The Patient Protection and Affordable Care Act of 2010 (ACA) requires each state to have a health insurance Exchange, a marketplace where consumers can easily shop around for health insurance and find the best option for them by comparing price, benefits, services, and quality. In order to obtain Health Insurance Exchange (HIX) compliance, Section 1561 requires that certain security standards and protocols be met by these Exchanges in order to make every effort to protect and ensure the confidentiality, integrity, and availability of the system and its users.
These Minimum Acceptable Risk Standards for Exchanges (MARS-E) are separated into three classes: technical, operational, and management. These classes consist of nineteen control families, handling everything from Personally Identifiable Information (PII) to Protected Health Information (PHI) and Federal Tax Information (FTI).
If you find yourself dreading the thought of another audit, viewing it as more of a hassle than anything else, you may be suffering from the widespread but little-known "Compliance Fatigue".
The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. After years of testing and delays, the second round of HIPAA audits is finally materializing, and it is expected to be more comprehensive, focusing on the real-world application of policies and procedures across the entire organization and its business associates (BAs).
This program puts to the test the processes, controls, and policies of covered entities (CEs) and BAs in accordance with the HITECH Act audit mandate. The OCR has published its entire audit protocol on its website, which completely outlines the procedures auditors must follow when conducting a program audit, making it easier to prepare.
Is your health organization ready for the OCR auditor?
In December of 2014, a new study, “Corporate Data: A Protected Asset or a Ticking Time Bomb?” from the Ponemon Institute found that employees have excessive access to company data, presenting a growing risk to these organizations.
The study's findings revealed a significant lack of oversight and control over which employees have access to confidential, sensitive data and how that data is shared. It also found confusion among staff as to what their responsibilities are in protecting company data. Companies that do not make data protection a priority typically have a difficult time staying within compliance standards.
Imagine you walk into work on any normal Monday, sit down at your computer to get the week started, and realize that some of your files have been tampered with, moved, or are missing. What just happened? If your company relies on reactive monitoring (break/fix), the method of reacting to a problem only after an incident has already occurred, then you have to spend a hefty amount of money to have the situation diagnosed, and this doesn't guarantee that your missing data will ever be recovered. Now, what happens if your company handles sensitive information that has been compromised? The answer: huge fines and possible lawsuits. With proactive monitoring, the continual screening of your data and hardware in order to detect problems early and prevent crises, you could have avoided, or at the very least lessened, this disaster.
Monitoring of any kind is certainly better than nothing, and reactive monitoring can be useful in some situations. Maybe the company does not require frequent IT support, or maybe it is a new client that wants to test-drive the support before making any long-term commitments. Evaluating your company's needs is a must before deciding which method to pursue.
However, if your company is in need of a lot of IT support, proactive monitoring can help you improve efficiency, increase the consistency of your systems, and ultimately save you money.