The HIPAA Omnibus Final Rule, released January 2013, introduced some significant changes and updates. The 2012 HIPAA audits, performed by KPMG, concluded with some initial findings released by the Department of Health and Human Services (HHS) Office of Civil Rights, OCR. These two events may impact how you govern your internal organization and network for patient privacy and protection of PHI.
Here are nine network considerations to address in the new HIPAA landscape. I will discuss the first consideration in this blog.
- HIPAA Audits will continue
- The HIPAA Audit Protocol and NIST 800-66 are your best preparation
- Knowledge is a powerful weapon―know where your PHI is
- Ignorance is not bliss
- Risk Assessment drives your baseline
- Risk Management is continuous
- Security best practices are essential
- Breach discovery times: know your discovery tolerance
- Your business associate(s) must be tracked
The HIPAA Omnibus Final Rule, released January 2013, greatly expands the number of organizations that must comply with HIPAA beyond the known ‘Covered Entities.’
The Final Rule expands the definition of a Business Associate to include an organization that ‘creates, receives, transmits or maintains’ PHI. Adding the term ‘maintains’ into the definition makes a big difference and will include a lot more businesses than before. The Department of Health and Human Services (HHS) estimates that 250,000 – 500,000 additional entities will be considered a Business Associate and therefore must comply with HIPAA.
This post is part of a new series featuring Brian Higgins, Principal Healthcare Consultant at Comstor US. Comstor is a recognized global leader in Cisco product distribution and an established provider of networking and advanced technology solutions. Brian is a sales and business development executive with 35 years of experience in the global healthcare information technologies industry. He has a proven and successful track record of establishing and executing go-to-market strategies for both start-ups and well-established companies in the healthcare space. He is also a trusted sales and business development advisor to information and medical technology companies selling into all segments of the healthcare industry.
I recently hosted a webinar on the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) for a community of technology resellers.
HIPAA and HITECH are the US version of “privacy and security” laws that are getting so much attention in our industry. I thought I had a reasonably good grasp on the subject, but my intuition was that the subject was complex enough to warrant an expert. We brought in a nationally recognized expert by the name of Bob Chaput, Founder and CEO of Clearwater Compliance LLC, and (luckily for me) he did an outstanding job of explaining a very complicated set of rules and regulations in a simple and easy to understand way.
While it was interesting to learn more about specifically who is covered by these laws and what their specific obligations are, the more enlightening discussion related to how far behind most industry stakeholders are in their compliance and the resulting economic ramifications.
For those of us in the channel that recognize the enormous opportunity of delivering technology to the healthcare sector, this is an important subject about which to have a first level of understanding. It not only gives us the credibility that our healthcare end users are looking for in a vendor, it also represents an opportunity to deliver valuable advice and services. Finally, it’s a law that we might fall under if we are in the business of maintaining healthcare communications or information technology (HCIT) platforms, or delivering cloud services.
Similar privacy and security laws exist around the world, requiring partners to pay close attention to what is occurring in their regions relative to this topic.
There’s a natural struggle between those who write rules around compliance to a standard and those who must implement IT systems to ensure compliance with that standard. The former want to create guidelines rather than hard and fast requirements so there’s flexibility in how to achieve compliance. Plus, they want guidelines that allow for advances in technology. The latter want technical specificity – do X and become compliant.
With a compliance standard like PCI DSS, which specifies credit card information security requirements, there’s a great deal of technical specificity about what is required in order to become PCI DSS compliant. In fact, all but a handful of PCI DSS’s 211 sub-requirements call for specific technical actions. But even then, some PCI DSS sub-requirements are subject to interpretation by the various auditing authorities.
Most compliance mandates, especially those imposed by governments, aren’t as cut and dried as PCI DSS and they always include many specific requirements around acceptable compliant behavior in addition to non-specific requirements around technology-oriented compliant safeguards.
The privacy and security of health information in the U.S. is governed by a Federal law called the Health Insurance Portability and Accountability Act (HIPAA). As written, HIPAA is vague in many behavioral and technological areas. The law turned over “rule-writing,” whose aim is to provide more specificity, to the U.S. Department of Health and Human Services (HHS). HHS wrote a key rule – the HIPAA Security Rule – that is relevant to information security professionals.
But alas, even the HIPAA Security Rule is ambiguous!
On June 6-7, the National Institute of Standards and Technology (NIST) co-hosted a conference focused on HIPAA, the foundational U.S. health care information law. I attended the conference and came away with the sense that a) health care entities have begun to see clarity in the things they must do from an IT perspective to abide by the law’s requirement to protect patient information and b) they are motivated to do so through Federal moves to enforce the law.
The links between vague laws and the concrete technical requirements that support them are usually ambiguous, because the laws are written by non-technical lawyers and the laws themselves often delegate implementation details to government departments.