From opensesame by Brian Johnson
Rapid adoption of health IT has transformed healthcare over the last five years. Hospitals have long relied on digital technology, but for many ambulatory providers working in smaller practices, the switch to Electronic Health Records (EHRs) has been recent and rapid. It was driven by the government’s Meaningful Use Program, which helped to pay for the new systems.
Smaller practices typically lack their own IT staff, so the opportunities for service providers are profound. In fact, the government estimates that there are 2 million to 3 million so-called Business Associates (BAs) that provide services to the 700,000 medical organizations in the United States.
But this expansion of opportunity has also brought new federal regulation. The HITECH Act, which funded the adoption of EHRs, also required BAs to follow the same HIPAA requirements as healthcare organizations. For the first time, companies that provide IT support or merely host medical data in the cloud have had to meet HIPAA requirements.
They also are subject to federal investigation and fines if they do not follow the law.
There are three basic steps required for HIPAA compliance, but the most important for BAs is training. In fact, BAs trying to understand the new regulatory landscape should start by training at least one member of their staff as a Compliance Officer. HIPAA requires special training for the Compliance Officer, but it also makes sense for BAs. The Compliance Officer is the one who can guide the organization through all the other HIPAA requirements.
The Compliance Officer can oversee training for the rest of the staff. In fact, the law requires anyone who has access to Protected Health Information (PHI) to receive regular training.
The Compliance Officer will also be key in guiding the company through the Security Risk Analysis (SRA), which is the second basic step. The Risk Analysis is a comprehensive review of compliance gaps and vulnerabilities. It is essentially a roadmap to the company’s compliance. Although it is best to use independent auditors, the process is much more efficient with a Compliance Officer in charge.
The third fundamental of compliance is implementing policies and procedures. These policies and procedures are essential to administrative compliance.
An IT company that has implemented HIPAA compliance has profound opportunities for providing services to healthcare organizations. For one, they can market themselves as HIPAA-compliant. Many practices are still catching up on their own compliance, and they are searching for help with both HIPAA and technology. A BA that can demonstrate HIPAA compliance has a major competitive edge.
The BA can also provide compliance services out to medical practices. Many practices will pay a higher managed service fee if it includes a compliance solution, so the practice can “consume” compliance without having to organize the effort. Similarly, BAs can offer encryption services to their medical clients, because encrypted health data does not have to be reported to the government or patients if it is lost or exposed. The government reports that about 60 percent of all health data breaches could have been by encryption. BAs can also offer encrypted email, which is also required.
Finally, many medical practices are already ready to replace their original EHR and upgrade their hardware. Many others are moving into the cloud. BAs that understand compliance and the transformation of health IT are well-positioned to benefit.
Sign up for the Certified Health IT Security Professional course to kickstart your compliance. The course provides all the training needed to serve as the Compliance Officer required by HIPAA. It also includes training on government requirements for encryption, PCI DSS in healthcare, and more!