Telemedicine Expansion Warrants Greater Controls to Ensure HIPAA Compliance

The July 12 CMS physician fee schedule and quality payment proposal to expand telemedicine reimbursement is good news for improving access to care, especially in rural communities. But as silos around healthcare and technology come down, cybersecurity risk grows.
Securing patient privacy and data will be crucial to healthcare companies in the age of digital health, and adopting a forward-looking, threat-based approach to cybersecurity will be key.
That means, first, assessing and taking ownership of your organizational DNA: the data assets and other intellectual property that make you unique, or a potential target. Owning your organizational DNA starts with information governance: identifying, managing, accurately categorizing, protecting and optimizing organizational data from inception to final disposition.
The next step is to factor in the threat environment to understand current exploits and the most targeted vulnerabilities. As of July 12, the U.S. alone has seen nearly 180 reported large-scale data breaches this year (those impacting 500 or more individuals), according to the U.S. Department of Health & Human Services. That number equates to 3.2 million patients impacted and spans 40 states.

In terms of breach types and locations of breached information, the biggest threats in 2018 have been unauthorized access/disclosure (77) and email (48), respectively.

That’s where the HIPAA Security Rule comes in. The rule provides the standards that must be applied to safeguard electronic protected health information (ePHI) against threats, hazards and unauthorized disclosure. The rule requires the implementation of administrative, physical and technical controls to ensure the confidentiality, integrity and availability of ePHI. Healthcare organizations and government contractors are also required to conduct a risk analysis and ensure they have reduced risk to an acceptable level.

Hybrid and traditional entities alike should consider using NIST security controls to enable HIPAA compliance.

In the latest BDO Knows Government Contracting Newsletter, BDO’s Maria Ramos, Eric Chuang and George Hondros outline how healthcare organizations can use NIST SP 800-66 r1 and NIST 800-53 r4 publications to pursue HIPAA compliance.