
Billing_JanFeb15

The Journal of the Healthcare Billing and Management Association

access to a workstation, transaction, program, or process;
• Confirming the existence of a security awareness and training program for all workforce members;
• Ensuring that periodic security updates are provided;
• Ensuring that procedures are in place for guarding against, detecting, and reporting malicious software;
• Ensuring procedures are in place to monitor log-in attempts and report discrepancies;
• Assessing the relative criticality of specific applications and data in support of other contingency plan components;
• Limiting physical access to electronic information systems and the facilities in which they are housed while allowing properly authorized access;
• Ensuring electronic PHI is stored in an encrypted format;
• Ensuring that an electronic session is terminated after a predetermined period of inactivity;
• Ensuring electronic PHI is protected from improper alteration or destruction;
• Ensuring improper modification of transmitted electronic PHI can be detected; and
• Ensuring a mechanism is in place to encrypt electronic PHI when transmitted.

“The standards for HIPAA/HITECH data security compliance demanded by a third-party examiner are rigorous and not easily achieved,” says Ratcliffe. “In order for the vendor to attain near zero tolerance, especially since the Centers for Medicare & Medicaid Services has not issued standards yet, the meticulous nature of the exam is by design. It is precisely the demanding, arduous, thorough nature of the examination that provides validation.”

Confidentiality

While some may question whether a service provider would truly be willing to undergo such an examination into security, technology, logistical controls, and other proprietary information, Ratcliffe says that providers are not required by law to reveal every detail of the findings of their third-party examination. A confidentiality agreement between the service provider and the auditing firm ensures that the exam’s results remain protected. Full disclosure to clients is generally voluntary, and a brief summary letter from the third-party examiner should suffice as proof of compliance.

Steps to Compliance

After examining each aspect of the service provider’s security, the auditing firm may make several recommendations to enhance compliance with federal regulations. As such, an assessment wouldn’t be considered a pass/fail exam, but rather an inventory of existing policies, procedures, and safeguards; a period of adding or adjusting said policies and procedures; and a final assessment to confirm that all requirements and addressable items have been met.

“While it’s true that a small percentage of compliance and control examination engagements take longer to conclude than others because more deficiencies are discovered, all are eventually corrected to the satisfaction of our team of professionals,” says Ratcliffe. “Items that typically require work before a security provider can obtain a satisfactory assessment include inside threats caused by complacency or failure to follow protocols, along with the lack of a process for regularly scheduled privilege reassessment.”

Knowing that your vendors have submitted to a thorough assessment of security practices as they relate to HIPAA/HITECH data standards goes a long way toward ensuring your own compliance and providing peace of mind to your clients, but a side benefit may be found in the burden of liability.

“Our recent research concludes that there is a trend in the cyber security insurance industry for underwriters to look more favorably on vendors and their clients that have achieved compliance and controls assessments from a recognized third-party examiner,” says Ratcliffe. “They view data security as a management mindset, both positively and negatively. While the liability burden may not change, cyber security brokers have said their underwriters may consider a slight premium reduction for businesses successfully completing a formal, third-party CPA or examination.”

While HIPAA/HITECH certification does not currently exist, it may be useful to go the extra mile and see whether your vendors have taken the initiative to have their policies and procedures assessed. In the world of data, you can never be too safe.

Leslie Haywood is CEO of eBridge, a Tampa, Florida-based provider of hosted document management solutions for the medical billing and healthcare industry. For more information, visit www.eBridge.com or email LHaywood@eBridge.com.

