Posts Tagged ‘security’

Guest Post: Are You Preparing to Fail Healthcare Compliance in 2018?

December 19th, 2017 by Tim Feldman and Darci L. Friedman

A 2018 roadmap to healthcare compliance should focus on cybersecurity, vendor management and telehealth.

As the year winds down, we see numerous lists of priorities healthcare organizations should focus on in the coming year. However, if you are looking to those end-of-year lists for guidance on what your organization should pay attention to in 2018, you are already behind. If you do find yourself playing catch-up, drafting your 2018 compliance work plan is the best place to start.

As the roadmap for your compliance efforts throughout the year, your annual work plan should indicate key high-risk areas. The Office of Inspector General (OIG) of the Department of Health & Human Services (HHS) has indicated that developing an annual compliance work plan is integral to the administration of an effective compliance program (Measuring Compliance Program Effectiveness – A Resource Guide).

The annual work plan and compliance program administration are but one portion of what is required for an organization to have a robust and effective compliance program. The required elements of a compliance program are the following:

  • Standards, Policies and Procedures;
  • Compliance Program Administration;
  • Screening and Evaluation of Employees, Physicians, Vendors and Other Agents;
  • Communication, Education and Training;
  • Monitoring, Auditing and Internal Reporting Systems;
  • Discipline for Non-Compliance; and
  • Investigations and Remedial Measures.

These elements provide a broad framework for your organization to identify risk, proactively remediate and provide a response mechanism to mitigate when there is an exposure. Working the plan and program throughout the year helps your organization achieve a state of ongoing readiness.

Cybersecurity

Cybersecurity is one item that will likely factor more heavily in your work plan, and appropriately so. Last June, the HHS Health Care Industry Cybersecurity Task Force released a report on improving cybersecurity in the industry. The Task Force concluded that cybersecurity, at its core, is a patient safety issue and a “public health concern that needs immediate and aggressive attention.”

Some of the areas to address in the broader realm of cybersecurity include:

  • Ransomware;
  • Email security, including phishing;
  • Internet of Things (IoT) and devices;
  • Bring your own device (BYOD); and
  • Medical identity theft.

As the Task Force report notes, cybersecurity must be thought about across the continuum of care in your organization. Work to shift the culture and thinking that cybersecurity is simply a technology issue, of concern only to the IT department.

Do this by implementing policies and procedures for key cybersecurity issues and then communicating them across the organization. Follow that with training, including everyone in your organization, from staff to board members. The training should: define cybersecurity; explain how it may manifest in the organization, and address your policies and procedures, making it evident to all what they can and cannot do and how to respond.

Third-Party Vendor Management

The outsourcing of services to third-party vendors is increasingly common and for good reason. Such relationships offer great benefits, but at the same time, these relationships also carry legal, financial, reputational and compliance-related risks. Here are seven questions to evaluate your third-party vendor relationships:

  • Does your organization, as a covered entity (CE) under HIPAA, have a vendor compliance program to help you identify, manage and report on these risks?
  • Do you review and assess your vendors’ risk profile?
  • Are you familiar with each vendor’s hiring practices?
  • Do you know which vendors’ products connect to other IT systems that contain critical data, including protected health information (PHI)?
  • Do you have insight into each vendor’s information security and data privacy capabilities?
  • Do you know with which vendors you have a business associate agreement (BAA)?

For many healthcare organizations, the answer to several of these questions is likely “no,” which creates risk for those organizations. The OIG’s position is clear: healthcare entities have a responsibility to proactively identify, assess and manage the risks associated with their vendor relationships.

All vendors are NOT created equal. A good starting point in managing an effective and efficient third-party compliance program is to perform a risk-ranking of vendors based on their access to critical assets or information. By segmenting your vendor population into “risk tiers” you can focus limited resources on the most serious exposures.

Components of third-party compliance assessment should include, among other things:

  • Due diligence (background, reputation, strategy);
  • Knowledge of, and compliance with, security and privacy requirements;
  • Operations and internal controls (policies and procedures);
  • Workforce controls, background and exclusion checks; and
  • Training and education.

And, of course, with every vendor that meets the criteria of a Business Associate, ensure that a written BAA is in place. BAAs can be complex and are often daunting, but they must be carefully negotiated and acknowledged by both parties.

By ensuring your vendors have strong compliance programs in place and that they are following through on the BAA requirements, your organization is meeting its compliance obligations and doing its best to minimize its risks.

Telehealth

The compliance concerns related to the delivery of care via telehealth are numerous and include the following:

  • Licensing;
  • Credentialing;
  • Security;
  • Regulatory requirements for billing; and
  • Fraud and abuse.

An area to focus some attention on is payment under federal healthcare programs. The OIG currently has two active work items on telehealth, one for Medicaid and one for Medicare. Both of the items relate to the propriety of payment for telehealth services.

