Billing_JanFeb15

FEATURE STORY

Vendor Security

WHAT IT MEANS TO BE HIPAA COMPLIANT

By Leslie Haywood

HIPAA compliance is a must, not only for your billing company but also for your vendors. Any third party that has access to your clients’ electronic protected health information (PHI) – whether a document management system, a scanning provider, a storage facility, etc. – must demonstrate its own compliance with data security regulations as set forth by the Department of Health and Human Services.

It would be rare, if not unheard of, to come across a healthcare service provider that does not assert HIPAA compliance. Indeed, the vast majority of vendors will meet HIPAA/HITECH data security standards. But in today’s competitive climate, it is becoming more common for service providers to take the additional step of obtaining an independent audit of policies and procedures to ensure they fully meet federal law.

“More and more, we are seeing requests for proposals requiring letters of attestation or third-party examination,” says Eric Ratcliffe, director of sales for 360 Advanced, a Tampa, Florida-based licensed CPA firm and PCI-qualified security assessor (QSA) that independently assesses the security of vendors seeking to emphasize their commitment to compliance to potential customers.

This leads to the question: What does it really mean when a vendor says it has completed a successful HIPAA security audit?

The Steps of an Audit

“The general trend in the cyber security insurance industry is toward favoring firms that have completed an outside compliance examination successfully,” Ratcliffe says. “And, of course, at the end of the day, compliance should matter significantly to all management and staff in the vendor organization as an element of the service culture.”

HIPAA rules protect all individually identifiable health information, and covered entities must have a contract with each service provider handling PHI that defines the business relationship and the provider’s obligations under law. In the course of a HIPAA security audit, an auditing firm thoroughly examines the risks and vulnerabilities that may come up regarding the confidentiality, integrity, and availability of electronic PHI. In addition, a service provider is required to implement or demonstrate that it has policies and procedures in place to:

• regularly review records of information system activity (e.g., audit logs, access reports, security incident tracking reports);
• create, change, and safeguard passwords;
• identify and respond to suspected or known security incidents, mitigate the harmful effects of known security incidents, and document security incidents and their outcome;
• respond to an emergency or other occurrence that damages systems containing electronic PHI;
• specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic PHI;
• govern the receipt and removal of hardware and electronic

The Journal of the Healthcare Billing and Management Association 15
