Lyniate Team

Privacy and Security: How to Make Sense of all the Regulations

August 21, 2013

It seems like not a week goes by without some organization being fined in excess of a million dollars for some type of PHI (Protected Health Information) security breach. The latest breach this week has to do with a leased photocopier. Apparently Affinity Health Plan, a New York-based managed care plan, returned a leased photocopier that contained PHI on the hard drive for up to 344,579 individuals.

According to an article by Healthcare IT News, “the investigation revealed that Affinity failed to incorporate the electronic PHI stored on photocopier hard drives in its analysis of risks and vulnerabilities as required by the Security Rule.” But which security rule? One would assume HIPAA. But could it be The Joint Commission, or Meaningful Use, or even State rules? And within all those rules, where does it spell out how leased equipment must be handled? And how many people must Affinity Health Plan have on staff to comb through all these rules and enforce them?

With 806 employees, Affinity Health Plan might have the resources to absorb the cost of continually monitoring and enforcing all the rules and regulations. But what about small healthcare facilities, or especially a solo-practice primary care physician? Trying to keep up with all the privacy and security rules, on top of all the other mounting overhead requirements in healthcare, is causing many healthcare providers to rethink their career path.

One organization that is gaining attention in the healthcare privacy and security area is HITRUST. At first glance, HITRUST appears as if it might be one more organization with additional rules and regulations regarding privacy and security policy. In fact, HITRUST imposes no new rules or regulations; rather, it consolidates 17 authoritative sources on privacy and security into one place.

HITRUST offers a tool called the Common Security Framework (CSF). The CSF can be used for self-assessment, or as the basis for certification by independent third-party auditors. One key aspect of the CSF is that it is flexible enough for small organizations to use.

It is these small organizations in particular that don’t have the resources to comb through all the rules and regulations themselves and don’t have the financial capability to pay someone to do it for them. The CSF self-assessment allows the little guys to use the tool and get feedback on how they are doing without sorting through all the regulations independently.

Maybe one of the reasons there are so many headlines about privacy and security breaches is because the number of sources and the sheer volume of rules makes it an almost insurmountable task for healthcare facilities to do their due diligence. Should Affinity Health Plan have known that they were liable for leased equipment, or that those copiers were storing scanned images indefinitely?

PHI is very important to protect. But the industry needs concise and clear guidance on privacy and security policy – something a small practice can get their hands around. Is HITRUST the solution? It seems like a good start.
