Page 37 - CDM-Cyber-Warnings-January-2014
compliance perspective. This will help identify overlaps and create a high-level mapping, maximizing ROI by avoiding duplicated effort. Following these recommendations will help organizations meet the C.I.A. benchmark (Confidentiality, Integrity and Availability), surpass the current alphabet soup of regulatory compliance requirements, and avoid a baptism by fire.

I recently interviewed three HIPAA subject matter experts: Gerry Blass, CEO of Comply Assistant and a 35-year veteran of healthcare IT and compliance; a second who is also a PCI-DSS subject matter expert and a former PCI QSA (Qualified Security Assessor), currently working as an information security officer within a large hospital; and a third who is a retired law enforcement officer, currently working as a fraud investigator for a large healthcare organization supporting Medicare. The QSA and the LEO have chosen not to be named in this article. I also chose the most relevant answers from the three subject matter experts, which is why not all three are quoted under each question.

1. What do you think about the new HIPAA Security rules that went into full effect in September 2013 and extend HIPAA requirements to "business associates"?

QSA: While the rules attempt to be flexible, they are too open to interpretation. Basic standards must be mandated in order to attain any sort of level playing field. Each covered entity is allowed to choose the safeguards that best meet its individual needs. The types of protections applied may therefore not be the same across all participants exchanging electronic health information to or through a health information organization (HIO), and some participants may not be covered entities based on the definition. The net: the entity must fend for itself, which in many cases may be expensive and/or time consuming.

LEO: Most firms associated with Medicare have, for the past several years, been complying with similar standards.

2. What gaps do you find in the new HIPAA regulations?
QSA: The Privacy Rule's safeguards standard, while flexible, does not prescribe any specific practices or actions that must be taken by covered entities. The Accountability Principle contains Administrative Requirements, which include workforce training. The rule speaks to privacy and policies, but there are no rule sets for what policies should entail, nor for how the policies should be disseminated, updated, and acknowledged by the employees of a Business Associate. These types of issues leave an entity at risk, as there is nothing, no metric, no standard, no "flag bearer", against which an entity can compare itself and its fulfillment of the requirement.

3. How have these new rules impacted the healthcare ecosystem?

QSA: A common set of standards applied to covered entities may help not only to facilitate the efficient exchange of information, but also to foster trust among both participants and individuals. However, unless there are standards for communication (not only what can be transmitted, but how, and by whom to whom), there is risk to any ecosystem. Larger entities may