Navigating Healthcare Compliance

With malicious data breaches on the rise, esoteric government regulations, and growing operational expenses, what should a healthcare organization do about compliance?

Earlier this month the Ponemon Institute released its fifth annual report on the Privacy & Security of Healthcare Data. The independent study identified current healthcare industry risks and trends, estimated the cost of those risks, and suggested strategies to help reduce and mitigate them.

The study found that Protected Health Information (PHI) data breaches are costing the healthcare industry an estimated $7 billion a year. Of the 472 healthcare entities surveyed, more than 90% had a data breach in the last year. Among those organizations that experienced a breach, 69% of respondents said the breach was discovered by a U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) audit, 44% said an employee detected it, and 30% said it was discovered via a patient complaint (the poll permitted multiple responses).

“In the past two years, healthcare organizations spent an average of more than $2 million to resolve the consequences of a typical data breach”
— 2015 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data from Ponemon Institute

This year was the first time that criminal attacks were the number one cause of data breaches in healthcare; a whopping 57% of those breaches were caused by a party with malicious intent. As mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), every Covered Entity (healthcare providers, health insurance companies, health clearinghouses, etc.) is required to have a HIPAA Compliance/Privacy Officer. In 2013, with the Final Omnibus Rule amendment, this mandate was extended to all Business Associates (any entity that performs functions involving the use or disclosure of protected health information on behalf of a Covered Entity), with increased penalties for violations.

“This Final Omnibus Rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes…strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
— Leon Rodriguez, Director of HHS Office for Civil Rights

Because HIPAA audits have proven such a successful mechanism for detecting PHI breaches, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently entered the next phase of its ongoing random audit program, and throughout 2015 many Covered Entities (CEs) will receive pre-audit surveys from the OCR. The OCR has stated that the process will continue with selected CEs being audited, as well as those CEs' Business Associates (BAs).

With these staggering statistics and the challenging regulations in mind, the healthcare industry has come to recognize the critical need for a HIPAA Compliance Privacy Officer with an Information Security background within each organization. The duties and responsibilities of a HIPAA Compliance Privacy Officer require an individual with a wide breadth of knowledge and expertise to oversee ongoing compliance activities within the organization; this involves the development, implementation and maintenance of privacy policies and operations to ensure the organization is in full accordance with Federal and State privacy laws.

Unfortunately, this can be very difficult for many small to medium-size businesses (SMBs), which must overcome daunting challenges such as a lack of time, resources, and expertise. In many SMB organizations, the individual designated as the HIPAA Officer already has primary responsibilities in another role, and so is often faced with too much responsibility and too little time and too few resources.

At the same time, for SMB organizations, hiring someone exclusively devoted to HIPAA Compliance is prohibitively expensive for the ongoing duties, especially once an effective compliance program has been established. The U.S. Department of Labor, Occupational Employment and Wages, May 2014, reports the mean annual wage of a Compliance Officer in the NY-NJ metropolitan region to be $83,590 excluding employee benefits, and the annual median wage to be $108,886.

“If you handle protected health information, you may be able to get by without understanding the details of health reform, but you cannot survive in your job if you do not understand and comply with the HIPAA/HITECH rules. Anyone involved in the health care business who does not comply with these laws is a walking liability.”
— James C. Pyles, Board of Directors of a National Physician House Call Association

Put succinctly, many organizations simply are not large enough to warrant the expense of a full-time Privacy Officer, and a part-time Privacy Officer as a secondary duty does not work because of the need to stay current with the complexities of Federal and State privacy regulations.

Today's challenging regulatory laws, coupled with the growing threat of security breaches and the dilemma of paying for a full-time Privacy Officer, are driving many organizations to turn to outside HIPAA Compliance experts for assistance. Several independent studies and healthcare analysts recognize that the decision to outsource HIPAA Compliance has significant advantages.

GoVanguard and get back to business.

