Total Pageviews

Monday, July 01, 2013

Cloud Computing Meets HIPAA Omnibus Rule

This provider checklist will get you on board with your looming compliance deadline

By Frankie Rios, CCISP

Posted on: June 24, 2013

Cloud computing and storage is an undeniable migration path and IT strategy. Overall spending on cloud technology is expected to reach an estimated $150 billion annually by 2014, according to a recent Gartner Group study. And within healthcare, 35 percent of health IT professionals surveyed said their organization was implementing or maintaining cloud computing in 2012, up from 30 percent in 2011 according to a new survey by Vernon Hills, Ill. technology vendor CDW.

However, not every software application in healthcare is a candidate for moving to the cloud. And many old myths about cloud computing and cloud storage continue to confuse both covered entities (CEs) and business associates (BAs).

The HIPAA omnibus rule, released in January 2013, helps to confirm the key areas of protected health information (PHI) privacy and security focus for cloud-based solutions in healthcare. The rule gives healthcare organization a checklist for cloud computing. Compliance with these changes goes into effect this month (March 2013) with full enforcement in September.

Cloud Criteria #1: Risk Assessment
In order to protect themselves, covered entities should perform a risk analysis on all potential cloud vendors. The risk assessment should include policies, privacy and security awareness training, account management, physical security, business continuity, incident response and media disposal.  Maintain assessment documents and vendor responses for six years and have them readily accessible should Office of Civil Rights auditors come knocking.

Cloud Criteria #2: Contracts
Review your existing Business Associate Agreements (BAAs) with cloud computing partners and ensure they are updated to comply with HIPAA omnibus. For example, contract language should be specific as to the service, usage and location of the data to be stored in the cloud.

For cloud-based partners using multi-tenant hardware, specific technical and procedural controls for sequestering information by CE or BA should be stated and included in contracts. An indemnity clause must be included stating that the cloud vendor carries enough insurance to cover a breach.

Clout Criteria #3: Audit 
Know if the existing or potential cloud vendor has been audited. Do they have a current SSAE report? If there were findings, is there a documented remediation plan? Are regular, internal audits conducted, and is the cloud vendor willing to share the results?

Cloud Criteria #4: Encryption
Does the vendor provide encryption for the communication of information and the data at rest? Encryption is the best way to protect data and prevent breaches. HITECH requires that communication pathways and data storage devices are encrypted.  Ask cloud vendors to define their encryption methodologies for both.

Cloud Criteria #5: Business Continuity
Business continuity has always been a must have with cloud-based solutions. Some of the new omnibus requirements make it even more important for CEs and BAs. Questions to answer include:

  • How redundant is the vendor's power?
  • How many power feeds does the vendor utilize?
  • How many internet feeds?
  • How often do they perform tests of their systems?
  • Do they keep their equipment sufficiently maintained?

Cloud solutions will keep your PHI private, secure, safe and compliance with HIPAA's omnibus rule. Your effective due diligence ensures that they do.

5 Key Changes Under HIPAA Omnibus Rule
Here are important changes under the HIPAA Omnibus Rule:

1.  Business associates of covered entities are now directly liable for compliance of certain privacy and security rules.
2. The rule strengthens the limitations on the use and disclosure of PHI for marketing and fundraising, and it prohibits the sale of PHI without individual authorization.
3. It adopts the increased and tiered civil monetary penalty structured by the HITECH Act.
4. It mandates breach notification for unsecured PHI under the HITECH Act.
5. It modifies the HIPAA privacy rule as required by the GINA (Genetic Information Nondiscrimination Act), prohibiting health plans from using or disclosing genetic information.

Posted by at
Labels: , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

A Flowchart for Choosing Your Religion

A Flowchart for Choosing Your Religion

Looking for a JOB - How to Be the Next Hire

Making You the Most Viable Next Hire
Being flexible, creative and adaptable in today’s economy is the cornerstone to survival. The job search is no different and, with unemployment rising, requires just as much vigilance. One way you can keep your options open and make yourself even more marketable is by considering Consulting in addition to your quest for full-time employment. Often perceived as an “either-or” scenario, Consulting offers you just as many benefits as it does your “would be” employer:

Track record of Fixing Problems?
Career wise, people typically fall into one of two categories: those who thrive on problem solving and the prospect of a new challenge –or- someone who is exceptionally good at steering the ship once it is on course. If the thought of fixing something that is broken appeals to you (versus has you thinking about reaching for the Tylenol), then Consulting might be an avenue to explore.

A More Flexible Interview
Quite often, what a company needs is someone to tackle a specific problem, not a new full-time employee. Identifying this in the interview and being able to present yourself as the solution to their problem (at a lower cost), can ultimately create a job tailor made for you and your skill set. No one can compete against that.

Dating Before Marriage
A consulting engagement can give you the opportunity to see if this company is a nice place to visit or a great place to live. The only thing worse than a prolonged job search, is ending up in a position that results in you being unemployed again in 6-12 months. Consulting lets you do more due diligence than you could ever accomplish in an interview.

