Compliance & Legal

The coronavirus pandemic has acted as an "unexpected experiment" for telehealth, but despite its huge promise and the hopes of many that it will become the new normal, experts say it's difficult to predict what's next.

CMS requirements for approved clinical decision support mechanisms could cause extra burden and more keystrokes for physicians attempting to meet appropriate use criteria.

The Exposure Notification Privacy Act requires public health officials to be involved with any exposure notification systems and prohibits commercial use of users' data.

The group tells CMS and Congress that two-dozen "cumbersome" regulations, many related to telehealth, that were waived or relaxed in response to COVID-19 should stay that way.

Over the past decade, workloads and data have moved increasingly into the cloud. For the healthcare industry, that means personal health information is stored in multiple environments – and so security should be able to respond to threats across those environments too. "As the IT estate continued to evolve, the traditional 'gate in castle' approach to security became less and less relevant," said Ryan Smith, VP of product at Armor Cloud Security, in a HIMSS20 Digital presentation.  "It was no longer sufficient enough to have a firewall on the outside perimeter," he said. "Instead, you had to begin focusing on the workload. When you think about security, you have to be thinking about how you're protecting that workload." During his talk, Maintaining Visibility and Security Across Hybrid Infrastructure Deployments in the Healthcare Industry, Smith explained that cloud-based security failures are nearly always the fault of the customer, rather than the security provider – and that in healthcare companies, orchestrating security teams is often "a very fragmented picture." This means, Smith said, that security in the cloud is not a technology problem, but an operations problem – and a cultural problem – for businesses. The defense of healthcare information, in particular, presents a number of unique challenges, including a murky understanding of cloud architecture and data landscapes, poor authentication, weak role-based controls, stubborn end-user adoption, and a lack of orchestration between point solutions.  Another hurdle, Smith said, involves furthering the understanding that regulatory constraints under HIPAA aren't always prescriptive.  "Compliance is built on a checklist of how we should maintain best practices," Smith said. "Compliance is more of a point-in-time snapshot. … Security never sleeps, while compliance is often a once-a-year activity." "Threat actors don't care if you're compliant," he pointed out. Plus, as Smith noted, compliance often results from security.  Security platforms should protect the data environment from both accidental and intentional threats, Smith said. He explained that tools focused on Cloud Security Posture Management, Cloud Workload Protection and Cloud Access Security Brokers can work together to address the all-around security needs of an organization. This is important, Smith said, because "healthcare data is gold to bad actors."  The financial impact of data breaches is often significant due to government fines, loss of customers or theft of intellectual property. "If you are subject to breach," Smith said, "there is tremendous impact to the business." .jumbotron{ background-image: url("/sites/hitn/files/u2556/HIMSSDigitalJumbo.jpg"); background-size: cover; color: white; } .jumbotron h2{ color: white; } HIMSS20 Digital Experience the education, innovation and collaboration of the HIMSS Global Health Conference & Exhibition… virtually. Kat Jercich is senior editor of Healthcare IT News. Twitter: @kjercich Healthcare IT News is a HIMSS Media publication.

The Trusted Exchange Framework and Common Agreement, designed to ensure an individual's electronic health information is available when they need it, depends on participation from stakeholders across the healthcare ecosystem.

In their HIMSS20 Digital session, privacy policy experts Deven McGraw and Jodi Daniel offer a deeper look at digital patient access, the APIs that enable it – and the mistakes healthcare organizations make when providing medical records.

Hospitals are having a hard time reporting data to public health agencies, according to a new JAMIA study, which finds patchwork data sharing, "often occurring via fax or phone."

The legislation would forbid companies from using health information for "discriminatory, unrelated or intrusive purposes."

CMS will require hospitals to adopt the Hybrid Hospital-Wide 30-Day Readmission measure by 2023. Experts say you should start preparing now.