Editor’s note: Halina explains the essence of healthcare software compliance and lists data security measures that help to achieve it, including data access control, infrastructure security audit, and more. If you need guidance on your healthcare organization’s compliance or would like to implement secure and compliant medical software, you are welcome to turn to ScienceSoft's team for healthcare IT consulting.
At the federal level, organizations like the Occupational Safety and Health Administration (OSHA), Department of Health and Human Services (HHS), and Office of the Inspector General (OIG) oversee healthcare providers’ compliance with relevant standards and regulations. The HHS Office for Civil Rights enforces the Health Insurance Portability and Accountability Act (HIPAA). Title II of this act describes policies and procedures for maintaining the privacy and security of patients’ and medical staff’s personal information by the healthcare provider and affiliated business entities. Penalties for information security violations by organizations operating in the medical industry range from $100 for an "unknowing violation" up to $1.5 million for "willful neglect".
At the healthcare organization level, a board of directors usually creates a dedicated compliance committee or hires a healthcare compliance officer to oversee compliance. The role of such professionals is to ensure that the healthcare organization conducts its business in full compliance with state and federal laws and regulations applicable to the medical industry, as well as the internal standards of the organization. The overall need for compliance officers is forecast to grow by over 8% from 2016 through 2026.
An estimated $2.6 billion loss was attributed to healthcare fraud and abuse in the fiscal year 2019 alone. This is not limited to billing for services that were never provided: the recoveries also included billing for mutually exclusive services, medically unnecessary services, etc. The compliance committee needs to ensure that the healthcare provider is not violating the False Claims Act and to facilitate the establishment of trusted billing protocols.
Often, healthcare organizations establish partnerships with healthcare clearinghouses that check medical claims for correctness before submitting them to insurance companies. As healthcare clearinghouses handle PHI, they must also comply with HIPAA.
During the reimbursement procedure, an error may provoke the disclosure of patients’ personal data to third parties. For example, a few years ago in New York, more than 500 people were affected by the misuse of their Protected Health Information (PHI). The health insurance subcontractor had a software error that caused rejection letters (including people's names, addresses, diagnoses, etc.) to be sent to the wrong patients.
Software used by healthcare organizations should provide data encryption capabilities to prevent unauthorized parties from altering, destroying, or profiting from sensitive information. It’s important to take into account that encrypting data at rest can reduce the performance of a healthcare application; encrypting at the file level or block level mitigates this overhead. Encrypting data in transit has no performance impact that users would notice.
Restricting access to medical applications by the "roles" of users (for example, administrator, patient, doctor) helps protect the personal data of patients and medical personnel from access by unauthorized users. Within a role, different access rights can be applied to patients and medical personnel: each user gets full or limited rights to read, modify, delete information, etc. User authentication verifies a person’s identity before granting access to ePHI (using passwords, sign-in codes sent to a smartphone, etc.).
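The role check described above, as an added example that is not part of the original article or of any ScienceSoft product. The roles, the `rolePolicy` table and the sample users and record are constructed for illustration; the point it demonstrates is that a role permission alone is not enough, so every decision also applies a scope rule (a patient sees only their own record, a doctor only records of patients on their care team) and produces an audit entry for both allowed and denied attempts.

```go
package main

import (
	"fmt"
	"time"
)

// Action is an operation a user attempts on an ePHI record.
type Action string

const (
	Read   Action = "read"
	Modify Action = "modify"
	Delete Action = "delete"
)

// Role is the coarse user category named in the article (administrator, doctor, patient).
type Role string

const (
	Administrator Role = "administrator"
	Doctor        Role = "doctor"
	Patient       Role = "patient"
)

// User is an already-authenticated principal (authentication is assumed to have happened earlier).
type User struct {
	ID   string
	Role Role
}

// Record is a minimal ePHI record: who it belongs to and which clinicians are assigned to it.
type Record struct {
	ID          string
	PatientID   string
	CareTeamIDs []string
}

// rolePolicy is a constructed example policy (an assumption of this example, not a
// regulatory requirement): which actions each role may ever perform. Anything not listed is denied.
var rolePolicy = map[Role]map[Action]bool{
	Administrator: {Delete: true},
	Doctor:        {Read: true, Modify: true},
	Patient:       {Read: true},
}

// AuditEntry is written for every access decision so that denied attempts are
// visible to the compliance officer, not only successful ones.
type AuditEntry struct {
	When     time.Time
	UserID   string
	Role     Role
	Action   Action
	RecordID string
	Allowed  bool
	Reason   string
}

// Authorize applies two checks in order: (1) the role may perform the action at all,
// (2) the user is in scope for this particular record. Patients are limited to their own
// record, doctors to records where they are on the care team, administrators are unscoped.
func Authorize(u User, a Action, r Record) AuditEntry {
	e := AuditEntry{When: time.Now().UTC(), UserID: u.ID, Role: u.Role, Action: a, RecordID: r.ID}
	if !rolePolicy[u.Role][a] { // a nil inner map (unknown role) also yields false
		e.Reason = fmt.Sprintf("role %q may not %s records", u.Role, a)
		return e
	}
	switch u.Role {
	case Patient:
		if r.PatientID != u.ID {
			e.Reason = "patients may only access their own record"
			return e
		}
	case Doctor:
		if !contains(r.CareTeamIDs, u.ID) {
			e.Reason = "doctor is not on this patient's care team"
			return e
		}
	}
	e.Allowed = true
	e.Reason = "permitted by role policy and scope"
	return e
}

func contains(ids []string, id string) bool {
	for _, x := range ids {
		if x == id {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data: one record, several access attempts.
	rec := Record{ID: "rec-1001", PatientID: "pat-42", CareTeamIDs: []string{"doc-7"}}
	attempts := []struct {
		u User
		a Action
	}{
		{User{"pat-42", Patient}, Read}, {User{"pat-99", Patient}, Read},
		{User{"doc-7", Doctor}, Modify}, {User{"doc-8", Doctor}, Read},
		{User{"doc-7", Doctor}, Delete}, {User{"adm-1", Administrator}, Delete},
	}
	for _, at := range attempts {
		e := Authorize(at.u, at.a, rec)
		fmt.Printf("%-7s %-13s %-6s %s allowed=%-5v %s\n", e.UserID, e.Role, e.Action, e.RecordID, e.Allowed, e.Reason)
	}
}
```

Running `main` prints one audit line per attempt; only the patient reading their own record, the assigned doctor modifying it, and the administrator deleting it are allowed. In a real application the `AuditEntry` would be persisted to an append-only log rather than printed.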
To ensure the security of medical applications, IT infrastructure, and all transmitted and stored data, a healthcare organization should plan and conduct regular vulnerability assessments and penetration testing of the relevant IT infrastructure components and software.
While implementing healthcare software, the healthcare organization should draw up policies and procedures for protecting ePHI against alteration or destruction. This helps ensure data integrity and patient safety.
During ePHI transmission over an electronic communications network, the data should remain inaccessible to third parties. To guard it from unauthorized access, it should be transmitted using a secure protocol and over a secure network connection.
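Encryption of data at rest (discussed above under data encryption) and detection of unauthorized alteration (this section) can be addressed together with an authenticated cipher, and the following added example shows how; it is not code from the article or from ScienceSoft. It uses AES-256-GCM from Go's standard library, binds each ciphertext to its record ID as associated data, and treats any authentication failure as an integrity violation. The record bytes, record IDs and the in-memory key are constructed for the example; a real deployment keeps the key in a key-management service, not next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrIntegrity is returned when a stored record fails authentication: its bytes were
// altered, it was filed under a different record ID, or the wrong key is in use.
var ErrIntegrity = errors.New("record failed integrity check: altered, mis-filed, or wrong key")

// NewKey returns a random 256-bit key. Assumption of this example: the key is generated
// here; in production it would come from a key-management service.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// SealRecord encrypts one record with AES-256-GCM. The record ID is passed as additional
// authenticated data, so a ciphertext copied under another record's ID will not open.
// Output layout: nonce || ciphertext || 16-byte tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce so they are stored together.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. Any tampering surfaces as ErrIntegrity rather than
// as corrupted plaintext, which is what an integrity policy needs to detect.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrIntegrity
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return nil, ErrIntegrity
	}
	return pt, nil
}

// Tamper flips one bit of a stored record, simulating silent modification on disk.
func Tamper(sealed []byte, at int) []byte {
	out := append([]byte(nil), sealed...)
	out[at] ^= 0x01
	return out
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	record := []byte("patient=pat-42;dx=J06.9") // constructed sample, not real PHI
	sealed, err := SealRecord(key, "rec-1001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for rec-1001: %x...\n", len(sealed), sealed[:8])

	pt, err := OpenRecord(key, "rec-1001", sealed)
	fmt.Printf("intact copy:    %q err=%v\n", pt, err)
	_, err = OpenRecord(key, "rec-1001", Tamper(sealed, len(sealed)-1))
	fmt.Printf("altered copy:   err=%v\n", err)
	_, err = OpenRecord(key, "rec-2002", sealed)
	fmt.Printf("mis-filed copy: err=%v\n", err)
}
```

The altered and mis-filed cases both fail closed with `ErrIntegrity`, so the application can refuse to display the record and raise an alert instead of silently showing a modified diagnosis. GCM's per-record random nonce is only safe while the number of records sealed under one key stays well below 2^32, so a deployment should rotate keys or use a nonce-misuse-resistant mode if volumes approach that.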
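What "a secure protocol over a secure connection" means in client code, as an added example not taken from the article or from ScienceSoft: a TLS client that requires TLS 1.2 or newer and verifies the server certificate, shown next to the setting that must not ship (`InsecureSkipVerify`). The example runs fully offline against an in-process HTTPS server from Go's `net/http/httptest`, whose self-signed certificate stands in for an endpoint whose identity has not been established; the response body is a constructed placeholder.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewHardenedClient only negotiates TLS 1.2 or newer and validates the server certificate
// against the given roots (nil means the operating system's trust store).
func NewHardenedClient(roots *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			MinVersion: tls.VersionTLS12,
			RootCAs:    roots,
		}},
	}
}

// NewWeakClient is the configuration to look for in code review: it disables certificate
// verification, so the client cannot tell the real server from anyone who intercepts the connection.
func NewWeakClient() *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			InsecureSkipVerify: true, // the weak setting
		}},
	}
}

// Fetch performs a GET and returns the body; a TLS handshake failure surfaces as an error.
func Fetch(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// DemoResult records how each client configuration behaved against the local server.
type DemoResult struct {
	TrustedRootOK     bool   // hardened client with the server's certificate trusted: succeeds
	UntrustedRejected bool   // hardened client with only the system store: must refuse
	WeakAccepted      bool   // InsecureSkipVerify client: accepts the unverified endpoint
	RejectError       string // the error the hardened client reported
}

// RunDemo starts an in-process HTTPS server with a self-signed certificate and exercises the
// three clients against it.
func RunDemo() DemoResult {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ePHI-placeholder") // constructed body, contains no real data
	}))
	defer srv.Close()

	// The correct fix for a private CA is to trust its root explicitly, not to skip verification.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())

	var res DemoResult
	body, err := Fetch(NewHardenedClient(pool), srv.URL)
	res.TrustedRootOK = err == nil && body == "ePHI-placeholder"

	_, err = Fetch(NewHardenedClient(nil), srv.URL)
	res.UntrustedRejected = err != nil
	if err != nil {
		res.RejectError = err.Error()
	}

	_, err = Fetch(NewWeakClient(), srv.URL)
	res.WeakAccepted = err == nil
	return res
}

func main() {
	r := RunDemo()
	fmt.Printf("hardened client, root trusted:   ok=%v\n", r.TrustedRootOK)
	fmt.Printf("hardened client, root untrusted: rejected=%v (%s)\n", r.UntrustedRejected, r.RejectError)
	fmt.Printf("InsecureSkipVerify client:       accepted=%v  <- this is the problem\n", r.WeakAccepted)
}
```

The hardened client fails closed on the untrusted certificate while the weak client connects without complaint, which is why `InsecureSkipVerify: true` (and its equivalents in other stacks) is worth a dedicated check in code review and in static analysis of healthcare applications.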
Ensure compliance of your healthcare organization
Failure to comply with regulatory requirements can result in large penalties for a healthcare organization and undermine the trust of its clients. If you need professional assistance in any aspect of developing and implementing HIPAA-compliant software, you are welcome to turn to ScienceSoft’s healthcare IT consultants.