Recent Articles

Healthcare Security Compliance

Healthcare security is in for changes in 2009...

There have been a number of recent developments affecting healthcare security and compliance.

One is a significant penalty levied against CVS by the FTC and DHHS: $2.25M. First, let's look at the compliance issue. CVS employees apparently disposed of sensitive data (PHI, credit card, and insurance information) by dumping it in the trash, where anyone could discover it. And here I thought dumpster diving was a lost art form.

Because this was a joint investigation, and because historically the FTC has been far more willing to impose stiff penalties than has DHHS/CMS, I think the serious penalty probably has more to do with the FTC's involvement than with any real shift in HIPAA compliance enforcement on the part of DHHS. As I previously blogged about here, DHHS is doing a handful of audits (<20) of large healthcare providers, which is a move towards getting more serious, but not a huge move, given that there are ~5,000 hospitals in the US.

Another recent development in the healthcare security area is the HITRUST Alliance, which comprises a number of large healthcare providers. This organization has a laudable goal of building a "common security framework" for healthcare organizations. They have buy-in and involvement from CISOs at large HCOs. They are apparently making progress, as they have a launch event scheduled for 3/3/09. From the information available on the website, they are getting to a more detailed level than the HIPAA Security Rule does, which is a good and welcome thing.

I wonder about adoption, given that this is not attached to any compliance regulation or enforcement. The healthcare industry has been famous for avoiding getting serious about security for a long time. Perhaps this will be picked up as something required for JCAHO accreditation, which is important to HCOs, or perhaps it will get referenced in the new privacy and security standards mentioned in the recovery bill, as a future requirement to be addressed as part of a move towards electronic health records. Time will tell. Certainly, if the healthcare industry moves seriously towards EHRs, and towards linking different providers' networks via regional/national health information networks, security and privacy are BIG issues, and the current HIPAA Security and Privacy Rules aren't sufficient.

Jim


IT Knowledge Exchange

An IT compliance resource I am happy to recommend:

IT Knowledge Exchange is a community of like-minded IT professionals, seeking answers to their toughest IT questions while lending their own expertise. It is a great place to ask questions pertaining to compliance. Check out their compliance tag page for questions that have already been asked and answered in the community:

http://itknowledgeexchange.techtarget.com/itanswers/tag/compliance/

Users are rewarded for their level of participation in the community: giveaways of t-shirts, gift cards and gadgets run frequently on the site to reward the most active members or great question- and answer-writing skills.

IT Knowledge Exchange, aside from being a community of IT experts, also hosts user blogs, as well as editorial blogs from within the TechTarget network. SearchCompliance.com's blog, IT Compliance Advisor, is hosted here, as are compliance-focused user blogs such as Regulatory Compliance, Governance and Security and IT Governance, Risk and Compliance.

IT Knowledge Exchange is a great resource for any IT professional who wants answers straight from the best source: their peers. Check out IT Knowledge Exchange today:

http://itknowledgeexchange.techtarget.com/itanswers


The Joint Commission, a non-profit organization that publishes standards for healthcare organizations and runs an accreditation program, is updating some of its standards for 2009, including some that impact information security.

NIST SCAP

NIST SCAP: a protocol and standard to ease data gathering for security management, risk management, and compliance measurement.

Automated Compliance Checking

New developments in NERC/FERC compliance, control system security


Recent Compliance, Risk Management, Security News

HIPAA Enforcement Happening in 2008

This just in: HIPAA is now being enforced to some extent. On the heels of the audit of a major healthcare organization by DHHS' Office of the Inspector General (Piedmont Hospital, reported here), CMS has announced its intention to conduct its own reviews of 10-20 healthcare organizations, to determine their compliance with the HIPAA Security and Privacy regulations. CMS has hired PricewaterhouseCoopers to conduct the reviews. CMS will post on its website a checklist of the items it will be reviewing for.

After years of zero enforcement (enforcement and penalties were initially conceived of as being complaint-based), healthcare organizations now have two groups of regulators to worry about. The CMS reviews will be aimed at organizations which CMS calls "filed against entities", which are organizations that have experienced complaints.

For healthcare IT folks, this means taking compliance with HIPAA a little more seriously than has generally been the case.


