Privacy management and breach prevention are growing in complexity.
The scope of data privacy includes protected health information (PHI), proprietary organizational data, and personally identifiable information (PII). Because healthcare is patient-centric, providers must plan for an increase in privacy concerns and complaints, and every issue and complaint must be handled swiftly and with care.
Information is an organization’s most valuable, non-human asset.
The rising number of incidents shows why organizations must remain vigilant about all cyber risks, including those unrelated to medical information. It is easy to focus exclusively on protecting the electronic health record (EHR) or claims data. Don't forget to assess and implement safeguards for other valuable information assets, including business-critical systems that hold employee information or confidential proprietary information.
Central to our services is providing the knowledge you need to stay abreast of changes that impact your privacy program. Today, every organization needs a privacy officer who understands security safeguards. According to the Ponemon Institute/IBM Security 2019 Cost of a Data Breach Report, the average cost of a healthcare data breach in the United States is $15 million, or $429 per record. The time it takes to process and recover from a large breach can be overwhelming for most healthcare organizations.
Privacy and breach management services:
- Virtual Privacy Officer/Interim Privacy Officer
- Privacy and breach compliance program development and/or review
- Policy and procedure development (privacy, security, breach)
- Patient Right to Access evaluation
- HIPAA educational presentations (with an assessment of learning and tracking log)
- Business Associate Agreement review and vetting of business associates' compliance levels
- Breach response planning
- Breach management consulting review and support
- Post-breach documentation support
- Office for Civil Rights (OCR) audit preparation – mock or focused audit
- General Data Protection Regulation (GDPR) compliance support
- California Consumer Privacy Act (CCPA) program support
Patient Access – A patient has the right to access their health information.
The number one complaint the Office for Civil Rights (OCR), the HIPAA enforcement agency, receives from patients is that providers and payers are not giving them access to their medical records. From a patient's perspective, the request is simple. Today, most of us rely on quick text-based communication rather than a phone call, fax, or email.
For years, OCR enforced the Right of Access largely by counseling entities on their obligations to get patients their health data (OCR calls this providing "technical assistance"). In early 2019, OCR confirmed that one of its top policy initiatives is to enforce the rights of patients under the HIPAA Privacy Rule so that patients are given access to their health information at a reasonable cost. In 2019, in short order, OCR announced two enforcement actions that resulted in fines and corrective action plans. Each alleged violation involved a combination of the following: a delay in providing records to the patient, failure to provide records in the requested (electronic) format to the patient's third-party designee, and unreasonable fees.
Engage tw-Security to provide insight into your program.
Engage tw-Security as “fresh eyes” to evaluate your processes, policies, and strategic and remediation plan. The following are key elements of our patient access evaluation.
- Conduct a complete review of your Release of Information (ROI) workflow and policies related to requests for access to / copies of patient information
- Identify pitfalls and complications such as mental health records, substance abuse records, HIV status, family planning, and state regulations regarding minors
- Determine how easy it is for patients to request their records. What is the typical turnaround time? What is the communication process? How are requests prioritized and documented?
- Assess the EMR/EHR patient portal's capabilities: does it satisfy the requests patients typically make?
- Identify the organizational and operational risks and document the remediation business decisions
Privacy goes beyond HIPAA.
The role of the data privacy officer goes beyond the Health Information Management (HIM) department. tw-Security's experienced certified privacy professionals help establish a strong centralized data privacy management program with a governance structure that supports consistent practices across the organization, maintains regulatory compliance, and drives out inefficiencies.
Ensuring that the right people have the right access to the right resources at the right time is more important than ever, given the continual rise in cybersecurity threats, smart technology, and social media.
HIPAA Privacy and Breach Notification Rules – Two-page reference