Innovate and Comply: The Dual Frontiers of Healthcare Tech

In many ways, new compliance standards are a blessing in disguise for healthcare organizations. While HIPAA and others like it may initially seem limiting, forcing a care provider to shake up its infrastructure, they also give it the opportunity to pursue other options in IT management and create scalable, secure systems that will serve it for years to come.

However, like any good frontier, innovation is fraught with danger. New technologies meant to improve aspects of healthcare such as patient data also open up new avenues of attack and new challenges to achieving compliance. We are at a point where these changes are necessary, but a balance must be struck to ensure that an organization is not waylaid while experimenting. There’s a lot at stake, but better IT options for healthcare organizations make it a bit easier to pursue improvements.

This is the unfortunate reality of technology in healthcare. Due diligence—particularly when handling sensitive information—is necessary, even if it slows down the speed of innovation. The risk of physical harm looms over healthcare systems as well. After all, if a monitoring device stops working, how will the already beleaguered doctors and nurses know to respond?

Even more concerning is the number of care providers that believe their security and compliance measures are up to snuff when many of them are not in fact compliant. A lack of knowledge about modern standards and unknown gaps in data security both contribute to this.

This illustrates the need for healthcare organizations to bring in outside help—specialized auditors are often able to both identify weaknesses and give an organization the sense of what they can build on to deliver a better experience to their patients. It may be another cost an organization has to contend with, but the very real risk of endangering patient lives makes it very much worth it.

But when it comes to moving forward while staying secure, it turns out that it is wholly possible to work with solutions that are still HIPAA compliant. There’s no one segment that innovation is centered around—the beauty of this new frontier is that any healthcare organization with some savvy can start projects that will benefit them for years to come. However, any care provider should be aware of all of the strictures affecting them before they begin; for instance, an international company may need to comply with EU and HIPAA regulations.

If there’s one thing to take away from this shift, it’s that organizations should take the opportunity to improve rather than simply comply. The antiquity of many infrastructure elements means that they will likely need to make sweeping changes if they haven’t been keeping current. Tools such as cloud infrastructure, wearable technology, and better patient-side systems can all revolutionize the way a care facility functions. It all comes down to analyses of patient and employee needs to figure out which solutions will make the biggest impact.

There is no reason that healthcare organizations should have to choose between compliance and innovation, but they should still learn to do both safely. There’s a lot of work that goes into both, but new HIPAA regulations mean that organizations will need to make changes one way or another—and they may as well put in work that will lead to better outcomes for their patients.

Healthcare Compliance—A Short Guide for Businesspeople

When healthcare companies try to achieve operational compliance, the requirements for physical offices are usually fairly well understood. However, when it comes to online and cloud operations, the requirements are much more obscure. Generally, when we talk about cloud compliance in healthcare, we’re considering ways to drive risk avoidance, increase revenue, and improve patient outcomes. Naturally, these three objectives don’t just apply to technology, but they are a good starting point when considering technology plans. Beyond this, the primary objective of any healthcare company when it comes to technology should be data protection for any and all stakeholders, and there are a few ways of going about this.

HIPAA

The Health Insurance Portability and Accountability Act, or HIPAA, is a federal statute requiring adequate security for any healthcare information. Complying with this act is highly important for any organization possessing Protected Health Information (PHI), and it can apply to a company even if it only has custody of a small amount of electronic PHI.

This is because the HITECH Act extends HIPAA to cover more businesses, including business associates that aren’t healthcare providers or payers.

EHNAC

EHNAC, the Electronic Healthcare Network Accreditation Commission, is an organization dedicated to helping companies determine whether or not they are HIPAA compliant and assisting them with setting up proper information security measures.

Of course, there’s nothing stopping a healthcare company from completing their own compliance assessment, but generally, unless a company already has a large staff dedicated to operational compliance, auditing, and analysis, it’s more financially sound to leverage the services of an existing hosting provider. Note that, if a healthcare company chooses to strive for compliance on their own, they will likely still need a third party to conduct a comprehensive risk analysis.

EHNAC is a great way for companies to provide themselves with a strong compliance framework without the need to hire full-time specialists.

HITRUST

Similar to EHNAC, HITRUST is another organization dedicated to helping businesses meet health data compliance standards. HITRUST is more expensive, but their Common Security Framework (CSF) covers HIPAA, HITECH, and a number of other standards such as ISO, PCI, CMS, and COBIT.

HITRUST certifications are difficult to obtain and even more difficult to maintain given the ever-changing standards of the industry. However, if a company successfully does both of these things, they are guaranteed a good reputation when it comes to data security.

Existing BAAs

BAAs, or Business Associate Agreements, can also be obtained from public cloud companies such as Amazon or Microsoft. Unfortunately, these agreements alone will not provide you with the compliance measures that you need. For instance, some general utility BAAs will not provide companies with the minimum breach notification specified under HITECH, leaving the burden squarely on the company to detect any sort of breach. Look for providers willing to assume some or all of the risk associated with compliance measures.