A primary concern for every healthcare professional is the safe, secure management of protected health information (PHI). This is especially true for anyone within health information management (HIM) who deals with the exchange of patient information between physicians, health plans, other requesters (e.g., health sciences and law firms), and the patients themselves. So as an HIM professional, how can you ensure your release of information (ROI) process offers the right level of security to protect PHI?
While there are many security standards, HITRUST is one of the most widely recognized certifications in healthcare. This exhaustive certification looks at all aspects of security within an organization and its applications and provides independent recognition of a mature security program. So, what is HITRUST and why is it important to ensure your vendors are HITRUST certified?
A Little Background
Healthcare organizations need to meet a number of security requirements, including those imposed by the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, state laws, third parties, and government entities such as the Centers for Medicare & Medicaid Services (CMS). The problem with these requirements is that they are not prescriptive: they say what must be protected, not how, and are therefore open to interpretation. That is where HITRUST certification comes in.
The HITRUST Common Security Framework (CSF) provides the prescriptiveness needed for healthcare organizations to effectively implement controls to meet regulatory, third-party and business requirements in a way that is scalable based on key organizational, system and regulatory risk factors.
HITRUST CSF Certification Ensures Security and Compliance
To become HITRUST CSF Certified, healthcare companies must effectively and consistently demonstrate that their applications and data centers, whether on-site or in the cloud, meet compliance and risk standards as assessed by independent professional services firms. CSF Assessors verify that controls are not only in place but operating as intended, so that breaches are prevented or exposure is limited if one occurs. In other words, a HITRUST CSF Certified partner has shown an independent assessor that the controls protecting your patients' PHI in transit and at rest are working and that they map to federal, state, and industry requirements. Because a certification covers a defined scope and has an expiration date, ask to see the certification letter and confirm that it is current and that its scope includes the systems and facilities that will actually handle your PHI.
With the increasing volume of ROI requests, moving to a Remote ROI process is becoming less of an option and more of a requirement. Be sure your vendors can demonstrate their achievement of security standards.
In addition to HITRUST certification, there are several other security certifications that further demonstrate a company’s commitment to protecting PHI. For example, Ciox has been recognized by several accreditation and validation organizations, including Drummond Group, AICPA, CMS, and eHealth Exchange.
Other Measures for Protecting Health Information
Ensuring secure systems and effective controls is critical to the safe handling of PHI, but there are other security-related measures you and your vendors should adopt, such as:
- Audits: The ROI process is not simple. There are at least 32 specific steps, each presenting its own complexities and compliance risk. To ensure the most secure, compliant process, build quality assurance checks or audits into each stage of the ROI process rather than relying on a single review at the end.
- Education: Employees handling PHI must all receive comprehensive training — on an ongoing basis — to ensure that they fully understand how and why ROI processes must be followed. It’s also important to educate them on the consequences of unauthorized access, not only for the company but for the individual whose PHI is compromised.
- Reporting: When a business partner is accessing your PHI, transparency is critical. One way to facilitate that transparency is through reporting. Ask your vendor partners for reporting on unauthorized disclosures that includes trends, root causes, and the steps taken to remediate each incident.
As the healthcare industry begins to adopt more technology-based solutions, ensuring the security of PHI is more important than ever. When you partner with a company like Ciox, you can benefit from an ROI process that is efficient, secure, and compliant. Information security is the foundation of our technologies and initiatives and we are committed to going above and beyond for our customers in securing their health information. We believe “Every record represents a real person” so we treat the data we are charged with protecting as if it were our family’s, because many times, it is.