Gerry Blass, President & CEO, ComplyAssistant
Ken J. Reiher, MBA, Vice President Operations, ComplyAssistant
What Healthcare Organizations Should Prepare for in the Next Decade
Over the course of 2019, we covered a variety of security and compliance topics, including security risk audits, HIPAA compliance, employee compliance training, and executive leadership and IT governance.
Though these issues are still relevant going into a new decade, we predict a renewed – or even evolved – outlook on four specific areas of security and compliance strategy.
1) The definition of protected data will expand much further beyond PHI.
In 2019, we talked with a panel of our clients about how protected health information (PHI) is often hidden from plain sight, may not be as protected as we think, and therefore can be a high financial risk.
As an industry, HIPAA has trained us to focus heavily on protecting PHI, an extremely important endeavor that requires continued efforts. However, as healthcare technology evolves, we see a need for healthcare organizations to expand their protective shields to include more than PHI.
PHI is not the only type of information subject to breach; other types of data are increasingly valuable to attackers. Going into 2020, we recommend that healthcare organizations create purposeful protection around:
- Personally Identifiable Information (PII)
- Payment card data covered by the Payment Card Industry Data Security Standard (PCI DSS)
- Intellectual Property (IP)
- Business Intelligence (BI)
2) Scrutiny of business partners will become even more rigorous.
Before the digital evolution of healthcare, partnerships with vendors were based on a handshake. In 2018, an astounding 20% of healthcare data breaches occurred via third-party vendors. Healthcare organizations have complicated business associate agreements (BAAs), which are in part meant to hold third parties accountable for how they use, store and share protected information, but a BAA is simply a piece of paper. How do you make sure the business associate actually complies with the agreement?
In 2020 and beyond, we anticipate that healthcare organizations will:
- Expand their definition of what constitutes a business partner to include:
  - Vendors
  - Third-party organizations
  - Covered entities
  - Downstream business associates
- Create even more rigorous safeguards to ensure that all of those business partners comply with security and compliance processes and procedures.
3) The sharing of health data will underscore the need to update HIPAA.
Though CMS changed Meaningful Use to Promoting Interoperability nearly two years ago in part to “emphasize interoperability through measures that require the exchange of health information between providers and patients,” recent news about sharing of patient data has spurred many conversations about how that data can and should be used by third parties.
HIPAA was enacted in 1996. While it may be hard to believe, that was 23 years ago. The current regulations in the final Omnibus rule were issued nearly 7 years ago, and they do not address new uses of data or new entrants to the market. We find that healthcare providers are seeing an increase in inquiries from patients who wonder where their data is going, and which regulations allow patients to know who has access to their data.
4) Resource-strapped IT teams will need more help.
In-house IT, compliance and security teams already deal with knowledge, resource and funding shortfalls to manage security and compliance. With new technologies, new threats and a potentially expanded domain (as per points 1 and 2 above), how will healthcare organizations handle it all?
We anticipate that providers and systems will need to supplement in-house expertise and hands-on work with outside resources, including healthcare compliance consultants and virtual CISOs.
Since security and compliance budgets are often low on the priority list, forgoing full-time employees in favor of temporary or project-based subject matter expertise is an appealing lower-cost option.