Risk managers need to closely examine what happens to data handled by their organization and its business associates in order to ensure compliance with the HIPAA omnibus final rule. That is the view of Maureen Kaplan, sales director, healthcare, for Verizon.
“Risk managers need to have a thorough understanding of where their Electronic Protected Health Information (EPHI) is today inside their organization,” she said.
“That first step is critically important because so many healthcare companies I’ve talked to today feel as though they have a good sense of where their private information is and the controls around it, and when you dig in a little deeper, you start to realise that that sense of control of their data may not be as rock solid as they think.”
A vital next step is to cross-reference the new HIPAA omnibus ruling against every vendor that touches the EPHI. If storage is involved, and if there is any kind of modification to that data, then the vendor must have a business associate agreement.
Having identified where your organization’s PHI is and the vendors associated with it, it is important to verify that a business associate agreement is in place. Kaplan believes that rather than viewing the omnibus ruling as yet another layer of regulations, risk managers should embrace the tighter controls as a tool to help their businesses perform more effectively.
“Having this ruling has given companies a reason to go back and look at where their controls are and implement changes for the future that are ultimately going to make their business stronger and more efficient,” she said.
“It’s an opportunity to put some business context around why risk management is so important for a business and to use it as a chance to open up conversations that may be a little stale or may have never taken place at all. It’s something that’s out there and so we should all be embracing it and allowing it to make our businesses better.”