The threat of security breaches is no small problem in healthcare. Because of the sheer volume and variety of information contained in healthcare systems, the industry is one of the largest targets for thieves, especially for those who want to gain access to valuable protected health information (PHI).
To shield this sensitive health information, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is increasingly assessing compliance with the HIPAA Privacy, Security, and Breach Notification Rules with an audit program. The OCR audits help ensure adherence to data protection regulations, especially as they relate to business associates (BAs), who have access to millions of patient records.
Managing contracts and compliance data is a challenge for healthcare organizations today. The process often involves people and departments across the organization, requiring a secure but nimble system for tracking negotiations and approvals. Current regulations require healthcare providers to know more about who they are doing business with and to manage their vendor population with consistent scrutiny to maintain accurate data. Adding to the complexity, with mergers becoming more common, hospitals are seeing an increase in the number of local contracts, along with contracts outside of med-surg, that need to be maintained. As a result, organizations need to interact with contracts in new ways, with more flexibility, while maintaining even more data and security.
Managing business associate (BA) relationships in this era of change takes an ongoing approach. In fact, building a culture of compliance is the only way to make iterative improvements. So, does your organization demonstrate a culture of compliance through daily actions? Do you know the areas where the Office for Civil Rights (OCR) is putting the most emphasis? Does your organization understand the current definition of a business associate in the eyes of the OCR?
The Health Insurance Portability and Accountability Act (HIPAA) has evolved from a means to modernize information exchange in healthcare to now include Privacy, Breach Notification and Security Rules. The progression led to the initial audits of covered entities in 2011 and, ultimately, to the final Omnibus Rule in 2013, which folded business associates (BAs) into the liability equation regarding data breaches. The point is that protected health information (PHI) and ePHI are the responsibility of the entire industry.
The Office for Civil Rights (OCR) defines business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” If you fall into this category, this blog post is for you.
For hospitals and health systems today, it’s not a matter of WILL my organization get targeted by hackers but WHEN. Nearly 90 percent of healthcare organizations surveyed by the Ponemon Institute for its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data experienced a data breach in the past two years, and nearly half (45 percent) had more than five data breaches in the same time period.1
What are some of the biggest challenges that vendors face with credentialing?
When hospitals began creating credentialing programs they turned to their vendors, holding them accountable for meeting the new credentialing requirements. It turned out that many vendors were not prepared for the scope of this event. As companies endeavored to meet the variety of compliance requirements for each healthcare organization, the struggle to incorporate credentialing into everyday business practices came into the spotlight.
Protecting patient healthcare data is becoming a greater challenge for healthcare facilities as the industry transitions from manual to electronic information storage and sharing. The rising number of criminal attacks on hospital and healthcare system data and the sheer magnitude of individuals (over 30 million) affected by data breaches has resulted in greater regulatory pressure on healthcare organizations.
This past spring, many provider organizations received notice of yet another regulatory compliance assessment as part of their HIPAA accountability checklist.
The Department of Health and Human Services, Office for Civil Rights (OCR) announced the start of the Phase 2 HIPAA Audit Program to ensure that “policies and procedures adopted by covered entities and their business associates meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.” Indianapolis-based Eskenazi Health, one of the largest safety net health systems, was one of those organizations.
Anyone who sells to healthcare systems is aware that visiting sales and service representatives must meet a specific set of credentialing requirements for hospital access. These requirements are driven by the need to meet standards for patient safety, controlling costs and limiting exposure to fines and sanctions. These credentials become complex when you realize each facility requires different documentation and each facility manages it a little differently.
The OCR audits are already well underway. For those organizations that did not find a notice in their inbox, now is not the time to rest. The need for a robust credentialing and compliance program has never been more important.
Vendor representative credentialing has grown significantly in priority, and changed in scope, over the last several years with increased regulatory requirements. As the importance of a process became more and more apparent, many healthcare supplier organizations developed programs based on the immediate need or circumstance, with some evolving over time.
Maintaining accreditation and compliance with HIPAA regulations is an ongoing process for healthcare systems. In this post, Cheryl Watkins-Knowles, director of Purchasing for Palmetto Health, describes how their organization is using GHX Vendormate Credentialing and access management solutions to address their goals for accreditation and patient and staff safety, and to mitigate financial risk.