Introducing vCompliance Services
A Synergy of Health Information Privacy Compliance with Leading IT Services and Security Experience

Benefits of vCompliance over in-house Health Information Privacy Compliance:

  • Reduced cost of recruiting, supporting full-time staff and employee benefits
  • Full regulatory compliance with regular Executive-level reports on all compliance functions
  • Detailed knowledge of all Healthcare Information related Federal and NY and NJ State laws and regulations
  • Hands-on experience in dealing with privacy issues in various settings, including mitigating OCR audits
  • Predictable and accurate budgeting for exactly the compliance services you need

What Differentiates vCompliance from others?

  • Expertise
    IT security expertise and best practices that complement HIPAA Compliance for true end-to-end compliance, including policies, procedures, reporting, risk management, user training and IT safeguards
  • Experience
    Experience in supporting hundreds of healthcare providers and thousands of clinical staff
  • Knowledge
    Healthcare Information Systems Engineers with functional background knowledge and experience with a myriad of EMR, PMS, PACS, RIS, LIS and HIE systems
  • Trust
    Healthcare Information and Management Systems Society member with HIPAA-HITECH-Omnibus certification

Evaluate and Assess Your HIPAA Compliance for Free
HIPAA compliance assessments evaluate regulatory obligations, current level of compliance, and gaps with respect to HIPAA-HITECH-Omnibus Privacy and Security.
Contact us at (212) 915-0590 for a HIPAA Compliance Assessment that will provide you with a report of your compliance gaps, a priority ranking of your risks, and recommendations for mitigating your risks.
Do not risk the medical and financial well-being of your patients and the credibility and future business of your healthcare organization.

The Hidden Cost of an Aging IT Infrastructure.

With the proliferation of virtualization & cloud services, businesses now have access to IT solutions previously only afforded to Fortune 500 budgets & staff. Businesses are benefiting from the Infrastructure as a Service (IaaS) model to quickly deploy & develop IT solutions, while capping & managing IT costs.

All these solutions and technologies can be overwhelming to some SMB owners, who often decide to continue using their aging, but working, IT solutions and infrastructure. Old systems typically require more maintenance and upkeep, and critical hardware should be refreshed every 3 – 5 years to ensure business continuity. Unfortunately, most businesses don't realize the hidden costs of relying on these antiquated systems until it is too late and they are forced to deal with downtime, downtime that typically occurs at the worst possible moment and affects the business's bottom line.

In a best-case scenario, good backup practices exist and services can be restored within 24 hours with minimal data loss, depending on hardware availability. Even in this scenario, there will typically be a large cost attributed to the time and manpower required to bring services back online, to repair existing hardware or purchase new hardware, and a profit loss from having to stop business until systems are back online. This is the best case, and it is still enough to put a noticeable ding in most businesses' balance sheets.

In a worst-case scenario, good backups don't exist, you find yourself in an exorbitantly expensive data recovery situation, and your business grinds to a halt for days, maybe even weeks or months. The fact is, most businesses that do not have backups or a business continuity plan in place never recover from such a catastrophic failure and are forced to shut down.

Business Continuity plans used to be cost-prohibitive for the SMB market, so SMBs would rely on their standard backups. This is no longer the case, and many savvy businesses are moving their critical infrastructure to the cloud to avoid the aforementioned scenarios. Some businesses are taking advantage of Hybrid Cloud deployments, leveraging their existing onsite infrastructure with a connected cloud solution; something previously only accomplished by hosting servers at a costly datacenter, colocation facility, or remote office.

Every business has different needs and budget requirements. Cloud solutions may work for some businesses, whereas others may need to keep onsite infrastructure. We here at Vanguard recognize this and will work with you to design customized solutions to help your business avoid the aforementioned costly scenarios and mitigate potential downtime.

We create secure business focused solutions for our clients every day and strengthen our offerings by partnering with companies/services like Microsoft Azure, Amazon AWS, Rackspace and more.

Don't become a statistic by not realizing the hidden cost of aging infrastructure before it's too late.

Contact us today for a free discovery to understand your options.