Regulatory Compliance in Healthcare Organizations

Written by
Published 04/03/2018
Regulatory Compliance in Healthcare Organizations

2017 acted as a call to action for those in the healthcare industry. Patient Health Information (PHI) incorporates everything hackers need to steal identities and compromise an organization’s reputation. Therefore, protecting PHI, and more importantly, electronic patient health information (ePHI) means that healthcare organizations need to be more diligent ensuring that their daily compliance activities match their policies.

Healthcare Regulatory Compliance

What Regulatory Compliance Requirements Affect Healthcare

Although the Health Insurance Portability and Accountability Act (HIPAA) gets the most screen time, organizations involved in healthcare need to incorporate the Health Information Technology for Economic and Clinical Health Act( HITECH) compliance as well. Although interrelated, 2009’s HITECH specifically intended to promote information technology while protecting privacy and security concerns regarding ePHI.

HITECH modified not only HIPAA but also the Social Security Act. Thus, understanding how the different regulatory compliance puzzle pieces fit together became more difficult.

How HIPAA and HITECH Are Similar

The Health and Human Services Department (HHS) oversees both HIPAA and HITECH compliance.

Healthcare organizations most often focus on HIPAA compliance because it established the Privacy Rule setting national standards regarding medical record and PHI protection. Since the Privacy Rule’s adoption in 2000, HHS made only one modification 2002 thus establishing it as one of the first information security and privacy regulations.

The Office of the National Coordinator for Health Information Technology (ONC) promotes healthcare quality by promoting health IT and establishing guidelines for electronic health records (EHRs) and securing ePHI to protect privacy.

Thus, while HIPAA and HITECH integrate with one another, they come with distinct foci. HIPAA focuses on protecting privacy and expands beyond information systems. Meanwhile. HITECH focuses specifically on information technology and preserving electronic information.

How HIPAA and HITECH Differ

While HIPAA and HITECH have many similarities, they also differ on several important details.

Although HITECH extended HIPAA, HIPAA remains focused on breach notification and privacy to protect against fraud and identity theft.

Meanwhile, HITECH distinguishes itself from HIPAA since it created restructured civil and criminal compliance penalties. Moreover, it extended the breach notifications requirement beyond covered entities and incorporated business associates.

Finally, from an information technology perspective, compliance managers should focus on the importance of effective encryption. Even should a malicious actor breach the ePHI, effective encryption mitigates rule violations. Thus, if the encryption effectively makes the information unreadable, the organization breached may not be fined.

However, proving effective encryption additionally means being in compliance with the NIST Federal Information Process Standard. Thus, healthcare regulatory compliance requires understanding your organization’s IT architecture.

How HITECH’s Compliance of Medicare and Medicaid Impact HIPAA Business Associates

Understanding healthcare regulatory compliance requires understanding overlaps between business associates, their information, and how that can impact the overall supply chain.

The definition of Business Associate incorporates and person or entity not covered entity’s workforce member who provides services to or performs functions or activities for a covered entity.

Traditionally, the Omnibus Rule’s definition of Business Associate brings healthcare management companies, healthcare plans, and healthcare payment organizations under the arc of HIPAA and HITECH. However, for those working with Medicaid, additional services may be incorporated under these compliance requirements.

For example, HITECH and HIPAA consider Medicaid’s Non-Emergency Medical Transportation (NEMT) to be a Business Associate under the Omnibus Rule. Thus, despite being nothing more than a network of transportation brokers, information collected remains subject to these healthcare regulations.

Thus, organizations need to determine their location in the supply chain to ensure no HIPAA or HITRUST violations as well as to decide whether or not they want to assume the regulatory compliance risk if they choose to scale.

What the Board of Directors Needs to Know

Organizations looking to shift into the healthcare sector need to ensure that their Board recognizes the compliance implications. Providing the appropriate level of Board oversight requires visibility into both the healthcare landscape as well as the organization’s current compliance environment. Moreover, should an organization decide to incorporate healthcare providers or their vendors as part of its business plan, the Board of Directors needs to understand how they fit into that supply chain.

Under HIPAA, vendor risk creates corporate risk. Thus, whether your company sits at the top of the supply chain, in the middle, or at the bottom, any interaction with HIPAA regulated entities means you need to be compliant also.

Thinking about HIPAA and HITECH violations as dominoes in a row, if one domino falls so do all the others. Thus, vendor management’s importance may increase if you decide to expand into the healthcare industry.

How Automation Eases the Healthcare Regulatory Compliance Burden

ZenGRC’s SaaS platform enables organizations to visualize compliance gaps. Regulatory compliance no longer needs to act as a barrier to new markets. As you map controls to a particular standard or framework, ZenGRC allows you to assign that control to other standards or frameworks that it satisfies.

The first step for successful implementation of the Health Information Trust Alliance Cybersecurity Framework (HITRUST CSF) is to engage in a CSF Self-Assessment with the help of a CSF assessor. CSF assessors are consulting firms that HITRUST approved to perform the assessment. Using this information, you can gauge your system and regulatory requirements to help determine your risk and scope.

For example, an organization currently ISO 27001 compliant may be using a firewall. If you choose to incorporate PCI DSS compliance, a firewall is also an accepted control. Assuming that you want to expand to acting as a healthcare provider payment processor, you need to determine whether this control maps to HIPAA and HITECH compliance.

Once you set up your controls in ZenGRC, it automatically maps current controls to new standards as you add them. This means that your ISO 27001 controls will be mapped to your new PCI DSS compliance framework. All you need to do now is determine what additional controls you need to incorporate.

The HHS Office of the Inspector General (OIG) offers a guideline that discusses all the parties involved in your compliance efforts, from your employees to your Board of Directors. Automation helps you better communicate with your organization’s various stakeholders, providing them with the right information for their needs.

A HIPAA compliance audit is similar in that an audit management software that provides a single source of truth can help you save time. Saving time saves money because your employees can focus on securing your environment.

With an automation tool like ZenGRC, you can monitor your compliance while storing all your necessary documentation in one place.

ZenGRC’s compliance management software provides a risk dashboard that gives insight into the effectiveness of your ongoing monitoring so that you can meet internal audit standards.
Not only does this simplify incorporating new standards into your overall landscape, but it also means that you can expand your business into revenue streams that seemed too onerous before.