By Megan Williams, contributing writer
Your clients likely have concerns around the Health Insurance Portability and Accountability Act (HIPAA) that extend well beyond the reach of your influence. Unfortunately, many of them may assume those concerns are already covered by the HIPAA-compliant EHR (electronic health record) solutions you offer.
Healthcare IT News explores that topic in an article by Security Metrics security analyst Tod Ferran. The piece is written as an advisory to healthcare entities tackling HIPAA compliance and EHR implementations, and it offers useful insight for solutions providers looking to address the deeper needs of their clients.
“Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them — it’s just not true.”
Advice To Maintain Security
Ferran advises organizations to prioritize security, warning them that the new HIPAA Security Rule requires them to address 75 specific security controls in their systems.
He urges them to "assess their security programs as a whole" and make sure that their procedures, policies, and security measures are configured to protect patient information and shield the organization from potentially costly regulatory penalties. At the same time, though, he acknowledges that organizations frequently fail to prioritize the risks to electronic patient data, and he stresses the importance of an approach that goes beyond "simply checking a box."
Selling The Importance Of Risk Management
Ferran frames risk management in an organization around two timelines: the reality of the present and the optimal future.
“No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.”
He places the responsibility for understanding the features of their medical devices and IT assets squarely on the organizations themselves, a burden that solutions providers could easily help them carry. Some of the areas in which they will need help include:
Attaining True Compliance
Ferran also includes a basic roadmap for attaining HIPAA compliance, and he suggests that organizations adopt a regular weekly routine, starting with sessions as short as 30 minutes in which they meet and discuss priorities. Other specific actions he suggests include:
For solutions providers who communicate regularly with their clients, this is an article many would likely find useful, and a good way to start a conversation about the current and future solutions those clients are considering.