With malicious data breaches on the rise, esoteric government regulations, and rising operational expenses, what should a healthcare organization do about compliance?
Earlier this month the Ponemon Institute released its fifth annual report on the Privacy & Security of Healthcare Data. The independent study identified current healthcare industry risks and trends, estimated the cost of those risks, and suggested strategies to help reduce and mitigate them.
The study found that Protected Health Information (PHI) data breaches are costing the healthcare industry an estimated $7 billion a year. Of the 472 healthcare entities surveyed, more than 90% had a data breach in the last year. Among those that experienced a breach, 69% of respondents said the breach was discovered by a U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) audit, 44% said an employee detected it, and 30% said it was discovered via a patient complaint (the poll permitted multiple responses).
“In the past two years, healthcare organizations spent an average of more than $2 million to resolve the consequences of a typical data breach”
— 2015 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data from Ponemon Institute
This year was the first time that criminal attacks were the number one cause of data breaches in healthcare; a whopping 57% of those breaches were caused by a party with malicious intent. As mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), every Covered Entity (healthcare providers, health insurance companies, health clearinghouses, etc.) is required to have a HIPAA Compliance/Privacy Officer. In 2013, with the amendment of the Final Omnibus Rule, this mandate was extended to all Business Associates (any entity that performs functions involving the use or disclosure of protected health information on behalf of a Covered Entity), with increased penalties for any violations.
“This Final Omnibus Rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes…strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”
— Leon Rodriguez, Director of HHS Office for Civil Rights
With HIPAA audits being such a successful mechanism for detecting PHI breaches, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has just entered the next phase of its ongoing random audits, and throughout 2015 many Covered Entities (CEs) will be receiving pre-audit surveys from the OCR. The OCR has stated the process will continue, with select CEs, as well as their Business Associates (BAs), being audited.
With these staggering statistics and the challenging regulations in mind, the healthcare industry has come to recognize the critical need for a HIPAA Compliance Privacy Officer with an Information Security background within their organizations. The duties and responsibilities of a HIPAA Compliance Privacy Officer require an individual with a wide breadth of knowledge and expertise to oversee ongoing compliance activities within the organization; this involves the development, implementation and maintenance of privacy policies and operations to ensure the organization is in full compliance with Federal and State privacy laws.
Unfortunately, this can be very difficult for many small to medium-size businesses (SMBs), which must overcome daunting challenges like lack of time, resources, and expertise. In many SMB organizations, the individual designated as the organization's HIPAA Officer is typically performing other duties and has primary responsibilities elsewhere; that person often faces too much responsibility while being challenged by a lack of sufficient time and resources.
At the same time, for SMB organizations, hiring someone exclusively devoted to HIPAA Compliance is prohibitively expensive for the ongoing duties, especially once an effective compliance program has been established. The U.S. Department of Labor's Occupational Employment and Wages report of May 2014 puts the mean annual wage of a Compliance Officer in the NY-NJ Metropolitan region at $83,590, excluding employee benefits, and the annual median wage at $108,886.
“If you handle protected health information, you may be able to get by without understanding the details of health reform, but you cannot survive in your job if you do not understand and comply with the HIPAA/HITECH rules. Anyone involved in the health care business who does not comply with these laws is a walking liability.”
— James C. Pyles, Board of Directors of a National Physician House Call Association
Put succinctly, many organizations are simply not large enough to warrant the expense of a full-time Privacy Officer, and a part-time Privacy Officer as a secondary duty does not work because of the need to stay current with the complexities of Federal and State privacy regulations.
It is today’s challenging regulatory laws, coupled with the growing threat of security breaches and the dilemma of funding a full-time Privacy Officer, that drive many organizations to turn to outside HIPAA Compliance experts for assistance. Several independent studies and healthcare analysts recognize that outsourcing HIPAA Compliance has significant advantages.
Introducing vCompliance Services
A Synergy of Health Information Privacy Compliance with Leading IT Services and Security Experience
Benefits of vCompliance over in-house Health Information Privacy Compliance:
- Reduced cost of recruiting, supporting full-time staff and employee benefits
- Full regulatory compliance with regular Executive-level reports on all compliance functions
- Detailed knowledge of all Healthcare Information related Federal and NY and NJ State Laws and Regulations
- Hands on experience in dealing with privacy issues in various settings including mitigating OCR audits
- Predictable and accurate budgeting for exactly the compliance services you need
What Differentiates vCompliance from others?
- IT security expertise and best practices that complement HIPAA Compliance for true end-to-end compliance, including policies, procedures, reporting, risk management, user training and IT safeguards
- Experience in supporting hundreds of healthcare providers and thousands of clinical staff
- Healthcare Information Systems Engineers with functional background knowledge and experience with a myriad of EMR, PMS, PACS, RIS, LIS and HIE systems
- Healthcare Information and Management Systems Society member with HIPAA-HITECH-Omnibus certification
Evaluate and Assess Your HIPAA Compliance for Free
HIPAA compliance assessments evaluate regulatory obligations, current level of compliance, and gaps with respect to HIPAA-HITECH-Omnibus Privacy and Security.
Contact us at (212) 915-0590 for a HIPAA Compliance Assessment that will provide you with a report of your compliance gaps, a priority ranking of your risks, and recommendations for mitigating your risks.
Do not risk the medical and financial well-being of your patients and the credibility and future business of your healthcare organization.