With data breaches on the rise, ASC administrators should stay on top of changing HIPAA rules and what constitutes a data breach.
Becker's ASC Review spoke with Marty Puranik, the president and CEO of Orlando, Fla.-based Atlantic.Net, a HIPAA compliant hosting solutions provider about the changes affecting HIPAA, and how ASC administrators can prevent and respond to data breaches.
Question: Given that ASCs typically have a smaller staff than hospitals, what are some ways ASC administrators can prevent data breaches?
Marty Puranik: It is a good idea to identify someone on your staff who will be in charge of training that will cover common breaches that occur (reviewing both internal and external risks), along with HIPAA-compliant policies and procedures to mitigate the threats to records. Your staff needs to understand that health data can never be disclosed on social media and that it's not all right to access ePHI simply out of curiosity. They should know that patient data should not be texted, and that patient files and mobile devices should be protected carefully. Plus, your risk assessment reveals risks. Target high-priority risks immediately.
Q: Can you explain how you've seen HIPAA evolve over the years? How can ASC administrators stay on top of these changes?
MP: One of the main things is that the fines were raised significantly. The maximum annual amount that could be charged per provision was increased from $25,000 to $1.5 million. Another core aspect of compliance introduced in HITECH was the Breach Notification Rule, which made it necessary to contact patients impacted by breaches directly and, in some cases, through the media. Another key change is that HIPAA rules became directly applicable to business associates. The main concept for staying well-versed on compliance is to get help as needed. While in-house training is great, you may also benefit from working with HIPAA-compliant service providers or consultants.
Q: What is considered a data breach? Why is it important for ASCs to know the difference?
MP: Unauthorized use or disclosure of electronic protected health information is a breach. There are three exceptions: if the ePHI was accessed "in good faith" by a person who was acting on behalf of a HIPAA-compliant organization, if it was disclosed by an authorized individual to an unauthorized individual at the same organization, and if the organization from which the information was accessed has a reasonable belief that the unauthorized party would not be able to collect and keep the data. The ePHI also must be unsecured in order for it to be a breach. Determining quickly if a breach has occurred allows you to send mandated notifications and take other first steps.
Q: How can ASCs use technology to protect their patients' health data?
MP: Technology is integral to HIPAA compliance since it is directly related to the security rule, which essentially applies the Privacy Rule to IT. There should be encryption for both in-transit and at-rest data, for instance. SSL certificates should be installed. Backups are used to maintain availability requirements under the law. The backups you use should be offsite CDP backups that allow you to completely restore your information using an up-to-date, easily accessible remote copy. Firewall and multifactor authentication are also critical to maintaining security, and we recommend those as managed services.
Q: How do see the healthcare landscape changing in the coming years? How do you see data breaches affecting growth in the ASC space?
MP: The Office of the National Coordinator’s contest for blockchain advances shows how it is being embraced at the federal level, in part because it helps address interoperability. Blockchain becomes even more important with the growing interoperability challenges of wearables and the IoT. A study from earlier this year showed the average breach sector-wide costs just over $700,000, so it is an unexpected expense for which you get billed the better part of a million dollars. Clearly, that will restrict the growth of a company; the combined effect of these breaches has an impact on all aspects of healthcare, and the ASC space is no exception. The ASC sector is projected for 6 percent growth for the next few years despite the threat landscape.
The insider threat is the most common reason for a breach, per a study released earlier this year. Since that’s the case, there should be increased awareness that strong healthcare security preparation – setting aside compliance for a minute – is about looking within as much as it is about looking without. Now, most of these incidents are human error, so we are not generally talking about malice. Nonetheless, the results are the same.