In the second part of our Data Privacy Day series, we are focusing on compliance-related questions. We are joined by HealthAxis team members Milonda Mitchell, Compliance Officer; Ralph Pugh, Information Security Analyst III; and Tony Gambino, Cyber Security Engineer.
Q: With HIPAA adding new requirements around how we handle incidents and new safeguards, how should IT teams approach these updates?
Ralph:
- Revamp Incident Response Plans: The first step is to update existing protocols to ensure rapid detection, reporting, and mitigation of data breaches in compliance with the new standards.
- Enhance Safeguards: Strengthening technical controls, such as multi-factor authentication, endpoint security, and advanced firewalls, will help ensure compliance with the new updates.
- Audit and Test Systems: Perform regular audits and simulate incident scenarios to validate the effectiveness of new safeguards.
Tony:
- Understand the New Regulations: Conduct a detailed analysis of the updated requirements, focusing on incident response and new safeguards.
- Invest in Staff Training: Educate employees on the updated regulations and start new training programs to ensure compliance is met.
- Engage Compliance Experts: When new requirements emerge, it is ideal to collaborate with legal and regulatory experts to ensure thorough adherence to HIPAA updates.
Q: What steps are ideal to evaluate and improve privacy practices regularly?
Milonda:
- Privacy Audits: Conduct routine internal audits to evaluate data collection, processing, storage, and sharing practices.
- Gap Analysis: Compare existing practices against applicable privacy regulations (e.g., HIPAA, GDPR, or CCPA) and industry standards.
- Training & Awareness: Regularly train staff on data protection policies, emerging threats, and compliance requirements.
- Risk Assessments: When implementing new processes, tools, or systems that handle sensitive data, perform privacy impact assessments (PIAs).
- Update Policies: Review and update privacy policies to reflect changes in regulations, technology, or organizational practices.
Q: How do you ensure secure data sharing between internal departments and external stakeholders?
Milonda:
- Encryption: Use end-to-end encryption for all data transfers, whether internal or external.
- Access Controls: Implement role-based access controls (RBAC) to limit data sharing to authorized personnel only.
- Data Transfer Agreements: Establish formal agreements (e.g., business associate agreements or data-sharing contracts) with external stakeholders.
- Secure Channels: Utilize secure file transfer protocols (e.g., SFTP, HTTPS) or enterprise-grade sharing tools.
- Data Minimization: Share only the minimum necessary data required for the specific purpose.
Q: What processes are best practices to have in place to handle data deletion requests under applicable privacy laws?
Milonda:
- Centralized Request Portal: Implement a secure, centralized platform for receiving and tracking data deletion requests.
- Verification Process: Verify the identity of the requestor to prevent unauthorized access or deletion.
- Data Mapping: Maintain an updated data inventory to quickly identify where personal data resides across systems.
- Defined Workflows: Establish detailed workflows for processing requests, including timelines and approvals, to meet regulatory requirements (e.g., GDPR’s 30-day timeframe).
- Documentation: Log all deletion requests, including the action taken and the timeline, for compliance tracking.
Q: How do we assess the compliance and security practices of third-party vendors who handle our data?
Milonda:
- Vendor Risk Assessments: Conduct thorough initial due diligence, including security questionnaires and audits, before onboarding vendors.
- Contractual Obligations: Include detailed data protection requirements and audit rights in vendor agreements.
- Certifications: Require vendors to provide certifications (e.g., ISO 27001, SOC 2) or demonstrate compliance with applicable laws.
- Periodic Reviews: Perform regular assessments of vendor practices, especially when regulations or business needs change.
- Incident Reporting: Ensure vendors have robust breach notification procedures in place.
Q: How do we monitor and verify third-party adherence to our data privacy requirements?
Milonda:
- Audits & Inspections: Conduct periodic audits, either internally or via third-party services, to verify compliance.
- Reporting Obligations: Require vendors to provide regular compliance reports or certifications.
- Performance Metrics: Define KPIs and SLAs for privacy and security compliance in contracts and monitor their adherence.
- Incident Management: Monitor incident reports from vendors to evaluate their response effectiveness.
- Continuous Monitoring: Use automated tools to monitor vendors’ data protection practices, especially for critical services.
Q: What is the best practice for documenting compliance with data privacy regulations, and how accessible should these records be during an audit?
Milonda:
- Centralized Repository: Maintain a secure, centralized system to store all compliance documentation, such as risk assessments, training logs, data inventories, and incident response records.
- Retention Policy: Establish a clear data retention policy to ensure records are kept for the legally required duration.
- Version Control: Keep all policy updates, audit findings, and corrective actions version-controlled and timestamped.
- Audit-Ready Format: During an audit, ensure records are structured, searchable, and accessible to relevant personnel. If possible, use automated compliance management tools.
- Transparency: As necessary, share relevant compliance documentation with regulators, auditors, and stakeholders, ensuring alignment with confidentiality policies.
At HealthAxis, we are committed to supporting health payers in these efforts. Our solutions are designed to improve member engagement, streamline communication, and ensure compliance, ultimately enhancing the overall member experience. Connect with our experts for more detailed insights and practical strategies on how we can support your healthcare organization.
Authors:
Milonda Mitchell
Compliance Officer
Ralph Pugh
Information Security Analyst III
Tony Gambino
Cyber Security Engineer