“Consulting” on Your Resume
To many recruiters, seeing “consulting” as your current role without any clients/engagements is just a way to dress up being out of work. But, with a list of key accomplishments at those engagements, you show that you are in demand, have more control over your search and are broadening your experience. The latter is extremely important if you are looking to transition industries.

Change Agent
For companies looking to make some sort of change internally (and you should like this if you have a track record of fixing problems), consulting is a more preferred approach versus hiring a permanent employee. It is much easier to come in as a consultant, effect the course correction and then hand it off to the internal leadership.

Money
Besides the obvious benefit of having income during your search, it also gives you breathing room to be more objective in selecting your next job.

It’s Easier to Find a Job When You Already Have One
So much of what makes this true is that fact that when you are employed, you tend to be a bit more objective because you have a “bird in hand.” Consulting (in addition to easing that financial strain, which helps here) can provide the self-assurance that comes along with being employed, which can get whittled away while unemployed.

Presenting yourself as a viable consultant or full time employee isn’t mutually exclusive. Rather, they are simply two sides to the same coin. For the companies where you interview, this will only make you more viable and versatile in your eyes. For you, there is nothing to lose. The worst thing that happens here is you generate some income to inevitable financial strain of your job search. On the other hand, you might just find through this process that you discover your next career move.

Bağdat Caddesi

Gel de parmaklara hakim ol, yapma bir Caddebostan, Bağdat Caddesi nostaljisi şimdi!...diğer bir deyişle 'Karşı taraf' . Cok uzun seneler yazları gittiğim, son yıllarda ise her Türkiye'ye gittiğimde kaldığım Istanbul'un bir başka eşşiz köşesi.
1960'lı 70'li yıllarda köşkleriyle, bahçelerinden salkım salkım sarkan ortancalarıyla, billur gibi denizliyle, 'sayfiye' yeri olmasıyla meşhur Erenköy, Suadiye, Caddebostan.

Dükkanların az, ağaçların çok olduğu, bunca yıl geçmesine rağmen hala güzelliğini koruyan Bağdat Caddesi. On, onbir yaşımdan itibaren yazlarım geçti oralarda. Sokaklarda oynanırdı o zamanlar, öyle pek araba filan geçmezdi. Doyasıya bisiklete binilir, el birakarak gitmek büyük marifet sayılır Erenköy, Saskınbakkal, Göztepe bisikletle rahat rahat gidilir dönülürdü. Deniz için bazı sokakların denize vardıkları noktalarda bulunan kayıkhanelerden saatlik ücretle kayık kiralanır, kadın erkek kürek çekmeyi bilir, kayıktan denize girilirdi. Bazı gençler dalıp iskele ayaklarından midye toplar bazıları ise sığ kumda zıpkınla vatos avlarlardı. Sokaklardan dondurmacılar geçerdi o zamanlar. Simdiki gibi binbir çeşit ne gezer 'Dondurma, Kaymaaak' diye bağıran dondurmacının küçücük arabasında sadece kaymaklı ve limonlu dondurma olur, bazen ise çeşit olsun diye vişneli bulunurdu.

Caddebostan Plajı'nın yanı sıra bir de üyelikle girilebilen klüpler vardı. Marmara Yelken Klubü başta olmak üzere, Balıkadamlar, Caddebostan Yat Klübü ve İstanbul Yelken. Eğer bunlardan birine üyeyseniz veya üye bir arkadaşınız varsa bazı sporları yapma veya izleme olanağınız olur, voleybol, ping pong oynar, kıyıdan yelkenlilerin yarışlarını izlerdiniz. Denizin ortasında ise köfteciler vardı. Bunlardan aklımda kalanı ise mayomuzun kenarına sıkıştırdığımız parayla yüzdüğümüz, veya kayıkla yanaştığımız 'Fıştak'tı. Dönerken yüzülüyorsa demirlemiş kayıklara tutuna tutuna, dinlene dinlene yüzülürdü.

Akşamüstüne doğru herkesi bir 'piyasa' heyecanı alırdı. Saçlar yıkanır, bildiğımız ütüyle ütülenerek düzeltilir, ve (Bağdat) Cadde'ye binbir tur atmaya çıkılırdı. Bir aşağı, bir yukarı. Parkur ise genellikle Santral Durağı'ndan Saşkınbakkala kadardı. O zaman 'cafe' adeti bir elin parmaklarını geçmez, 'Borsa'da yer bulabilmek için hızlı davranmak gerekir, 'Divan' ise gençlere çok pahalı geldiğinden ancak hafif 'yaşı geçmiş'lerin duraklama mekanı olurdu. Hali varaba sahiakti oldukça yerinde olan birkaç genç ise bir aşağı bir yukarı arabayla giderek Mustang veya Corvette'leriyle gelene geçene hava atarlardı.

