The recently passed Health Information Technology for Economic and Clinical Health Act (HITECH) has meant significant changes to the Health Insurance Portability and Accountability Act (HIPAA). Previously a reactive and vaguely defined statute, HIPAA now gains, through the HITECH Act, detailed requirements together with stepped-up enforcement and penalties for violations. In addition, HITECH extends HIPAA coverage to related entities. For example, a healthcare provider is now responsible for the HIPAA posture of its out-of-house pharmacy services, billing services, claims processing services and overseas support desks. The updates reflect the increasingly distributed and interconnected reality of most healthcare organizations. As a result, HIPAA compliance has become more important (and challenging) than ever.
The act imposes more stringent regulatory and security requirements on the privacy rules of HIPAA: it extends the covered entities to include business associates and related third-party vendors in the healthcare industry, increases audit requirements, calls for more proactive measures to protect personal healthcare information (PHI), raises civil penalties for a compliance violation of HIPAA, and sets stricter notification requirements for security breaches of protected information.
The result should be better governance and risk management, but it will come at the cost of increased challenges for covered organizations. IT security and business unit stakeholders, in particular, will be challenged in a variety of ways. Compliance with the letter of the guideline can be difficult for organizations without strong access governance processes and policies. Complicating matters, demonstrating compliance through an annual user access review and certification process can be even more complex and time consuming, leaving organizations less time to focus on patient care and related activities. The net result is higher operational and regulatory risk exposure.
One area that leads to a significant number of audit findings, access change management, will become even more of a challenge under the more stringent guidelines of HIPAA. To practice effective access risk management, organizations will need to shore up the processes governing initial access requests (joiners), changes to access due to transfers (movers), and termination of access (leavers). The joiner/mover/leaver framework gives entities a useful basis for a risk-based approach to access governance.
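The joiner/mover/leaver check described above can be run as a periodic reconciliation between the HR roster and the entitlements actually granted in systems that hold PHI. The following is an added example, not code from the white paper or its publisher; the role baseline, the worker records and the entitlement names are constructed for illustration, and the finding categories are this example's own labels for the three JML cases plus the two failure modes an access review typically surfaces (orphaned accounts and out-of-baseline access).

```python
"""Joiner/mover/leaver (JML) access reconciliation.

Added example: compares a (constructed) HR roster against granted
entitlements and reports the access-change findings an auditor would ask for.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical role baseline: entitlements each department is expected to hold.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "nursing": {"ehr_clinical_read", "ehr_clinical_write"},
    "billing": {"ehr_billing_read", "claims_submit"},
    "helpdesk": {"ehr_audit_read"},
}


@dataclass(frozen=True)
class Worker:
    worker_id: str
    department: str
    status: str                            # "active" or "terminated"
    prior_department: Optional[str] = None  # set when HR recorded a transfer


def reconcile(hr_roster: List[Worker], entitlements: Dict[str, Set[str]]) -> List[dict]:
    """Return findings as dicts with keys worker, category, entitlements.

    Categories:
      orphan  - entitlements exist for an identity HR does not know about
      leaver  - terminated worker still holds entitlements
      mover   - transferred worker still holds the prior department's entitlements
      excess  - active worker holds entitlements outside the department baseline
      joiner  - active worker is missing baseline entitlements
    """
    findings: List[dict] = []
    roster = {w.worker_id: w for w in hr_roster}

    # Pass 1: walk granted access and look for access that should not exist.
    for wid, ents in sorted(entitlements.items()):
        worker = roster.get(wid)
        if worker is None:
            findings.append({"worker": wid, "category": "orphan", "entitlements": sorted(ents)})
            continue
        if worker.status == "terminated":
            if ents:
                findings.append({"worker": wid, "category": "leaver", "entitlements": sorted(ents)})
            continue
        excess = ents - ROLE_BASELINE.get(worker.department, set())
        if not excess:
            continue
        prior = ROLE_BASELINE.get(worker.prior_department, set()) if worker.prior_department else set()
        carried = excess & prior  # access accumulated from the previous role
        if carried:
            findings.append({"worker": wid, "category": "mover", "entitlements": sorted(carried)})
        if excess - carried:
            findings.append({"worker": wid, "category": "excess",
                             "entitlements": sorted(excess - carried)})

    # Pass 2: walk the roster and look for active workers missing baseline access.
    for wid, worker in sorted(roster.items()):
        if worker.status != "active":
            continue
        missing = ROLE_BASELINE.get(worker.department, set()) - entitlements.get(wid, set())
        if missing:
            findings.append({"worker": wid, "category": "joiner", "entitlements": sorted(missing)})
    return findings


# Constructed sample data covering each category once.
SAMPLE_ROSTER = [
    Worker("W001", "nursing", "active"),
    Worker("W002", "billing", "active", prior_department="nursing"),
    Worker("W003", "helpdesk", "terminated"),
    Worker("W004", "nursing", "active"),
]
SAMPLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "W001": {"ehr_clinical_read", "ehr_clinical_write"},
    "W002": {"ehr_billing_read", "claims_submit", "ehr_clinical_write"},
    "W003": {"ehr_audit_read"},
    "W999": {"claims_submit"},
}


def run_sample() -> List[dict]:
    return reconcile(SAMPLE_ROSTER, SAMPLE_ENTITLEMENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['category']:7} {f['worker']}: {', '.join(f['entitlements'])}")
```

Run against the sample data, the check reports W002 as a mover still holding clinical write access from nursing, W003 as a leaver with an active entitlement, W999 as an orphaned identity, and W004 as a joiner with no baseline access yet; W001 is clean. In practice the roster and entitlement feeds come from the HR system and each PHI-holding application, and the findings feed the periodic certification review.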
It follows that forward-thinking organizations should use the passage of HITECH as an opportunity to take a more risk-oriented approach by implementing an access governance framework and modernizing how patient information is stored and accessed through electronic health records (EHR). Such an approach yields increased customer trust, decreased operational burden, streamlined operations and superior access risk management, all of which lead to improved organizational value.
Read this white paper to learn more about a pragmatic approach to HIPAA compliance that uses role-based access governance to proactively ensure regulatory compliance.