Role Based Access Governance and HIPAA Compliance

The recently passed Health Information Technology for Economic and Clinical Health Act
(HITECH) has meant significant changes to the Health Insurance Portability and Accountability
Act (HIPAA). Where HIPAA was previously a reactive and vaguely defined statute, the HITECH Act brings
depth of requirements and stepped-up enforcement and penalties for HIPAA violations. In
addition, HITECH extends HIPAA coverage to related entities. For example, a healthcare
provider is now responsible for the HIPAA posture of its out-of-house pharmacy services,
billing services, claims processing services and overseas support desks. The updates reflect
the increasingly distributed and interconnected reality of most healthcare organizations.
As a result, HIPAA compliance has become more important (and challenging) than ever.

The act imposes more stringent regulatory and security requirements on the privacy
rules of HIPAA, such as extending the covered entities to include business associates and
related third-party vendors in the healthcare industry, increased audit requirements, more
proactive measures to protect personal healthcare information (PHI), increased civil penalties
for a compliance violation of HIPAA, and stricter notification requirements for security
breaches of protected information.

The result should be better governance and risk management, but it will come at the cost
of increased challenges for covered organizations. IT security and business unit stakeholders
in particular will be challenged in a variety of ways. Compliance with the letter of the
guideline can be difficult for organizations without strong access governance processes and
policies. Complicating matters, demonstrating compliance through an annual user access
review and certification process can be even more complex and time-consuming, which
leaves organizations less time to focus on patient care and related activities.
The net result is higher operational and regulatory risk exposure.

Background:
The digital revolution in healthcare has provided an opportunity to greatly streamline
operations and increase levels of patient care and efficiency. But it has not been without
consequences. The risk of compromise of PHI is very real. The Identity Theft Resource Center
estimated that healthcare organizations were responsible for 20.5% of all data breaches in
2008, and the prevailing causes of these incidents, while difficult to solve, are well known. Access
governance is at the core of the issue. At the 2008 HIMSS Conference, 64% of audience
members identified user access as their number one IT security concern.

Legislative bodies have long recognized the importance of risk management in healthcare.
HIPAA was passed by Congress in 1996 as a means to amend existing regulation to reflect
the realities of modern healthcare. The act recognized the need to move towards freer but
more secure exchange of PHI, and included specific provisions aimed at administrative
simplification and the privacy and security of electronic data interchange (EDI).