Geceleri ise açık hava sinemalarının keyfine doyulmazdı. Caddebostan'daki Ozan Sineması'nda genellikle Türk filmleri oynar, çıkınca biraz aşağıda, Caddebostan Maksim Gazino'sunun (MIGROS)yakınındaki büfe'de 'zümküfül' yenirdi (Bir çeşit sosisli sandoviç ) Yabancı filmlerin mekanı ise Budak Sineması'ydı (Şimdiki CKM). Yastıgını kapıp tahta iskemlelere yerleştirdikten sonra, çekirdeğini çıtlatarak izlenirdi filmler. Bazen bu sinemalarda Cem Karaca gibi o zamanın ünlü sesleri konserler verir, bazıları ağaç tepelerinden konser izlerdi.

Sonra sonra o köşkler birer birer yıkılmaya, yerlerin uzun uzun binalar dikilmeye, Cadde'deki evlerin yerlerini dükkanlar almaya, arabalar çoğalmaya, faytonlar yok olmaya, tekerlekli dondurmacıların yerini Algida'cılar almaya başladı. Ama ne mutlu ki tüm büyümeler, kalabalıklaşmalar rağmen 'Cadde'yi bozmayı başaramadı! O hala 'Cadde', İstanbul'un ,Türkiye'nin en güzide caddesi hala boydan boya yürümekten zevk aldığım, bir yerde oturup geleni geçeni izlemenin keyfini her yıl bir iki hafta yaşayabildiğim bir yer.

Galata' ya dogru...

Galata' ya dogru...

The best way to improve health care requires physicians and other stakeholders

My honest approach for how to improve the care is to support a methodology such as being self-serving. I would like to start a program to introduce a software-based point-of-care tool for obtaining patient feedback. This real time information can be used with clients to positively impact the patient experience, nurse engagement, physician (soft skills) competence and overall quality. In my perspective the criteria for fulfilling the demand for finding the best way to improve healthcare is that it need be simple to implement, impactful and cost effective. The most impact to healthcare improvement will come from process improvement and healthcare provider recruitment AND retention. The by-products will be reduced cost of care and improved patient satisfaction. This applies to hospitals and private practices. Based on current studies and the economy, supplying adequate healthcare to the community is already tough and is going to get more challenging. Recruiting sufficient healthcare coverage will boost revenue and provide some improvement to patient satisfaction (wait time and access). However, failure to retain the medical staff will significantly hurt the outcome. With high demand and low supply, it will be well worth the time and money to present "we have the greenest pastures here". The method mentioned above may be called such as point-of-care through successful implementations that may turn in to popular key parts of process improvement. You need to have some feedback from the patients and the physicians in order to measure the processes that should be or are currently being improved. In order to achieve this you have to create the acronym HOSPITAL to help those in Healthcare recall the numbers of different types of inefficiencies in any medical facility. Those who have been exposed to Six Sigma and Lean have an appreciation for improvement opportunities and generally view things through differently trained eyes that can see within all those facilities. Publishing the results of the similar programs online may offer a transparent access to the consumers to monitor these inefficiencies. Welcoming any feedback relative to this and encourage your staff to consider this method or similar training methods for their teams will be highly critical for the outcome. We have to understand that it is impossible to solve a problem that we are unaware of. By providing even the most basic tools at the lowest level possible, these problems have a way of surfacing. While everyone recognizes that healthcare systems and organizations need to improve, I think not enough time is spent on firstly identifying the key stakeholders, and secondly properly ENGAGING them. I strongly believe that not enough time is spent trying to engage physicians in this process. In my experience too many of these "improvement strategies" are top-down decisions by non-clinical managers who failed to conduct any research into what physicians might want or what stumbling blocks there are/were to get them to adopt the new technologies. EMR/EHR/CPOE are prime examples - all of these require a breakdown in the normal activity flow of providers, as it requires them to either find and log on to a terminal or carry a bulky instrument. Almost all clients and colleagues I have worked with resent and resist those methods. And look how few MDs are part of Healthcare consulting firm teams. IMHO, I believe more energy should be spent engaging rather than alienating MDs as a first step, then doing the same for patients in order to get buy in from the two key stakeholders as I see it. I've always found that engaging these stakeholders on projects from the beginning results in more buy-in and most importantly, better recommendations/outcomes (a better product).

ULTIMATE RESULTS

ULTIMATE RESULTS

Ilhan Arsel

Ilhan Arsel

BJK FOREVER

BJK FOREVER
Karga kartalların sırtına oturur ve boynunu ısırır. Kartal cevap vermez, kargayla savaşmaz; kargaya zaman veya enerji harcamaz, bunun yerine sadece kanatlarını açar ve göklerde yükselmeye başlar. Uçuş ne kadar yüksek olursa, karganın nefes alması o kadar zor olur ve sonunda karga oksijen eksikliği nedeniyle düşer. Kartaldan öğrenin ve kargalarla savaşmayın, sadece yükselmeye devam edin. Yolculuk için gelebilirler ama yakında düşecekler. Dikkat dağıtıcı şeylere yenik düşmenize izin vermeyin....yukarıdaki şeylere odaklanmaya devam edin ve yükselmeye devam edin!! Kartal ve Karga dersi