Healthcare and Its Regulatory Burden
Healthcare data is among the most sensitive and most heavily regulated data in business today. GRC Labs helps healthcare providers protect protected health information (PHI) and comply with industry regulations such as HIPAA.
The healthcare sector is under enormous pressure to cut costs and streamline operations. Government agencies and private insurers want to reduce their expenditures on medical costs, period. They also want outcome-based care, where medical firms are paid for the quality of care they dispense, not the quantity of it.
Cloud-based IT can serve both goals. Healthcare providers can abandon paper-based records in favor of online records management. Those records, in turn, can be made securely available wherever they are needed. That means medical professionals themselves can be more mobile, giving healthcare providers more flexibility in how they deliver care. Telemedicine can bring far-away expertise to wherever the patient is. Billing and insurance claims can be managed online, accelerating payment cycles.
The federal HIPAA law requires any business dealing with PHI to protect it. PHI is defined broadly: any information about a person's health status, the care a patient receives, and payment for health services.
Meanwhile, healthcare organizations routinely collect data such as name, age, medical history, medications or other treatment received, and payment information. Healthcare businesses also strive to give patients online access to medical records, appointment scheduling, and similar services. That means "customer accounts" for patients, where the healthcare provider manages user IDs, passwords, and possibly location data.
Beyond HIPAA, firms working with PHI also have breach disclosure laws to obey at the state level, should patient records ever be exposed.
Compliance Objective
Firms handling medical data must ensure compliance with privacy and security rules from the moment a piece of PHI is created. In a major healthcare system that relies on cloud-based services, that means the system must:
Assess their breach detection capabilities and responsibilities.
Remediate weaknesses, either through security patches to software or through changes to data collection practices.
Be able to report those risk assessments and remediations to other parties as necessary.
Identify non-compliant data management behaviors (say, failure to encrypt data before sending it to the cloud).
Map progress on those remediation efforts.
Integrate new threats or updated regulations into the compliance program as they arise.
HIPAA itself only tells firms the compliance objectives they must achieve, not how to achieve them. HITRUST, a consortium of healthcare businesses, has worked to map HIPAA requirements to the Common Security Framework, a standardized assessment and certification program. The HITRUST framework can also be mapped to other frameworks such as NIST, PCI, or COSO.