Posted May 1, 2014
In Response To Recent Rash Of HIPAA Violations And Fines - IT Expert Ryan Rosencranz Explains What To Look For When Hiring A HIPAA-Compliant IT Provider
HIPAA violations are ruining companies both from a financial and from a reputation standpoint. Headlines like “Group slapped with $6.8M HIPAA fine” and “HIPAA data breaches climb 138 percent” have decision-makers at these firms scrambling to protect themselves from becoming the subject of one of these articles.
But where do they turn for a solution? Most HIPAA-covered organizations cannot afford their own dedicated IT department and have to rely on contracted IT service providers for their IT support. However, the Fourth Annual Benchmark Study on Patient Privacy and Data Security found that 40 percent of healthcare providers are “not confident” in the ability of their contractors and subcontractors to manage sensitive patient information.
If you are a covered entity, how do you find a provider you can trust, and what criteria can you use to select one?
We asked Ryan Rosencranz, owner of FullScope IT, a trusted Baltimore area Managed Service Provider specializing in HIPAA-compliant IT solutions, to give us some suggestions.
Ryan started off saying, “My advice to anyone managing a healthcare practice is to look at the reputation and track record of each IT company they are considering to manage their IT systems. Do they have any other HIPAA covered entities as clients? How many? How long have they been providing HIPAA-compliant solutions? Have any of their clients been cited for HIPAA violations? Has the IT company ever been cited?”
“Then I would ask what tools, both technical and non-technical, they have to audit HIPAA compliancy. Make sure they are willing to help you develop and enforce strict HIPAA-compliant IT policies within your organization, especially in regards to secure remote, protecting backup data, and the use of mobile devices, which seem to be the weakest link for HIPAA covered entities. This includes providing the tools to encrypt backup data and laptops as well as the ability to remotely lock, locate and even wipe clean the data on mobile devices in the event they are stolen or lost.”
In a recent HIPAA violation case, the HHS Office for Civil Rights has settled with two organizations for a combined $1,975,220 penalty after their unencrypted computers were stolen.
Rosencranz emphasized, “You should also have any candidate IT provider detail for you what policies and procedures they have in place to ensure their own HIPAA-compliance. The rigor of their own HIPAA-compliancy will be a good indicator of the professionalism and attention to detail they will exercise when taking care of yours. In addition to a compliance monitoring and reporting process, they should be doing a complete self-audit at least quarterly.”
In fact, the HIPAA evaluation standard, § 164.308(a)(8), does require covered entities, including IT service providers responsible for sensitive patient information, to perform a periodic technical and non-technical evaluation that establishes the extent to which the entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or audits. Most small to medium healthcare providers outsource the evaluations because they simply don’t have the resources to perform them themselves.
But Rosencranz cautions, “While most IT services are seen as price-driven commodities, HIPAA compliance support is not the area of your business where you want to be bargain shopping. A thorough baseline HIPAA Audit, when done right, is a very intensive process and should run about $1000 for a small medical office and up to $5000 for a large multi-doctor location. Then quarterly audits should run around half those prices. That might sound like a lot of money, but having correctly documented, third-party HIPAA-compliancy audit reports in place will prove invaluable if your entity is ever investigated for liability or willful neglect in a suspected breach of sensitive patient data.”
In closing, Ryan told us, “I have to admit I was very surprised and concerned when I first saw the results of the Benchmark Study on Patient Privacy and Data Security. The fact that 4 out of 10 healthcare providers don’t trust their contractors and subcontractors doesn’t reflect well on the IT industry. In fact, I started calling my HIPAA-compliancy clients right after I saw the study results just to do a client climate survey and address any concerns they might have. Fortunately for us, all the clients I got a chance to speak to confirmed that we have their full trust and confidence. I can’t say why other healthcare professionals don’t have the same level of trust in their IT providers. I just know there are reliable IT service providers who can provide superior HIPAA-compliant IT support for healthcare providers and other covered entities. You just need to know what to look for and what questions to ask.”
To find out more about Ryan Rosencranz and his IT company, visit www.fullscopeit.com.