Tag: HIPAA

Why Are HIPAA Risk Assessments Important?

By Richard Bailey, lead IT strategist, Atlantic.Net.

covered entity and a business associate. It is a HIPAA law created to ensure that all of the HIPAA compliance risks (administrative, physical, and technical) are identified, and a roadmap is designed to plan the fixes necessary to resolve the issues found. 

The risk assessment was not part of the original Health Insurance Portability and Accountability Act of 1996. Instead, it was first introduced in the 2003 Privacy Rule and Security Rule amendments and was then further expanded upon in the Final Omnibus Rule of 2013. 

HIPAA legislation defines a Covered Entity (CE) as anyone who handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.

The U.S. Department of Health and Human Services (HHS) officially defines a CE as: healthcare providers such as doctors, dentists, nursing homes, pharmacies, health insurance companies, HMOs, Medicare, Medicaid, and clearinghouses.

A business associate is any third party business or organization that handles individually identifiable health data on behalf of a covered entity, and the risk assessment is often considered the starting point to achieve HIPAA compliance.

What is a risk assessment?

A risk assessment is commonly the first task undertaken when a covered entity and a business associate enter into a Business Associate Agreement (BAA). Its purpose is to identify the areas within the business that process, store, and transmit protected health information (PHI) and are therefore in scope for HIPAA compliance.

PHI is the patient data the law is meant to safeguard: any data that can be used to identify an individual personally. Examples include patient names, email addresses, social security numbers, insurance certificates, and so on.

Areas of risk are highlighted, and a roadmap is created for the CE to become HIPAA compliant. Most risk assessments follow the NIST Cybersecurity Framework, which is a straightforward but highly productive process. The framework has five essential functions: Identify, Protect, Detect, Respond, and Recover. The OCR takes this further with its nine essential elements of risk analysis, but either framework covers similar topics.


How To Prepare Your Healthcare Center For Telemedicine

It takes a pandemic to reveal how much digital technology has been neglected in the healthcare sector. The COVID-19 pandemic is dramatically transforming the healthcare sector and how professionals gather medical intelligence. Almost every physician worldwide has been part of a telemedicine movement to encourage patients to embrace safe, virtual appointments.

For patients, it is a new way of receiving a medical diagnosis, and understanding how to make the most of the digital interaction is crucial to their health.

Consequently, preparing for a virtual appointment takes some getting used to. As a rule of thumb, patients can struggle to explain some of their symptoms even in a face-to-face interaction; that is where a real-time medical examination helps reduce misunderstandings.

In the virtual world, gathering evidence such as taking photos or filming a video that shows your symptoms, and asking the right questions, can guide the doctor to the appropriate diagnosis.

However, while we focus on making telehealth more accessible to patients, we also need to prepare doctors to make the most of it.


Find reliable HIPAA-compliant hosting

Gathering and storing digital data is not a novelty for healthcare centers. Nevertheless, keeping data storage HIPAA-compliant can become a challenge as the number of telehealth appointments increases. Protecting patients' records in a fully digital world means relying on a highly secured data hosting strategy, as per Atlantic.net.

Contrary to common belief, there is no HIPAA hosting certification body that can verify the compliance claims of each provider. For healthcare centers that need to adapt to the growing telemedicine demand, the quest for a robust, reliable, HIPAA-compliant hosting provider therefore becomes tricky and expensive.


5 Things Made Possible In Healthcare Because of Cloud Technology

By Rahul Varshneya, founder and president, Arkenea.


Cloud computing has become the new watchword for healthcare organizations across the globe. The adoption of cloud technology has been escalating at a frenetic pace and, as recent research suggests, the global market for cloud technologies in the industry is expected to reach $35 billion by 2020.

The reason behind the recent hype around this technology is simple. Where healthcare institutions were once plainly service providers, today they are true technology organizations that depend on their IT departments for administrative, clinical, and financial purposes. And that's not all: as new payment models are added to the equation and patient expectations change, technology has become vital to drive efficiency and improve patient care.

