Compliance Climate & On-Demand HIPAA Real World Scenario

by Kent Roberts (41 posts) under Healthcare IT

Introduction – rising pressure

The pressure on healthcare providers, plans, and clearinghouses is mounting. Data Privacy Monitor reported in June 2014 that HHS (Health and Human Services) enforcement was expected to increase, per a comment made by a legal official at a local meeting of the American Bar Association held in Chicago.

Jerome B. Meites, who serves as Chief Regional Counsel for the Office of Civil Rights (OCR – the HHS branch that regulates and monitors HIPAA compliance) stated in an interview with Law360 that policing would be increasing astronomically. Between June 2013 and June 2014, $10 million in fines were issued by the agency. Although millions had been paid out YOY (year-over-year) by firms in violation of the law, Meites said the level of punitive actions against healthcare organizations during that period would “pale in comparison to the next 12 months.”

The attorney mentioned that the rise in EMR-related fines was in large part an effort to set precedents for the lack of tolerance the federal government has regarding privacy and security violations. Meites referenced a comment made by Leon Rodriguez, the head of the OCR, when the Final Rule was publicly introduced. Rodriguez wrote that the adjustments to the Privacy Rule and Security Rule (the fundamental elements of compliance for most healthcare companies) would expand “the ability of my office to vigorously enforce… protections.”

Common Violations

This crackdown is making healthcare firms around the nation nervous about whether all of their systems are fully secured and error-free. To help you avoid some of the most common violations in clinical documentation, here are nine of them, supplied by New England Medical Transcription:

  1. CCing an incorrect party to an email that includes patient data
  2. Choosing the incorrect patient name
  3. Choosing the incorrect dictator
  4. Selecting the incorrect ID or number of the subject, EMR, or account
  5. Supplying the incorrect practitioner name
  6. Offering PHI to a third party without a legitimate explanation
  7. Delaying or neglecting to notify the company’s compliance officer when a possible data breach occurs
  8. Discarding patient information inappropriately
  9. Accessing EMR without a reasonable explanation

On-demand real world scenario

The following transcript is based on an interaction between one of our hosting consultants and a client interested in our healthcare compliance solutions. Note that despite our inability to meet the specific request of this company, we do currently have private cloud plans for HIPAA clients.

Consultant:

Welcome to Atlantic.Net. Please tell us about your hosting needs.

Client:

We create and manipulate large SQL databases with trillions of rows from millions of patient records. Therefore our work is all performed on HIPAA Compliant Servers. Our current vendor is XXX. We are looking for on-demand power for 6-12 contiguous hours consisting of 1000 cores, 512 GB RAM, and SSD storage of about 200 GB. Aside from the burst needs, which occur about once a month, we need about 12 hours a day / 30 days a month / 12 months a year of power consisting of 16-32 cores, 64-128 GB RAM, and 200 GB SSD storage.

Backup is needed as well. Please provide quotes on monthly fees.

Consultant:

Thank you for contacting Atlantic.Net concerning your HIPAA compliant hosting requirements. Atlantic.Net provides HIPAA hosting platforms based on Private Dedicated Hardware. We unfortunately cannot provide any type of On-Demand HIPAA hosting solution. Your requirement for On-Demand services would only be possible by using a Cloud Hosting platform. We do not consider that type of platform to be HIPAA compliant and cannot issue a BAA (business associate agreement) for it.

If you want us to provide you with a proposal based on a HIPAA platform that has fixed resources, we can do so.

Client:

Can you explain this a little further please? I’m trying to figure out why I can’t get healthcare hosting that has the same characteristics as other systems.

Consultant:

We currently provide on-demand hosting for clients that require a non-compliant platform, hosted in our SSAE 16 data center in Orlando, Florida. Those customers experience a distributed computing model with an array of computing nodes that interconnect in an industrial-grade fashion.

We have the capability to do the same for HIPAA clients and create large private clouds, but the HIPAA market is in its infancy – not yet at a point where we could make developing such systems a priority. At some point in the future, as demand grows, this could become a reality.

The future of computing is on-demand, but our focus is to provide it to the wider market – at least for now.

Client:

Thank you. Please send me information on your fixed resource plans.

Healthcare virtualization

For those seeking virtual solutions for HIPAA Hosting, we recommend our private virtualization configurations. Complete Healthcare Solutions VP Joseph Nompleggi said that his company chose to work with ours because of its confidence in our “financial strength and proven track record.” Get your proposal today!
