In 1996, when the Health Insurance Portability & Accountability Act (HIPAA) was enacted, most medical records had yet to make the transition from analog to digital.
Now, almost twenty years later, manila folders are lumbering towards the La Brea Tar Pits, while digital medical information is consumed on everything from stationary desktops to untethered smartphones and tablets. With this turn in technology comes a greater need to enforce HIPAA compliance – enter Omnibus.
Omnibus Fines Could Cripple a Medical System
The efficiencies offered by instant access to data at patient bedsides are numerous. The data dangers, however, especially in light of Omnibus’ tenets of increased accountability and increased fines, rightfully make IT wary of this open accessibility, especially when Bring Your Own Device (BYOD) is factored into the equation.
Omnibus Red Flags for IT Include:
- Strengthening the privacy and security protection for individuals’ personal health information (PHI).
- Modifying the Breach Notification Rule for Unsecured Protected Health Information, putting in place more objective standards for assessing a health care provider’s liability following a data breach.
- Increasing penalties for noncompliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.
- Holding HIPAA business associates to the same standards for protecting PHI as covered entities, including subcontractors of business associates, in the compliance sense.
Naturally there’s much more inside Omnibus’ voluminous 563-page legislation, but these points alone should give IT administrators pause where mobility is concerned.
Imagine, if you will, Dr. Mal Practice, an avid Twitter user. What happens when the good Doctor means to Twitpic a shot of his kids and instead shares the picture of a patient’s rash? That’s an Omnibus violation.
What about when the good Doctor leaves his iPad at the lunch table with no lock and no passcode? That is a multi-million dollar violation bill when we remember that each small piece of data shared is its own separate infraction.
The disaster scenarios go on and on. However, protection measures can be summed up in a much tidier fashion.
Omnibus Necessitates IT Visibility & Management
A combination of policy and technology is the bedrock of Omnibus compliance. Use these five simple steps to start discussions in your organization.
Policy Making: No mobility strategy, regardless of industry, will be effective without customized and well-informed policy and enforcement structures. Healthcare providers should first make an exhaustive list of all support, security, compliance, productivity and monitoring processes that will need to be covered, and then establish a firm set of rules.
Multi-Device & OS Support: No two devices are managed the same way… without mobile device management (MDM), that is. Android’s fragmentation and Apple’s recent iOS 7 release mean BYOD devices could run a wide gamut of manufacturers and operating systems. With MDM, Healthcare IT can manage all device types and operating systems from one common console. MDM policies can also hold back operating system updates until IT is sure the new OS will integrate with corporate systems and custom apps.
Passcode Enforcement: This one seems simple enough, but many organizations are still deploying soft passcodes or none at all. Data from Fiberlink shows Healthcare is ahead of other industries, but there is still a long way to go. With mobile device management, IT can enforce passcode length and complexity on any device in the ecosystem.
App & Content Management: You can’t have a mobility discussion without exploring the apps and content being accessed by doctors, nurses and staff. With MDM, mobile application management (MAM) and content management, IT can facilitate the distribution of apps and content to ensure only the right individuals or groups receive access to what they need.
Separation of Work and Play: Many healthcare organizations are seeing the need for a hard line to be drawn between work and personal data on mobile devices. Dual-persona modes or containers keep work information separate from the consumer-based information sieves that live on most tablets and smartphones. Containers can also be used to control how users interact with data; blocking functions like cut & paste gives an extra measure of protection against patient information making its way onto the internet and into personal email.
How have you prepared for Omnibus? Share your best-practices in the comments section.