Industry Update: We are from the Government. We're here to help.

By Bill Jenkins, Senior Security Engineer, Coalfire

Anyone working in the healthcare IT industry can attest that the federal government is not shy about offering "help". The problem is that healthcare compliance is so complex that the "help" is not always helpful. To meet the challenges of healthcare compliance, it is essential to understand whose help you actually need, and why.

The Department of Health and Human Services (HHS) is the cabinet-level federal department charged with overseeing and regulating U.S. healthcare. Within HHS are four components with their own areas of oversight and their own rules of compliance: the Office for Civil Rights (OCR); the Centers for Medicare and Medicaid Services (CMS); the Office of the National Coordinator for Health Information Technology (ONC); and the Food and Drug Administration (FDA). Depending on your function within the healthcare industry, you may be under the authority of one or more of these bodies, so it is important to understand each of their roles.

The OCR enforces the Health Insurance Portability and Accountability Act (HIPAA): the regulation most people think of when dealing with healthcare. HIPAA, as implemented by HHS regulations, comprises a Privacy Rule, a Security Rule, and a Breach Notification Rule (the last added by the Health Information Technology for Economic and Clinical Health Act, HITECH). The OCR receives and investigates complaints; works within HHS to promote compliance with these rules; publicly posts information on breaches of protected health information affecting 500 or more individuals; and imposes significant civil money penalties and settlements for breaches of patient information. The OCR also runs the HIPAA audit program that HITECH mandated.

The ONC, created by executive order in 2004 and given statutory authority by HITECH, guides and promotes the broader adoption of Electronic Health Records (EHRs). While CMS runs the EHR incentive programs and defines the meaningful use objectives, the ONC sets the standards and certification criteria that an EHR must meet to count as certified EHR technology, and runs the associated grant and certification programs for entities furthering the use of EHRs. If you are a vendor of healthcare management software, you will look to the ONC to identify the functional and security certification criteria and to learn about the certification process needed to assert that your product can be used to meet meaningful use. Note that ONC certification is not a HIPAA certification: a certified EHR satisfies the ONC's criteria, but HIPAA compliance remains the obligation of the covered entity or business associate deploying it, and no HHS body certifies products as "HIPAA compliant". The ONC is also working with the OCR on the privacy and security aspects of EHR adoption. If you are a healthcare provider, the ONC provides direction on the adoption of EHRs as well as information on vendors of certified products.

The CMS drives the healthcare transaction practices governing Medicare and Medicaid. It defines the vocabulary and sets the rules for identifying, classifying, and compensating treatments and medications. It also promotes the improved use of electronic transactions, and HHS has adopted version 10 of the primary diagnosis and procedure code set, the International Classification of Diseases (ICD-10-CM and ICD-10-PCS), to replace ICD-9 in HIPAA transactions. ICD-10 adoption is mandated separately from meaningful use, under the HIPAA transactions and code sets standards with its own compliance date, so those implementing IT improvements under HITECH would be wise to address these changes at the same time.

The FDA oversees the development of medications and medical devices. Focusing on safety, this agency imposes its own data protection, integrity, and privacy requirements, such as the electronic records and electronic signatures rules in 21 CFR Part 11. Organizations conducting clinical trials, developing implants, producing data-collecting devices for the operating room, and the like must design their overall compliance program within the regulations and reporting requirements of this agency.

Complicating the system even further is the fact that the regulations do not end at the federal level. The individual states impose their own compliance rules, including state medical privacy and breach notification laws that can be stricter than HIPAA. Consider this scenario: when a patient in one state participates in a clinical trial run by a university in another state, funded by a pharmaceutical company headquartered in a third state, who intervenes if that patient's medical information from the trial is maliciously posted on Facebook?

Healthcare IT is a complex industry. Healthcare IT compliance is an even more complex issue. To overcome these challenges, you need an integrated program that maps your company's data and business practices to the applicable rules and regulations of each healthcare agency overseeing your work. Coalfire Systems can help you navigate the labyrinth of compliance regulations and develop a program that will transform the federally offered "help" into something that is actually helpful.