Assessing the interactions between your accreditation and HIPAA/HITECH
The relationship between your NIAHO accreditation and HIPAA/HITECH is more evident with the release last year of ISO 9001:2015 and recent updates from the US Department of Health and Human Services (HHS). Enforcement of the "rules" by HHS's Office of Civil Rights (OCR) is now happening, and findings of non-compliance can bring the hospital or entity significant fines. These rules come in three sets: Privacy (with 81 requirements), Security (with 78 requirements) and Breach Notification (with 10 requirements). Compliance with all 169 of these requirements is required.
A recent article (dated 7/5/16) stated that a nursing home system was fined $650,000 for repeat issues related to these rules. That's money that would have been better used somewhere else.
There are many controls that currently exist in your accreditation that affect your compliance to these rules from HIPAA/HITECH. Here's a brief rundown of existing accreditation controls that would mitigate these common HIPAA/HITECH findings:
1- Business associates (aka "suppliers", aka "contractors") are a common source of noncompliance. These persons are controlled per your purchasing and contracting controls in ISO and NIAHO. Properly written contracts will detail specific internal controls for managing devices, PHI, computer access, etc. Also, the required re-evaluation of these business associates will ensure compliance based on data collection and analysis of the highest-risk activities.
2- Improper disposal of PHI. Controls regarding disposition and protection of documented information (soft and hard copy) exist and all employees should be educated in this process.
3- Hacking of computer systems. Controls regarding maintenance of the infrastructure (hardware and software), addressing risks (which include cyber-risk) and opportunities, as well as Physical Environment (PE.1), all require protecting the infrastructure against hacking.
4- Lack of authorization for disclosing PHI. There are controls to protect and safeguard patient property, which includes PHI. There are also controls in Medical Records to assure the confidentiality of patients' medical records.
The silver lining is that your current accreditation provides the foundation for managing these potential, although common, HIPAA/HITECH non-compliances. At BlueSynergy, we can assist you with an assessment of your compliance with these rules. We will conduct a full compliance assessment against the 169 requirements of HIPAA/HITECH, based on the protocols given by HHS. As part of the report of this assessment, we will correlate the HHS requirements to the controls provided by your accreditation (NIAHO and ISO). This will allow you to conduct similar internal audits in the future and capture these same requirements. This will eliminate audit redundancy, save money and enhance your overall enterprise risk management system.
Interested? Contact Us for more information!