Some of the newest findings on HIPAA compliance represent the top challenges faced by companies and health care institutions dealing with the laws on sensitive patient data. As the Department of Health and Human Services gears up to perform 2014 audits for HIPAA compliance, provider administrators and others are looking at issues like HIPAA-compliant hosting for Web-delivered systems, compliance for cloud security and other HIPAA requirements.
Some of the newest findings on HIPAA compliance represent the top challenges faced by companies and health care institutions dealing with the laws on sensitive patient data. As the Department of Health and Human Services gears up to perform 2014 audits for HIPAA compliance, provider administrators and others are looking at issues like HIPAA-compliant hosting for Web-delivered systems, compliance for cloud security and other HIPAA requirements.
Common Challenges with HIPAA
One recent survey conducted by Healthcare Info Security looks at the challenges healthcare businesses face in implementing the HIPAA Omnibus Rule and what they are doing to improve compliance and protect themselves from risk. One of the top findings in this particular study is that there are several consistent pain points that providers and other medical offices report in their efforts to achieve HIPAA compliance.
Training and Educating Staff
The biggest challenge noted in this survey revolves around training and educating staff on aspects of HIPAA compliance. A full 50% of respondents claimed this as the single biggest hurdle related to the new HIPAA Omnibus Rule and other regulations in the industry. This kind of training may involve teaching staff to use secure technologies for digital transmission or to protect display information within an office or out in the field.
Healthcare professionals should not underestimate the severe consequences of an uneducated staff attempting to maintain HIPAA compliance. A recent release by U.S. Department of Health & Human Services describes a breach caused by a physician attempting to deactivate a personally-owned computer server on a network containing protected health information (PHI). When the server was deactivated, a lack of technical safeguards in this employee-administered network made the information of 6,800 individuals available on the major search engines. The breach resulted in a hefty $4.8 million settlement.
Business Associate Agreements
The next biggest challenge reported involved business associate (BA) agreements. 46% of respondents cited the challenge of creating and maintaining business associate agreements, and another 45% also mentioned the challenge of getting business associates to comply with all HIPAA regulations. Changes to HIPAA in 2013 put third-party businesses under the umbrella of HIPAA regulation, labeling them as business associates. Any third-party business, such as a cloud computing provider that handles health data for a medical office is considered a business associate. Under HIPAA regulations, business associates must comply with aspects of the HIPAA privacy law and will be subject to audits by the Office for Civil Rights (OCR). They will also be held accountable in case of any violations or breaches. BA agreements should explicitly state the permitted and required uses and disclosures of protected health data and explain how a BA will report and respond to a security breach.
These challenges and pain points emphasize the importance of healthcare organizations partnering with the right HIPAA cloud provider. The right partner will have extensive experience signing business associate agreements and a complete HIPAA certification alleviating IT administrators’ worries of maintaining compliance of their backend infrastructure.