Act, which imposes much more stringent requirements on top of the privacy and security rules of HIPAA.

The HITECH Act takes a broader and more preventive approach by enforcing specific control requirements for the protection of PHR. HITECH compliance requires not only a system for recording evidence of compliance but also an audit trail of who has access to Electronic Health Records (EHR), and how and when those records were accessed. With all these regulatory standards to address, healthcare organizations need a comprehensive security monitoring and compliance management solution that can deal effectively with access control and the other requirements. Here are some features to look for:

Automated Access Controls: Healthcare organizations need a solution that implements automated controls to ensure only authorized access, and that handles change management as users' roles within, and relationships with, the organization change. It should maintain policies consistently to avoid access-related risk.

Preventive, rather than Detective Approach: Applying access-control policies in an environment subject to constant change is a formidable challenge, so effective change management matters. The security solution should simplify change management by assigning pre-defined compliant roles and by providing a closed-loop validation process that ensures access rights not required for a given role are revoked. This is a preventive approach: it removes inappropriate access before it is used rather than detecting the misuse afterwards.

Complete Compliance Support: Complying with multiple regulations is a challenge for organizations of all sizes, and more so for healthcare organizations that process electronically stored patient records. While they need to ensure overall information security, they also have to abide by the stringent requirements of the HIPAA and HITECH Acts. To ensure healthcare compliance, organizations should adopt a solution that offers complete support with simple, easy-to-use tools, scalability, and easy plug-in capability to accommodate new regulations.

Some compliance solutions also push automatic updates on new policies and procedures and on modified regulations and requirements. They also track compliance status and send periodic reminders for compliance maintenance. With such an integrated compliance solution and a strategic policy framework in place, healthcare organizations can gain complete visibility into and control over information access, and effectively mitigate the risk of unauthorized access to sensitive PHR.
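The role-based access control, closed-loop validation and who/when/how audit trail described in the features above, as an added example (this is not code from the page or from any product it names). The roles, permission strings, user names, resource identifiers and the access scenario are constructed for illustration; the least-privilege role model is an assumption, not a HIPAA-mandated structure:

```python
"""Role-based access reconciliation with a who/what/when/how audit trail.

Added example. The roles, permission strings, user names and resource
identifiers below are constructed for illustration and do not come from
any real EHR system or product.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical least-privilege role model: each role lists only the
# permissions it needs. Any grant outside the role's set is "excess".
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "physician": {"ehr:read", "ehr:write", "orders:write"},
    "nurse": {"ehr:read", "vitals:write"},
    "billing": {"claims:read", "claims:write"},
    "front_desk": {"schedule:read", "schedule:write"},
}


@dataclass
class User:
    name: str
    role: str
    grants: set[str] = field(default_factory=set)  # what the user actually holds


@dataclass
class AuditEvent:
    when: str      # UTC timestamp
    who: str       # user, or the reconciler itself
    action: str    # permission exercised, or revoke / grant / role-change
    resource: str  # record, claim, permission name, or user name
    how: str       # channel (web, api, ...) or the role context
    outcome: str   # allowed / denied / what the reconciler changed


class AccessGovernor:
    """Enforces role entitlements and keeps an append-only audit log."""

    def __init__(self, role_permissions: dict[str, set[str]]) -> None:
        self.role_permissions = role_permissions
        self.audit_log: list[AuditEvent] = []

    def _record(self, who: str, action: str, resource: str, how: str, outcome: str) -> None:
        when = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(AuditEvent(when, who, action, resource, how, outcome))

    def reconcile(self, user: User) -> tuple[set[str], set[str]]:
        """Closed-loop validation: compare actual grants with the role's
        entitlement, revoke excess, add what is missing, log every change."""
        expected = self.role_permissions[user.role]
        excess = user.grants - expected
        missing = expected - user.grants
        for perm in sorted(excess):
            user.grants.discard(perm)
            self._record("reconciler", "revoke", perm, f"role={user.role}",
                         f"excess grant removed from {user.name}")
        for perm in sorted(missing):
            user.grants.add(perm)
            self._record("reconciler", "grant", perm, f"role={user.role}",
                         f"missing grant added to {user.name}")
        return excess, missing

    def change_role(self, user: User, new_role: str) -> tuple[set[str], set[str]]:
        """A role change (transfer, promotion) re-runs reconcile at once,
        so grants belonging to the old role cannot linger."""
        old_role = user.role
        user.role = new_role
        self._record("reconciler", "role-change", user.name,
                     f"{old_role}->{new_role}", "reconcile triggered")
        return self.reconcile(user)

    def access(self, user: User, permission: str, resource: str, how: str) -> bool:
        """Enforce the grant and log the attempt, whether allowed or denied."""
        allowed = permission in user.grants
        self._record(user.name, permission, resource, how,
                     "allowed" if allowed else "denied")
        return allowed

    def trail(self, resource: str) -> list[AuditEvent]:
        """Who touched this resource, when, how, and with what result."""
        return [e for e in self.audit_log if e.resource == resource]


if __name__ == "__main__":
    gov = AccessGovernor(ROLE_PERMISSIONS)
    # Constructed scenario: a nurse who accumulated a billing grant, then
    # transfers to the billing department.
    nurse = User("nurse_b", "nurse", {"ehr:read", "vitals:write", "claims:write"})
    print("reconcile:", gov.reconcile(nurse))
    print("chart read:", gov.access(nurse, "ehr:read", "patient/1042", "web"))
    print("transfer:", gov.change_role(nurse, "billing"))
    print("chart read after transfer:", gov.access(nurse, "ehr:read", "patient/1042", "web"))
    for event in gov.trail("patient/1042"):
        print(event)
```

Two design points carry the "preventive" argument: `reconcile` runs on every role change, so the stale `ehr:read` grant is revoked before the former nurse can use it, and every access attempt is logged whether it succeeds or fails, so the trail answers the who/when/how question for a given record rather than only listing successes.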

Top Tips to Avoid Healthcare Compliance Risks in 2011

In 2010 the Obama Administration focused particularly on regulatory measures in the healthcare sector, and 2011 may be the breakthrough year for healthcare compliance. The healthcare industry should prepare itself for the many challenges in the compliance scene. Doctors, dentists, chiropractors, psychologists, and other medical practitioners have to abide by the regulations set forth in the HIPAA and HITECH Acts. With new reforms in place, healthcare entities need to be proactive about compliance standards and changing regulations. Here are some tips that can help healthcare organizations avoid compliance risks:

·         Establish an appropriate policy and procedure framework. An unclear set of policies or compliance framework can count against the organization. Medical practitioners and healthcare organizations should therefore dedicate effort to becoming HIPAA and HITECH compliant, and ensure that the right policy framework and guidelines are in place to support the implementation of systems and practices that keep patients' health records safe.

·         Select a compliance solution that offers centralized, up-to-date services, and ensure it is future proof. A healthcare compliance management system is most effective if it works anytime, anywhere, which is an argument for a solution delivered on the cloud. The solution should send timely alerts and updates about new versions of the security monitoring/compliance management software and techniques. More importantly, it should provide complete built-in HIPAA and HITECH support that can be extended if the need arises, and it should be easy to deploy and manage.

·         Select a compliance solution that automates audit processes. Healthcare regulatory compliance is required even if medical practitioners and organizations use little technology in their practice. Small medical practices should proactively deploy a healthcare compliance solution that automates audit processes and provides tangible evidence of compliance: one that builds a repository of all HIPAA compliance documentation and delivers automatic updates on revised policies and procedures.

Ever since HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009, organizations that adopt certified Electronic Medical Records (EMR) have been offered incentives. From 2015, providers who have not done so face reduced Medicare reimbursement. Separately, medical practitioners and healthcare entities that fail to abide by HITECH and HIPAA face civil money penalties that can reach $1.5 million per year for violations of the same provision, and criminal prosecution in cases of knowing misuse of protected health information. Being healthcare compliant is certainly the safer bet.