HIPAA Omnibus: Educating Vendors A CISO Describes Challenges with Smaller Business Associates

October 16, 2013

It is always reassuring to find that your vision of the marketplace is shared by someone who is in the direct line of fire. Fourteen acute care hospitals certainly means that he is dealing with over 1,000 business associates, many if not most of which are not fully compliant with the Omnibus Rule. I have not yet talked with him but will try and find out what tools he is using to reach out to these BAs and what success he is having. Multiply him by thousands of CISOs in the healthcare industry and you begin to see the depth and breadth of the problem. We designed BA Tracker for this situation: to help the CE find out where the problems lie, and to offer the BA a cost-effective and efficient method of getting compliant, staying compliant, and proving compliance with the Compliance Meter(tm). Imagine being able to look at a screen and see all of your BAs ranked by risk level, and then being able to offer help to the ones in the higher risk categories, a win for both sides.

Here is the article:

Although the enforcement date for the HIPAA Omnibus Rule was Sept. 23, compliance is an ongoing project, and educating smaller business associates is a continuing challenge, says Jeff Cobb, CISO at Capella Healthcare.

The Tennessee-based health system, which operates 14 acute care and specialty hospitals in six states, deals with many smaller business associates that lack a mature security program, Cobb says.

“So the education to help them understand their [new HIPAA] obligations, and to work with them to identify the bigger risk areas, and to create a corrective action plan or a remediation schedule - that’s going to be an ongoing conversation for us. That is something that will never go away,” he says in an interview with Information Security Media Group.

Looking ahead to next year’s privacy and security priorities, Cobb says compliance issues will continue to top the list.

“One of the big things for us is audit preparedness,” he says. “It’s about how we can be better prepared to defend ourselves when that time comes. It’s not a matter of ‘if’ in our minds, it’s a matter of when.”

Audit preparation involves both readiness for a HIPAA compliance audit as well as an audit of whether the organization correctly attested to meeting the requirements for the HITECH meaningful use electronic health record incentive program, he explains.

In the interview, Cobb also discusses:

The difficulty in complying with a HIPAA Omnibus provision that requires healthcare providers to accommodate patients’ requests not to disclose to their health insurer information about care that they paid for out of their own pockets;

The competition with other healthcare providers for information security talent;

Why many organizations are still struggling with addressing basic security measures.

As CISO for Franklin, Tenn.-based Capella Healthcare, Cobb is responsible for information security and privacy. He has more than 12 years of experience in information technology and security, primarily in healthcare. Previously, Cobb served in leadership and consulting positions with Ingenuity Associates, UnitedHealth Group and AIM Healthcare, now part of Optum. He is also president of the Middle Tennessee chapter of the Information Systems Security Association and chair of the Metro Nashville Information Security Advisory Board.
