Taming the HIPAA/HITECH Beast

Posted on 07/14/2017 by Brian Carey

In this, our second post in a series outlining some new health care related services we're now providing, we're going to review what we can do for you and your organization regarding HIPAA/HITECH compliance. First off, when we say HIPAA/HITECH we're referring to all requirements of the HITECH Act as it relates to HIPAA, including the Omnibus rule updates. Furthermore, we're not going to go over the details of HIPAA or the HITECH security rule. There are many resources that have already covered that.

What we would like to do is provide some details of how we approach HIPAA/HITECH and how we could help you accomplish your goals. In our opinion, it is more about developing a proper mindset of securing your Electronic Protected Health Information (ePHI), and having the proper processes and procedures in place to back that up, than it is about having a defined checklist of requirements that you can simply review, check off, and call done. We believe it is a living process that, if followed in your day to day IT work, should align with the requirements when your work is complete.

Key Points

Before going any further, it makes sense to understand a few key points:

  • To be clear, there are no official HIPAA/HITECH certification requirements a la PCI DSS or similar. While there are plenty of places out there willing to sell you certification, essentially they would be selling you the same thing, most likely at a much higher price. And buying that certification, stuffing it in a folder, and saying you're compliant without continual review and adjustments will not get you very far into the future.
  • HITECH applies to ePHI only. Simply put, ePHI is any PHI from plain old HIPAA that is stored and/or transmitted in an electronic form. Or to think of it another way, if you only ever have patient data that is filled out on a piece of paper and never scanned into a database or stored as a file, then while you have HIPAA requirements, technically you have no requirements under the HITECH rule. Though let's be honest, it would be hard to find a business like that in today's high tech economy.
  • The guidelines of the security rule are just that, guidelines for doing the right thing for your environment. Most likely not every HIPAA/HITECH guideline will be required in a given environment, and that's OK so long as you can show that you reviewed those requirements and documented why each one is not required in your case. Simply put, there is no need to make everything applicable to you, and we think this is a key point to doing the right thing.

Our Approach

The very first thing we'd do is a risk assessment of your environment, using the security rule as a guide to determine what areas you may already have covered, what areas you may have minimally covered but need some work, and of course in what areas you would be considered non-compliant. This would be a review done along with any existing IT and compliance staff you may already have. The result is a list of areas that need to be addressed, their potential risk of breach, and some sort of cost/complexity rating to use as a guide in planning next steps.

The next step is planning the next steps. It is not at all uncommon that you may already be doing a lot of things right, but you just don't have any official processes and procedures documenting that you do. That is key, and creating those documents is easier and cheaper than having to make changes to your infrastructure. Though nobody is perfect, and you will definitely have areas that need to be addressed. Now we can review the results of the risk assessment in more detail, specifically in terms of risk vs reward vs cost, to formulate a plan to improve your compliance. We also feel that the last point there is important. For example, let's say you are non-compliant in a particular area, and realistically your risk of breach is relatively low compared to the cost. You would want to make sure that you are addressing items of higher risk first.

Once a plan of remediation is in place, then it's time to make improvements. This can be done by your existing IT staff, and we can most definitely help with the technical aspects and documentation if needed. Once improvements are made, it's time to circle back to the risk assessment and re-assess. This is what we mean by it's a living process. Technically this risk assessment should be done yearly, and once your level of compliance is satisfactory that should be just fine. However, sometimes that initial push to get there will require multiple reviews. The main point is that some sort of periodic review be done to ensure you are still compliant. That is a very important decision given the speed at which technology changes in today's businesses. New risks will surface and old risks will go away frequently, and keeping up with those changes is much easier than starting over from scratch due to not maintaining your compliance.
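The assess, plan, remediate and re-assess cycle above, together with the earlier point about documenting why a guideline does not apply, is straightforward to keep as a small risk register. The following is an added example of such a register; it is not the author's tooling or any official HIPAA/HITECH artifact. The safeguard names, the 1-5 likelihood/impact/cost scales and the sample entries are constructed for illustration; the ranking rule (highest risk first, cheapest remediation first on ties) and the yearly review interval follow the approach described in the post.

```python
"""Hypothetical HIPAA/HITECH risk register (added example, constructed data).

Each entry records one area of the security rule, its review status, and,
for open items, a likelihood/impact/cost rating used to order remediation.
Items marked not applicable must carry a documented justification.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

COVERED, PARTIAL, GAP, NOT_APPLICABLE = "covered", "partial", "gap", "not_applicable"


@dataclass
class Finding:
    safeguard: str                       # area of the security rule that was reviewed
    status: str                          # one of the four statuses above
    likelihood: int = 0                  # 1-5: how likely a breach via this weakness is (assumed scale)
    impact: int = 0                      # 1-5: how much ePHI would be exposed (assumed scale)
    cost: int = 1                        # 1-5: cost/complexity of remediation (assumed scale)
    justification: Optional[str] = None  # why the safeguard does not apply; required for N/A

    @property
    def risk(self) -> int:
        """Simple risk score: likelihood times impact."""
        return self.likelihood * self.impact


def validate(findings: List[Finding]) -> List[str]:
    """Return documentation problems that would weaken the assessment if left unfixed."""
    problems = []
    for f in findings:
        if f.status == NOT_APPLICABLE and not f.justification:
            problems.append(f"{f.safeguard}: marked not applicable without a documented reason")
        if f.status in (PARTIAL, GAP) and not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
            problems.append(f"{f.safeguard}: open item is missing a likelihood/impact rating")
    return problems


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Open items (gap or partial), highest risk first; cheapest fix first on ties."""
    open_items = [f for f in findings if f.status in (PARTIAL, GAP)]
    return sorted(open_items, key=lambda f: (-f.risk, f.cost))


def next_review_due(last_assessment: date) -> date:
    """Yearly re-assessment, per the cycle described in the post."""
    return last_assessment + timedelta(days=365)


# Constructed sample register; names and ratings are illustrative only.
SAMPLE = [
    Finding("Access control: unique user IDs", COVERED),
    Finding("Audit controls: log review", PARTIAL, likelihood=3, impact=4, cost=2),
    Finding("Transmission security: encryption in transit", GAP, likelihood=4, impact=5, cost=3),
    Finding("Device and media controls: laptop disk encryption", GAP, likelihood=4, impact=5, cost=1),
    Finding("Workstation security: shared kiosk lockdown", GAP, likelihood=2, impact=2, cost=4),
    Finding("Facility access: server room badge logs", NOT_APPLICABLE,
            justification="No on-premises servers; all ePHI is hosted by a BAA-covered provider."),
    Finding("Contingency plan: tested backups", NOT_APPLICABLE),  # no justification: flagged
]
LAST_ASSESSMENT = date(2017, 7, 14)  # constructed date for the sample

if __name__ == "__main__":
    for p in validate(SAMPLE):
        print("DOC PROBLEM:", p)
    for f in prioritize(SAMPLE):
        print(f"risk={f.risk:2d} cost={f.cost} {f.safeguard}")
    print("next review due:", next_review_due(LAST_ASSESSMENT))
```

With the sample data the two risk-20 gaps come out on top, with the cheaper laptop encryption fix ahead of the transport encryption work, the lower-risk kiosk lockdown lands last, and the backup item is flagged because it was marked not applicable without the written reason the post says you need.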

In our opinion, the key is, in the case of a security breach, having completed the risk assessment and documented why you made the choices you did in remediating deficiencies. While you still may not be technically compliant, it shows you are working towards it and are, in spirit, meeting your compliance needs. That is obviously a much better place to be than having nothing to show for why you had a lapse in security that allowed the breach. We feel this approach makes the most sense in today's landscape, where almost all IT/security/compliance budgets seem to shrink constantly. Sensible compliance is achievable by all; 100% total compliance is usually not an option for everyone, though.

Why us?

So why would you want to work with us to meet your HIPAA/HITECH needs? One easy reason is cost. We bill this service the same as we do any of our services, at a flat hourly rate based on the size and complexity of your environment. Whatever that rate may be, I can guarantee it will be less than any other competitor out there providing a similar service, quite possibly considerably less. Another reason is that, as mentioned above, we treat this compliance as an ongoing effort and will be right there to adjust with your business as needed. Sure, if you just want a quick risk assessment and nothing else we could do that, but realistically we don't see that as meeting your overall HIPAA/HITECH needs.

To put it into one line, we want to work with you to do what is right for your business, not tell you what is right for everyone else's business.

And if you're located in Pittsburgh or a surrounding area, that's a big plus!

So give us a call, or drop us a message if you'd like to discuss your HIPAA/HITECH needs in more detail.