The clock is ticking down to Sept. 23, 2013, the HIPAA final omnibus rule deadline. If you’re a hospital or health system, do you have “reasonable and appropriate administrative, technical and physical safeguards” in place to help protect your patient data, including medical images, as HIPAA requires?
Are you sure? If you do have them, are the safeguards up to date? Are they monitored and audited regularly? Is your staff compliant with the regulations and rules you have in place? Are your Business Associates compliant?
If you answered “no” or “I think so” to even one of the above questions, you could be putting your patient data at risk of a breach and your patients at risk of identity theft. And you’re not alone. In the past two years, 94% of healthcare organizations had at least one data breach, and 45% said they had more than five significant data breaches.
According to the final rule, you have until Sept. 23 to make sure your HIPAA house is in order. Per the rule, any impermissible use or disclosure of patient data is considered a data breach unless an official risk assessment concludes otherwise. It also extends requirements of the HIPAA privacy and security rules to organizations’ business associates, which are any people or companies that use or disclose protected health information on behalf of, or provide services to, a covered entity. This puts your organization on the spot – potentially with a HIPAA audit – to verify your business associates meet the requirements.
The right cloud partner can help you meet the HIPAA Sept. 23 deadline
Often in-house IT professionals lack the resources to manage all of the security projects necessary to keep protected health information (PHI), including medical images, safe. Working with a cloud services provider to manage the bulk of the back-end security can be a cost-effective solution. However, while a cloud services provider can help shoulder some of the load, it is absolutely critical to choose the right cloud partner. PHI can actually be more secure in the healthcare cloud than on your local server if you work with a cloud provider that:
- Meets technology and procedure best practices in support of HIPAA and HITECH requirements
- Agrees to a contract that specifies best-practice security and privacy policies, breach notification/support processes and data protection even upon termination of contract
- Demonstrates that its technologies and procedures are consistently updated, monitored and audited by a third party
- Provides solutions to give your staff reliable and highly secure remote and mobile access that meets industry and regulatory requirements
Here’s an overview of the administrative, technical, and physical safeguards a full-service cloud services provider should be able to provide you with, in support of HIPAA and HITECH compliance:
Risk analysis and roadmap
A HIPAA Security Rule risk assessment and roadmap showing what you need to improve and how to help achieve compliance.
Security policies that restrict physical access to the cloud services provider data center to authorized personnel; redundant back-up storage for PHI to support business and clinical continuity.
Proof that authorized administrators of your data are current with security training, including HIPAA security training; auditing tools for you to monitor the cloud environment as desired.
Multiple layers of security technology, from network and firewall security to data encryption; mobile security features such as authentication/authorization, encryption and data “sanitation” to wipe data from stolen or missing devices.
You’re still the boss
Regardless of how much a cloud provider can support HIPAA and HITECH compliance on the back-end, it is still your organization’s responsibility to drive the bus. Do the risk assessment. Get familiar with the HIPAA and HITECH requirements. Know your business associates inside and out, and only work with those who can prove they have best-practice policies in place. The risk to your organization — both financial and professional — and to your patients is too great otherwise.