In this article, we’ll be looking at a few things that have been made possible in healthcare due to the rapid adoption of cloud technology.

1) Reduced Costs of Data Storage

On-premises healthcare data centers not only demand an up-front investment in hardware, but they also come with the ongoing costs of maintaining physical space, servers, and cooling, among many other things.

“Cloud solutions are very beneficial from the standpoint that as you migrate data, you don’t need to maintain your own datasets which can be costly and expensive,” explains Forward Health Group CTO Jeff Thomas. “Maintaining datasets on-site can also be expensive in that it takes up real estate which can sometimes be used for something else.”

By managing the structure, operation, and maintenance of cloud storage services, cloud computing vendors can significantly lower organizations' data storage costs and let them concentrate their efforts on caring for their patients.

Healthcare organizations can also leverage custom cloud EMR or EHR software tailored to the needs of their specific practice. That way, they get exactly what they are looking for without having to dig a hole in their pockets.


Improving First Responder Calls and Patient Monitoring One Live Stream at a Time

By Dave Stubenvoll, CEO, Wowza Media Services.


The scale of the coronavirus pandemic is impacting every facet of daily life. As COVID-19 continues its global spread, authorities are restricting large gatherings and enforcing stay-at-home protocols. This crisis is forcing us to adapt to a "new normal," and technology is taking center stage to help us through the transition.

Among the advances easing this burden are live streaming technologies. Adoption of live streaming continues to grow with the spread of the COVID-19 pandemic, as a large number of companies use the technology to improve their day-to-day operations.

In fact, as the popularity and usefulness of video delivery over the internet grows, reports reveal that live streaming has already attracted 47% more users than this time last year. Through the influx of telehealth, remote learning, remote video conferencing and canceled events, live streaming has become a versatile — and essential — tool that is changing the way we stay in contact with others, particularly in the age of social distancing.

Live streaming is gaining popularity across many different industries. Until the advent of live streaming technologies, 911 operators had only one source of information for assessing an emergency: the caller. Now, thanks to advances in live streaming, 911 operators have unprecedented access to emergency situations via live video.

Carbyne, a technology company that delivers actionable data from connected mobile devices to emergency communications centers, uses live streaming to enhance critical response capabilities. Through the combination of real-time video and location data, Carbyne provides emergency personnel with a more accurate assessment of the scene before they arrive, reducing emergency response times by more than 60%.

While Carbyne’s technology has proven beneficial across the globe for several years, the COVID-19 pandemic has brought additional benefits to the technology. Carbyne is effectively able to remotely evaluate potential COVID-19 cases and forward potentially infected individuals to medical professionals via telehealth services while maintaining HIPAA compliance.

Additionally, the Carbyne platform has been used in some cities to help track COVID-19 cases, delivering a heat map that details coronavirus-related calls so the municipality can better allocate resources and prevent the disease from spreading. As one hotspot hit hard by the virus, New Orleans uses Carbyne’s COVID-19 service to manage emergency calls and help individuals who have contracted the virus contact telehealth professionals instead of flooding emergency rooms. Carbyne has been fielding 70% of the city’s emergency calls, a majority of which were related to COVID-19 symptoms.


Key Strategies For Minimizing Risks While Embracing COVID-19 Telehealth Expansion


By Heather Annolino, senior director healthcare practice, Ventiv.

As hospitals work vigorously to address the health care needs of their patient populations during the COVID-19 pandemic, they are unintentionally leaving themselves and their patients exposed to cybersecurity risks.

Measures implemented to protect workers and patients, including expanded use of telehealth and telemedicine, remote work, and bringing new equipment such as ventilators online, can leave data exposed and institutions vulnerable to hackers and scammers. These cyberattacks can affect supply chains and the ability to leverage healthcare data from the COVID-19 pandemic for use in future crises.