If your organization provides telehealth services, consider conducting a risk assessment to determine if you have any exposure in the area. Risk assessments are not strictly one of the 7 required elements of a compliance program, but they are often referred to as the “8th Element” given the focus on them in the Federal Sentencing Guidelines and OIG documents.
Risk assessments, along with the other elements of a compliance program, provide your organization the means to identify, prioritize, remediate and/or mitigate the myriad on-going risks it will encounter. If you are not working your compliance program and specific risk areas throughout the year, you are failing to adequately prepare for an event. By failing to prepare, as one wise man said, you are preparing to fail.

About the Authors: Tim Feldman is Vice President and General Manager of Healthcare Compliance & Reimbursement at Wolters Kluwer Legal & Regulatory U.S. He oversees product development across a vast suite of practice tools and workflow solutions to help professionals stay ahead of regulatory developments and effectively manage compliance activities. Darci L. Friedman, JD, CHPC, CSPO, PMC-III, is the Director of Content Strategy & Author Acquisitions for Healthcare Compliance, Coding & Reimbursement at Wolters Kluwer Legal & Regulatory U.S. She is responsible for supporting the overall strategy for developing new content and features, innovating new product models, and recruiting top content contributors.

HIN Disclaimer: The opinions, representations and statements made within this guest article are those of the author and not of the Healthcare Intelligence Network as a whole. Any copyright remains with the author and any liability with regard to infringement of intellectual property rights remain with them. The company accepts no liability for any errors, omissions or representations.

Infographic: Hidden Encrypted Threats Impact Healthcare

November 11th, 2016 by Melanie Matthews

Healthcare organizations are increasingly targeted by cyber criminals seeking to steal electronic protected health information, electronic health records, personally identifiable information and other confidential patient data, according to a new infographic by A10.

The infographic examines the healthcare cyber threat, the need for SSL, why healthcare organizations have been slow to adopt SSL and the top SSL decryption tools.

2016 Healthcare Benchmarks: Digital HealthPerson-centric health management is slowly acknowledging the device-driven lives of patients and health plan members and incorporating these tools into care delivery and management efforts.

2016 Healthcare Benchmarks: Digital Health examines program goals, platforms, components, development strategies, target populations and health conditions, patient engagement metrics, results and challenges reported by healthcare organizations responding to the February 2016 Digital Health survey by the Healthcare Intelligence Network.

Get the latest healthcare infographics delivered to your e-inbox with Eye on Infographics, a bi-weekly, e-newsletter digest of visual healthcare data. Click here to sign up today.

Have an infographic you’d like featured on our site? Click here for submission guidelines.

Infographic: Cyber Attacks Hit Healthcare

April 4th, 2016 by Melanie Matthews

The healthcare industry is under pressure to advance its use of technology to control costs, digitize patient information and streamline operations. But with significant increases in cyber attacks and the sensitive nature of healthcare data, security is a growing concern, according to a new infographic by ESET.

The infographic examines: which threats healthcare organizations fear most; how healthcare breaches affect consumer behavior; and what security solutions are most effective.

Covered Entity Manual Covered Entity Manual is a template-style download manual that can be easily adapted to align with your compliance needs as a covered entity. All content complies with the Omnibus Rule.

Covered Entity-Specific Manual provides you with a generic, comprehensive set of policies and procedures: 33 privacy policies; 30 security policies; 6 policies that address common requirements of both the privacy and security rules; 1 breach notification policy; and 12 forms and templates, including a notice of privacy practices.

Get the latest healthcare infographics delivered to your e-inbox with Eye on Infographics, a bi-weekly, e-newsletter digest of visual healthcare data. Click here to sign up today.

Have an infographic you’d like featured on our site? Click here for submission guidelines.

Infographic: Healthcare Information Security

December 17th, 2014 by Melanie Matthews

Safeguarding healthcare information is everyone’s a shared responsibility across a healthcare organization. With well-publicized and recent cyber attacks affecting all industries, healthcare organizations need to take proactive steps to safeguard information, according to a new infographic by HIMSS and the National Cyber Security Alliance (NCSA).

The NCSA-HIMSS infographic can serve as a guide for healthcare organizations to help keep patient information safe and secure.

HIPAA Training for Employees DVD

HIPAA Training for Employees DVD provides training on the following HIPAA privacy and security compliance, including: privacy rule basics; use and disclosures; patient rights; employee behaviors to safeguard patient information; security rules; safeguards to protect patient information electronically; HITECH; breach identification and notification; enforcement and level of fines.

Get the latest healthcare infographics delivered to your e-inbox with Eye on Infographics, a bi-weekly, e-newsletter digest of visual healthcare data. Click here to sign up today.

Have an infographic you’d like featured on our site? Click here for submission guidelines.