Here are 11 tips for healthcare professionals to keep HIPAA compliance in the digital age.
1. Under the Health Insurance Portability and Accountability Act of 1996, the Privacy Rule issued by HHS "addresses the use and disclosure of individuals' health information—called 'protected health information' by organizations subject to the Privacy Rule — called 'covered entities,' as well as standards for individuals' privacy rights to understand and control how their health information is used."
2. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called "covered entities" must put in place to secure individuals' "electronic protected health information," according to HHS.
3. In a digital age, maintaining HIPAA compliance can be trickier than ever before. Virtru recently provided six best practices to maintain HIPAA compliance and stay ahead of data security threats. These include:
- Use strong data encryption
- Encrypt emails
- Use multi-factor authentication
- Make all your employees experts in HIPAA compliance
- Review the compliance and security practices of business associates
- Be aware of social engineering and inside threats
4. In 2004, HHS received 6,534 complaints, compared to 12,915 complaints in 2013. Of 34,389 total complaints investigated by HHS, 31 percent were found to be a "no-violation," and 69 percent resulted in corrective action. In 2013, HHS resolved a total of 14,300 privacy complaints, compared to 9,408 in 2012.
5. Technology itself is not the leading cause of HIPAA violations. The top three causes of a data breach, according to data from the Ponemon Institute as cited by the Central and Southern Ohio chapter of HIMSS, are:
- Lost laptops or devices
- Employee mistakes or unintentional actions
- Third-party errors
6. Last year, the largest data breach occurred with Community Health Systems Professional Services Corporation, affecting about 4.5 million people. A cyberattack on UCLA Health this year also affected 4.5 million people. One of the largest data breaches of all time occurred in January 2015 with Anthem, affecting roughly 80 million people.
7. The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009; it supports the enforcement of HIPAA requirements by raising the penalties for those who violate HIPAA. The HITECH Act was formed as a response to health technology development and the increased use, storage and transmittal of electronic health information, according to OnlineTech.com.
The HITECH Act established four tiers of violations with increasing penalties, with a maximum penalty of $1.5 million for all violations of an identical provision, and a $100 minimum. Violating HIPAA for personal gain or malicious reasons can result in a potential jail sentence of up to 10 years. Recently, St. Elizabeth's Medical Center in Brighton, Mass., agreed to pay $218,400 to settle an alleged HIPAA violation and to adopt a corrective action plan for its HIPAA compliance program.
8. In the event of a data breach involving fewer than 500 people, HITECH calls for written notification by first-class mail to each affected individual at their last known address, as well as annual submission of a log to HHS documenting such breaches during the year involved. Breaches involving 500 or more people require written notification by first-class mail to each individual's address, notification to prominent media outlets serving a state or jurisdiction when the breach involves more than 500 residents of that state or jurisdiction, and immediate notification to the Secretary of HHS.
9. In the discussion of HIPAA compliance in the digital age, mHealth applications appeal to patients and physicians for their convenience, but they also must be HIPAA compliant. Running an app from a HIPAA-compliant hosting environment does not make the app itself compliant, according to a Healthcare Insights blog post. If a HIPAA-covered person or organization uses the app, or if the app stores or transmits personally identifiable health information, both the hosting and the app must be HIPAA compliant.
10. An ASC currently using Windows Server 2003 to store PHI could effectively become non-compliant with HIPAA and the HITECH Act, and its servers running Windows Server 2003 would become a major security risk, according to Nelson Gomes, President & CEO, PriorityOne Group.
11. According to a NueMD 2014 HIPAA survey, 31 percent of respondents were "very confident" that their electronic devices are HIPAA-compliant, and 18 percent were "very confident" that their mobile devices are HIPAA-compliant. Additionally, 45 percent of respondents have a formal breach notification policy and 33 percent have performed a risk analysis. NueMD also offers an ICD-10 code lookup resource.