In March 2020, the Office for Civil Rights announced it would not enforce penalties for HIPAA noncompliance against providers leveraging telehealth platforms that may not comply with privacy regulations. This measure rapidly expanded the use of telehealth and telemedicine over the past several weeks, allowing providers to use videoconferencing platforms including WebEx, Zoom, and Skype.

The use of telemedicine improves patient access and helps alleviate the additional burden on healthcare systems by limiting in-person care during the COVID-19 pandemic. If any incidents do occur, they should be entered into the facility's health care risk management/patient safety software system. This technology is designed to help healthcare organizations see all of their data in one place, making it easier to learn from incidents through analysis. While doing that now might be difficult, it is essential to capture this data to improve preparation for the next disaster and prevent patient harm.

Although telemedicine presents a lower risk from a risk management perspective, it is still important to provide consistent processes and protections to mitigate potential threats. During these uncertain times, telemedicine is the best option for providers to continue treating select segments of their patient population, as well as triage potential COVID-19 cases. Whether health care organizations are looking to expand (or even begin) the use of telemedicine capabilities, it is crucial to outline best practices for consent, credentialing, and security and privacy to assist with mitigating potential risks.

Here are a few strategies facilities should consider:

Security and Privacy

Even under normal circumstances, healthcare facilities have difficulty bringing key equipment online securely. As facilities work tirelessly to address COVID-19 patients' needs while continuing to care for non-COVID-19 patients, security risk potentially increases as additional medical equipment and medical IoT devices are integrated into the network.

By investing in and deploying cybersecurity procedures and protections, including backup and downtime procedures, healthcare facilities can reduce the risk from phishing and ransomware attempts. These measures should include ensuring all practitioners use communication apps recommended by the U.S. Department of Health & Human Services Office for Civil Rights, as well as secure telephone connections.


Shoring Your Defenses Post COVID Crisis

By Carl Kunkleman, senior vice president and co-founder, ClearDATA.


Working in the world of healthcare security and compliance, I find one of the biggest dangers organizations face is having a false sense of security that their PHI is adequately protected. I’ve done hundreds of security risk assessments, and I have yet to find one single organization that did not have a security gap they were unaware they had in one or more of their administrative, technical or physical safeguards.

Add to this the complicated current state of healthcare battling COVID-19, and we are likely to see administrative systems that have gaps in onboarding or off-boarding employees, technical infrastructures that didn't have the time or resources for patch management, and physical scenarios in makeshift triage units with compromised physical safeguards that simply cannot be addressed in the current haste to stop the spread of the virus.

Sadly, this sense of chaos creates ideal conditions for the hackers of the world looking to infiltrate via phishing, malware, ransomware and more. Once this spread is arrested and we all get a moment to catch our breath and assess business practices, a good move would be to conduct a security risk assessment (SRA). Your internal teams and resources are stressed, overworked and possibly burned out; an SRA can identify the security gaps that will inevitably arise and present an actionable plan to remediate them. This will help reduce risk while protecting your organization's finances and reputation while we all find out what "getting back to normal" will mean.

Right now, we are all doing everything we can. And the Department of Health and Human Services recognized that with their decision last week to waive penalties for providers that are serving patients through everyday communications technologies during the COVID-19 public health emergency. A security risk assessment this summer will help you put the compliance health of your organization back in order. In addition to the HIPAA requirement that you have an SRA on file annually, it helps unite your team in a strategic path forward by articulating what your highest and lowest risks are, before a hacker uncovers them.

Because an SRA covers administrative, technical and security safeguards, your entire organization will benefit from the process. I continue to find organizations who think their PHI is protected because they have password protected their computers and mobile devices. Our penetration testing has revealed that passwords are relatively easy to defeat. We continue to find gaps in encryption, patch management and even with PHI inventories. If you don’t know where all of your PHI resides, how can you protect it?


Convenience Is The New Quality

By Jay Eisenstock, principal, JE Consulting and WEDI board chair.

