It has been 20 years since HIPAA, the Health Insurance Portability and Accountability Act, was signed into law. HIPAA was designed to protect sensitive client information in the healthcare sector by establishing federal data security standards. Despite this, there have been 232 cases of theft and hacking since January 2015. This data, collected by the US Department of Health and Human Services' Office for Civil Rights, only covers incidents in which the data of 500 or more individuals was affected, which means the true number is higher.
Medical data is big money, and not just for tech companies that provide data security solutions. Failure to comply with HIPAA is costly; fines can amount to millions of dollars. In 2015 the Office of Civil Rights (OCR) collected $6.2 million in settlements for HIPAA infractions. Furthermore, the Department of Health and Human Services has been aggressively pursuing entities believed to be in possible breach of HIPAA regulations. The sticking point is that while penalties are in place for all manner of infractions, HIPAA has not provided clear guidelines on how organizations can comply with these tight regulations. Information on best practices has been coming out in dribs and drabs, every time an entity is pulled up for noncompliance. The question then becomes: how do you comply with HIPAA? The first step is to know what the consequences are for not meeting HIPAA regulations; the second is to protect yourself and your organization by making sure there are safeguards in place to keep medical records safe.
Consequences of HIPAA Violations
The cost of mismanaging digital protected medical information has reached an extra dimension with HIPAA. Not only does the reputation of the organization take a severe walloping, but the entity also suffers financially as a result of the loss of trust from its publics. Add to that the penalties levied by the government if a company has been lax in its data security compliance regarding electronic protected health information (ePHI), plus the associated legal costs, and the financial toll increases further. The most notable instance of the dangers of data security noncompliance is of course that of Advocate Health Care. The OCR started its investigations into possible HIPAA violations in 2013 and, in what is the largest settlement to date, on August 4, 2016, Advocate Health Care agreed to pay $5.5 million to the government. Including the Advocate Health Care settlement, the OCR has received payments of up to $20.3 million for HIPAA violations so far this year.
Data security breaches of protected health information (PHI) of fewer than 500 individuals had previously not been examined by the OCR. That changed this month, following investigations into smaller breaches like those of Catholic Healthcare Services and Hospice of North Idaho. On August 19, 2016, the OCR announced that it will also be stepping up its investigations into smaller breaches of PHI. While it will be up to individual regional offices to decide which breaches to prioritize, they are on the lookout to crack down on ‘system- and enterprise-wide noncompliance and security and privacy shortcomings. An investigation into a single stolen laptop that held PHI of 80 individuals may uncover an entity’s failure to encrypt any of the data it stores and uses.’
Protect PHI, Yourself, and Your Organization: Comply with HIPAA
Where HIPAA is concerned, ignorance is no defence. Source: American Medical Association
The punishments are severe. However, HIPAA does not provide best practices, nor does it give clear instructions on how an entity can best protect ePHI. Fortunately, it does supply the conceptual framework an organization needs to adhere to. We also have a better understanding of how organizations are vulnerable, thanks to data compiled by the US Department of Health and Human Services' Office for Civil Rights, as the HITECH (Health Information Technology for Economic and Clinical Health) Act requires breaches of unsecured PHI to be posted publicly. The best way for an entity to get started on ensuring HIPAA compliance is to get internal and external stakeholders on board.
So who are your external stakeholders?
That would be your customers and your business associates. According to the Department of Health and Human Services, a business associate can be anyone ‘who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.’ Managed Service Providers (MSPs) are also considered business associates and are required to sign agreements with health care customers to assure the customers that they are following the data security standards required by federal law. It falls on each organization to ensure that its external stakeholders are aware of HIPAA, and that they are taking the necessary steps to protect PHI.
Source: Gettins’ Law
How do you make sure your business associates comply with HIPAA?
- Get the required business associate agreement. These contracts are easily obtainable from the US Department of Health and Human Services.
- Ensure that when devices are destroyed, all ePHI is destroyed too. For a more comprehensive idea of what this entails, read our earlier post on How Data Destruction Can Prevent A Data Security Nightmare.
Should you inform your customers about HIPAA?
Yes, but you’re not obliged to. However, by informing your customers you are doing the following:
- Providing transparency that will result in customer loyalty and increased trust, and further enhance your reputation
- Laying out your compliance plan, which adds another check on your internal system and helps ensure compliance
- Reducing the number of frustrated and unhappy patients who do not know why they have to come down in person to sign a certain form, or why you were obliged to disclose certain information to a governmental agency.
How should you inform your customers?
While health care professionals can communicate the ins and outs of HIPAA to their clients, brochures and posters in the facility are two ways of informing your customers. A patient’s doctor should also be able to answer any concerns and questions.
Maintaining security and confidentiality needs to be the watchword of all staff who come across ePHI. For this, there need to be systems in place that not only limit the number of individuals who have access to such sensitive medical records but also meet the exacting standards of HIPAA. The Department of Health and Human Services demands physical, technical and administrative security safeguards.
Checklist for HIPAA Compliance:
- Have departmental workshops where all members of each department have a working understanding of HIPAA. A communications person should create internal documents to outline what HIPAA is, and its regulations. They should also be available to answer any questions or concerns personnel may have about HIPAA.
- All personnel must be made aware that any security breach under their name is a HIPAA violation and that they are liable by law
- Allow access to ePHI only on certain workstations and program automatic logoffs on all workstations
- Incorporate tracking logs or audit reports of all activity on all devices
- Require passwords to open PHI, and provide unique passwords only to individuals who require the information. These authorized personnel must keep their log-in credentials confidential
- Restrict all attempts at removing, deleting, and transferring PHI by requiring log-in information to track who has accessed the information
- Establish emergency access procedures where only department heads and a select few authorized personnel have access
- Include encryption on all hardware and software
- Make sure you have a system in place which prevents data loss. Employ a business associate that has experience in this field, allows you to view all the devices at your facility, and monitors your operating systems and hardware.
- Commission a complete risk assessment by a third party. Know where you are vulnerable. A risk management plan can strengthen your data protection program. This plan needs to be actionable, with a timeline, the responsibilities of employees and business associates, as well as plans for checks, updates and further assessments
- Include the advice of legal staff who specialize in regulatory compliance and security assessment methodologies
- Create a security budget for HIPAA compliance and risk management programs
- Require physicians to complete the Patient Privacy: A Guide for Providers
While there is no comprehensive list for HIPAA compliance, and the risks of a data security breach vary from organization to organization, there are two overarching things that you can do:
- A risk management assessment
- Engage a business associate that understands HIPAA, and the unique needs of health care providers in ensuring data security solutions
This is where we come in. We have the knowledge and the experience, and our team of IT experts makes sure that your concerns are met, and that rigorous data security solutions are implemented and followed through to keep your ePHI secure and safe.