M2SYS Healthcare Solutions: Mac McMillan, Chair, HIMSS Privacy & Security Policy Task Force
Mac McMillan, Chair, HIMSS Privacy & Security Policy Task Force
Topic: Healthcare IT Data Security HIPAA compliance, HIMSS Privacy & Security Task Force Objectives, What is Privacy, Technology Options to Protect Patient Data, Adoption Trends for Personal Health Information (PHI) Applications
Podcast length 35:02
HIPAA Rule Changes and How They Affect the Provider/Business Associate Relationship
September 23rd: HIPAA compliance deadline for providers and business associates on how Personal Health Information (PHI) is maintained and protected, along with changes to data breach notifications and enforcement.
Changes:
- Breach notification: changes to the reporting rules
- Business Associate status: how does the rule apply to business associates and sub-contractors?
- Privacy Provisions: help protect patient privacy through more effective data management
- Enforcement: new guidelines on what the penalties are and how they should be enforced
The relationship between business associates and covered entities has not fundamentally changed; what changed is the responsibilities of both parties.
HIPAA Rule Changes and How They Affect the Provider/Business Associate Relationship (continued)
- Business associates are now held more accountable for privacy and PHI data protection on work they are doing on behalf of the covered entity
- Covered entities: greater emphasis on vendor management in terms of due diligence before vendor contracting, making sure you convey privacy and security expectations, making sure you monitor vendor relationships closely, and ensuring you have measures in place for breach notifications and for how to deal with data after contract terminations
- New changes promote more accountability and transparency in the industry
Did you know? Nearly one-third of the 980 problems that HHS' Office of Civil Rights uncovered during privacy and data-security audits of 115 healthcare providers and insurers happened because the organizations were not aware of all of the requirements facing them, according to root-cause analyses performed by HHS contractor KPMG.
Source: Modern Healthcare, April 2013
The Difference Between Access and Possession of PHI Information & How it Impacts HIPAA Compliance
- If you create PHI, either originally or derivatively, or if you transmit or receive it, you are considered a business associate. The same holds if you have possession of the data, whether it be in your system or your environment, or if you have perpetual access to the information.
- You can't claim the conduit exemption unless you are only maintaining the data in your environment for as long as it takes the system to perform the transference process. Otherwise, if you take possession of the data for any other reason (hosting, backing up, storing, etc.), you are a business associate.
- Even if the covered entity sends encrypted information, if you possess it, you are still considered a business associate. Business associates are responsible for the entire Security Rule.
- The new rule defines possession of information as a stipulation for compliance; possession assumes access.

- It is important not to make decisions or establish policy guidelines based on fear; it's better to enact policy based on what is known
- Patients may fear the known more than the unknown (e.g. data breaches, medical identity theft, fraud)
- Consumers understand that their information is at risk
- Consumers have a much higher level of confidence in their healthcare provider's ability to protect PHI than in organizations or the government
- Organizations should base their policies on what they know (what the threat is), what the risks are, and what their controls environment will enable, and make smart decisions on how they craft policies to alleviate or mitigate the risk of negative occurrences
- Fear is a good motivator for making organizational change

The problem with a lot of modern technological solutions for healthcare is that many do not necessarily have adequate security functionality, due to a lack of industry standards or protocols.
Did you know?
More healthcare facilities are researching the use of biometric identification for employee access control and accurate patient identification. Biometrics has great potential to increase patient safety, reduce the cost of care, and eliminate fraud and identity theft.
- Patients have more confidence in a portal that is provided by their caregiver rather than a third-party vendor
- Patients will start to adopt more responsibility for their medical information; they are seeking more visibility and portable platforms
- Patient engagement as part of Meaningful Use Stage 2 will help drive up adoption of PHI applications
- Almost every hospital now has its own version of a patient portal; increased accessibility will also drive up adoption rates
Did you know? Approximately 50% of U.S. hospitals and 40 percent of U.S. physicians in ambulatory practice possess some type of patient portal technology, mostly acquired as a module of their practice management (PM) or electronic health record (EHR) system.
Source: Frost & Sullivan report, September 2013
Thank you to Mac for his time and knowledge for this podcast! Please follow Mac on Twitter (@mmcmillan07) and visit his Web page: www.cynergistek.com
Contact Information
John Trader
PR and Marketing Manager
M2SYS Healthcare Solutions
1050 Crown Pointe Pkwy., Suite 850
Atlanta, GA 30338
jtrader@m2sys.com
770-821-1734
www.m2sys.com
Podcast home page: http://www.m2sys.com/healthcare/healthcare-biometricspodcasts/
Twitter: twitter.com/rightpatient
Facebook: facebook.com/rightpatient
LinkedIn: linkedin.com/company/m2sys-technology