Although it's been about 18 months since the HIPAA Omnibus Rule went into effect, many healthcare organizations are still struggling to comply with certain provisions, says security expert Tom Walsh.
One challenge involves getting various vendors to sign off on, and completely understand, updated business associate agreements that spell out their direct HIPAA compliance liability under the rule, says Walsh, founder of the consulting firm tw-Security.
Because a covered entity, depending on its size, may work with hundreds of vendors that have access to protected health information, getting all those business associate agreements signed "just takes a long time," he says in an interview with Information Security Media Group at the HIMSS 2015 Conference in Chicago.
Many covered entities also are having trouble complying with a HIPAA Omnibus provision that requires organizations to accommodate patients' requests to not disclose to their health insurer information about a product or service that they paid for out of their own pockets, Walsh says. "The electronic health records systems are not set up to do this," he says. "In fact, every organization I've spoken to is struggling with this."
Walsh says some organizations have been attempting to comply with the out-of-pocket provision by "flagging" the cash payment in their admissions-discharge-transfer modules. But other entities "downstream" that have access to patient information may not know that that information shouldn't be released to insurers, he notes.
In the interview, Walsh also discusses:
- How healthcare entities can improve oversight of their business associates;
- They best way for healthcare organizations to move beyond the HIPAA-compliance mindset to more robust information security programs;
- The most important lessons the healthcare sector should learn from recent mega-breaches, including the Anthem Inc. hacker attack.
Walsh is founder and president of tw-Security, an Overland Park, Kan.-based firm that advises healthcare organizations on risk management strategies. He has more than 22 years of information security experience. Walsh is also a frequent speaker at conferences and is the author of four books on healthcare information security.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.