Virtual visits help providers increase productivity by adding revenue and reducing travel to different clinical settings. However, despite these obvious advantages, 2019 saw an abysmally low utilization rate of less than 10%. Things have monumentally changed. As a local physician characterized telehealth today, convenience is the new quality. Love it or hate it, telehealth is here to stay.

The Primary Care Collaborative conducts a weekly survey of physicians, nurse practitioners, and physician assistants working in primary care on how their practices are responding to the COVID-19 outbreak. Over 80% of respondents indicate their patients accept telehealth visits, and nearly half of the respondents plan to continue using telehealth after the COVID-19 crisis is controlled.

Prior to the pandemic, telehealth was seen as convenient and time efficient for patients. It also showed promise for providing access to care for various underserved populations. Today we have gone beyond convenience, as telehealth has become a necessity for both patients and providers. Increased utilization has been made possible by the relaxation of rules and requirements by both government and commercial health plans. Notably, the use of telehealth had previously been restricted by design.

Health plans wanted to control how and where telehealth was offered along with who could provide the service. For the duration of the COVID-19 health emergency, most health plans are allowing telehealth to be used in place of in-person encounters. Many are waiving patient cost share and paying providers the same rate as an in-person visit.

Medicare has made the following changes effective during the COVID-19 health emergency: telehealth can be used with both new and established patients, telehealth via telephone will be reimbursed, and providers are allowed to treat patients across state lines. In addition, the Centers for Medicare and Medicaid Services (CMS) is waiving HIPAA violation penalties for utilizing technologies such as FaceTime or Skype.


Regulatory Compliance For Healthcare Organizations

By Jordan MacAvoy, vice president of marketing, Reciprocity Labs.


There are several regulatory compliance requirements that healthcare organizations must follow. Even so, it’s the Health Insurance Portability and Accountability Act (HIPAA) that gets the most recognition. If your organization is involved in the healthcare industry, you should ensure that it complies with the Health Information Technology for Economic and Clinical Health Act (HITECH) as well.

These two compliance requirements are interrelated. HITECH, however, is meant to advance information technology in the healthcare industry while addressing security and privacy concerns regarding ePHI. HITECH significantly modified HIPAA and the Social Security Act, so it can be difficult to understand how these regulatory compliance frameworks complement each other.

How HITECH And HIPAA Are Similar

HITECH and HIPAA compliance are overseen by the Department of Health and Human Services (HHS). Typically, healthcare organizations focus on HIPAA compliance, since it is the backbone of the Privacy Rule that sets national standards for PHI and medical record protection. The Privacy Rule was adopted in 2000. Since then, HHS has made only one modification: in 2002, the Privacy Rule was modified to become one of the initial information privacy and security regulations.

The Office of the National Coordinator for Health Information Technology (ONC) is mandated to promote the quality of healthcare by advancing health IT. ONC is also tasked with the role of securing ePHI and establishing procedures for electronic health records (EHRs) to promote privacy.

Therefore, while HITECH and HIPAA complement each other, they are dissimilar. HITECH focuses on information technology as well as the preservation of electronic information, whereas HIPAA dwells on protecting privacy as well as expanding beyond information systems.

How HITECH And HIPAA Differ

Although HITECH and HIPAA have many similarities, the two regulations also differ on various vital details. HITECH was meant to expand HIPAA. Even so, HIPAA remains focused on addressing privacy and breach notification issues to protect against identity theft and fraud. HITECH differs from HIPAA in that it established restructured criminal and civil compliance penalties. Furthermore, HITECH extended HIPAA's breach notification requirement beyond covered entities to also include business associates.

From an IT perspective, compliance managers ought to focus on the importance of robust encryption. If malicious actors breach ePHI, effective encryption will mitigate rule violations: if the encryption renders the information unreadable, the organization won't be fined. Nonetheless, proving that the encryption is effective means complying with the NIST Federal Information Processing Standards (FIPS). Healthcare regulatory compliance can therefore only be achieved if you fully understand your organization's IT infrastructure.
