Photo via Maxpixel
“There is no perfect security and bad things can happen,” says Tim Feldman.
Vigilance is key, and now more than ever healthcare providers and their third-party vendors need to work together to secure health information while maintaining HIPAA compliance. HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the United States law that sets out data privacy and security requirements for safeguarding medical information.
Tim Feldman, vice president and general manager of Healthcare Compliance & Reimbursement at Wolters Kluwer Legal & Regulatory US, maintains that the buck does not stop at reaching the required compliance level: healthcare organizations and their IT departments need to strive for a security posture well above the minimum that compliance demands.
Feldman says, “Compliance requires a commitment. It’s not a point in time; it’s an ongoing state of being. The organization really has to be vigilant, continue to evolve, and constantly be testing its compliance capabilities. It needs to constantly be training its employees.” He further explained, “You get into trouble when you stop doing that and when you consider, ‘Oh, we passed our HIPAA assessment, etc., so we’re good to go.’ It really doesn’t work that way.”
Organizations need to remain vigilant and keep up to date with current laws and frequently changing guidelines. Feldman believes IT teams should also receive proper training and regular reminders of what it means to be a protector of a covered entity’s PHI, and of the responsibility that comes with that role. Protected health information, under US law, is any information about health status, provision of health care, or payment for health care that is created or collected by a covered entity or a business associate of a covered entity and can be linked to a specific individual.
“Education and training is incredibly important because you are committing to these things in business associate agreements,” Feldman says. “It used to be that the covered entity bore most, if not all, of the responsibility. They were responsible for the business associates. The deep pockets were always going to be in the primary covered entity. Now, since the Omnibus rule, that has changed, where the business associates and their subcontractors are individually liable.”
The HIPAA Omnibus Rule, in a health information technology (HIT) context, is a rule enacted by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) that modifies the HIPAA Privacy, Security and Enforcement Rules to implement the statutory amendments introduced by the Health Information Technology for Economic and Clinical Health (HITECH) Act.
This is why a coordinated team effort between providers and third-party vendors has never been more necessary for securing healthcare patient data.