The recent changes in HIPAA expand the scope of the Health Insurance Portability and Accountability Act as well as the Health Information Technology for Economic and Clinical Health Act (HITECH). A lot of the 2013 HIPAA rules reflect changes in working procedures and technology advances since 1996 when the original legislation was signed into law.
In the latest HIPAA changes, the Security Rule introduced three “safeguards” to secure the integrity of digitally stored and transmitted electronic Protected Health Information (ePHI). These three security measures are:
- Administrative Security measures, covering the assignment of information security officers, risk assessments, business associate agreements, training and the creation of suitable policies.
- Physical Security measures, covering equipment specifications, security controls for devices and media used to store ePHI (such as flash drives), and physical access to servers or other hardware that store ePHI.
- Technical Security measures, covering matters such as who is given remote access to databases storing ePHI, audit controls, security of transmission, and monitoring of ePHI access and communication.
These security measures are particularly important to covered entities implementing BYOD policies, those that have difficulty meeting the requirement to retain ePHI for six years, and those that provide unfiltered Web access. To adhere to the latest HIPAA changes, covered entities need to use systems that ensure the end-to-end security of patient information and have procedures that protect against data breaches.
A Modified Meaning of Data Breaches
One of the changes in the new HIPAA rules for 2013 was the change in the definition of a data breach. A data breach is now presumed to have occurred whenever there has been an unauthorized exposure of ePHI, unless the covered entity can clearly demonstrate a low probability that patient data was exposed.
One way to demonstrate a low probability of patient data exposure is the use of encryption. Data encryption is an “addressable” requirement of the HIPAA Security Rule. That means it need not be implemented if a covered entity can justify that it is not required, provided an appropriate alternative safeguard offering an equivalent level of protection has been put in its place.
Encrypting medical information that contains personal identifiers ensures that, in the event of unauthorized access to ePHI, the information is undecipherable, unusable and unreadable. By encrypting data at rest in databases, on servers and on flash drives, and data in transit across a network, covered entities can avoid OCR penalties for non-compliance.
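What “undecipherable, unusable and unreadable” means in practice is easiest to see in code. The following is an added example, not code from the article or from any product it mentions: it seals a constructed ePHI record with AES-256-GCM (authenticated encryption, so tampering is detected as well as reading being prevented), then shows that the stored bytes no longer contain the patient identifier, that a modified copy is rejected, and that only the holder of the key can recover the record. The record contents, the record ID used as associated data and the in-memory key are all placeholders; a real deployment would obtain the key from a key-management service rather than generating it beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample record standing in for one row of ePHI; not real patient data.
const sampleRecord = `{"mrn":"000-TEST-001","name":"Example Patient","dx":"example diagnosis"}`

// NewDataKey generates a random 256-bit AES key. In production the key would be
// issued and stored by a key-management service, never alongside the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag. The associated data (here a record ID) is bound
// to the ciphertext so a sealed record cannot be silently moved to another ID.
func EncryptRecord(key, plaintext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, associated), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the blob, the key or the
// associated data makes Open fail, so a tampered record is never returned.
func DecryptRecord(key, blob, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, associated)
}

// LeaksPlaintext reports whether an identifier is visible in the stored blob,
// i.e. whether someone holding only the storage medium could read it.
func LeaksPlaintext(blob []byte, identifier string) bool {
	return bytes.Contains(blob, []byte(identifier))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	recordID := []byte("record-42") // constructed identifier used as associated data
	blob, err := EncryptRecord(key, []byte(sampleRecord), recordID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; name visible on disk: %v\n", len(blob), LeaksPlaintext(blob, "Example Patient"))

	// Simulate a lost flash drive whose contents were altered: one flipped bit.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := DecryptRecord(key, tampered, recordID); err != nil {
		fmt.Println("tampered record rejected:", err)
	}

	pt, err := DecryptRecord(key, blob, recordID)
	if err != nil {
		panic(err)
	}
	fmt.Println("authorized decrypt:", string(pt))
}
```

The point for a breach-risk assessment is the second half: with authenticated encryption, a lost device yields neither readable data nor a way to alter records undetected, which is the basis on which a covered entity argues a low probability of exposure. Unauthenticated modes (raw AES-CBC without a MAC) would give only the first property.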
Implementing Encryption in Healthcare
It is not hard to implement encryption in healthcare, although it does come at a cost. That cost is certainly lower than the cost of mitigating data breaches and paying regulatory fines. A lot of covered entities are turning to secure messaging as a principal means of communication. Secure messaging complements the BYOD policies that a lot of covered entities have implemented, and reduces the risk of a data breach – not merely by means of encrypted communications, but also by limiting communications to a private network and ensuring total message accountability.
Secure messaging can help a covered entity comply with the latest HIPAA changes and also speed up the communications cycle in various aspects of healthcare. Secure messaging has been shown to promote collaboration, improve productivity, increase the speed of diagnosing patients, improve the accuracy of filling prescriptions, and reduce the potential for errors.
While secure messaging addresses the encryption issues in healthcare raised by the recent HIPAA changes, secure email archiving covers communications sent and received before the recent HIPAA updates. Covered entities need to retain healthcare information for at least six years, and secure email archiving allows them to index and store encrypted emails. Indexing means that if messages need to be retrieved, such as during legal discovery or a compliance audit, they can be found and recovered quickly and easily.
The Cyber Threat to the Confidentiality of ePHI
The biggest cause of data breaches to date is human error, which includes employees misplacing USB flash drives, theft of employees’ unencrypted laptops, and the improper disposal of ePHI/PHI. Cybercriminals also target employees, as they are a weak point that can be exploited to gain access to ePHI – through phishing, for example.
One of the best protections against this cyber threat is a web filter. A web filter can help prevent employees from being directed to fake websites that steal login credentials or deliver malware. Web filtering tools can be configured to block the unauthorized downloading of files, which helps prevent a cybercriminal from breaking through the cybersecurity defenses of a covered entity.
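The policy a web filter enforces comes down to a few ordered rules applied to each requested URL. The following is an added example, not code from the article or from any filtering product: a small policy type with a domain block-list, an allow-list of exceptions (say, an EHR vendor whose domain would otherwise match a broad block), and a list of download types that are refused regardless of host. The domain names and extensions are constructed placeholders; a real filter would also apply category feeds and TLS inspection, which are outside this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Decision is the filter's verdict for one request, with the rule that produced it.
type Decision struct {
	Allow  bool
	Reason string
}

// Policy is the constructed filter configuration.
type Policy struct {
	BlockedDomains   []string // exact host or any subdomain of it is blocked
	AllowedDomains   []string // exceptions that override the domain block-list
	BlockedDownloads []string // file extensions that are never downloadable
}

// hostMatches is true for the domain itself and for any of its subdomains.
func hostMatches(host, domain string) bool {
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// Evaluate applies the policy: an allow-listed host skips the domain block-list,
// but the download-type rule applies to every host, so a malicious executable
// served from an otherwise trusted site is still refused.
func (p Policy) Evaluate(rawURL string) Decision {
	u, err := url.Parse(rawURL)
	if err != nil || u.Hostname() == "" {
		return Decision{false, "unparseable request"}
	}
	host := strings.ToLower(u.Hostname())

	allowListed := false
	for _, d := range p.AllowedDomains {
		if hostMatches(host, d) {
			allowListed = true
			break
		}
	}
	if !allowListed {
		for _, d := range p.BlockedDomains {
			if hostMatches(host, d) {
				return Decision{false, "blocked domain " + d}
			}
		}
	}
	ext := strings.ToLower(path.Ext(u.Path))
	for _, e := range p.BlockedDownloads {
		if ext == e {
			return Decision{false, "blocked download type " + e}
		}
	}
	if allowListed {
		return Decision{true, "allow-listed domain"}
	}
	return Decision{true, "no rule matched"}
}

// ExamplePolicy is the constructed configuration exercised in main.
var ExamplePolicy = Policy{
	BlockedDomains:   []string{"social.example", "shopping.example"},
	AllowedDomains:   []string{"ehr-vendor.example"},
	BlockedDownloads: []string{".exe", ".scr", ".js", ".vbs"},
}

func main() {
	// Constructed requests: one legitimate clinical portal, two policy violations,
	// one download that must be refused even from the allow-listed vendor.
	for _, r := range []string{
		"https://portal.ehr-vendor.example/charts/42",
		"https://video.social.example/live",
		"https://cdn.downloads.example/invoice.exe",
		"https://portal.ehr-vendor.example/tools/update.exe",
	} {
		d := ExamplePolicy.Evaluate(r)
		fmt.Printf("%-52s allow=%-5v %s\n", r, d.Allow, d.Reason)
	}
}
```

Returning the matching rule with each verdict is deliberate: the reason string is what ends up in the filter's log, and a log line that says which rule fired is what makes a later breach investigation or audit tractable.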
Web filters can also help to enhance productivity. By restricting access to particular websites, employers can stop employees from using social media sites, visiting shopping portals or watching live-streamed videos while at work. Restricting access to the Internet also does away with potential HR problems and creates a more user-friendly work environment.
More Recent Developments in HIPAA
Since HHS updated HIPAA, the Office for Civil Rights has increased enforcement of the HIPAA Rules through audits and investigations of complaints and data breaches. There has also been an increase in HIPAA violation penalties for noncompliance.
- In March 2016, OCR fined Feinstein Institute $3.9 million as a result of the theft of a laptop that contained the unprotected sensitive information of 13,000 research participants.
- North Memorial Health Care of Minnesota was penalized in March 2016. A penalty of $1.55 million was issued for multiple failures to protect 9,497 health records against unauthorized disclosure.
- In August 2016, OCR fined Advocate Health Care Network $5.55 million for the unauthorized exposure of the health records of 4 million individuals.
Lesser offenses that have attracted an OCR financial penalty include:
- In April 2015, Cornell Pharmacy was penalized $125,000 for improperly disposing of health documents.
- In January 2017, OCR fined Presence Health $475,000 for its failure to issue breach notifications within the sixty days demanded by the HIPAA Breach Notification Rule.
- In April 2017, OCR fined CardioNet $2.5 million for a potential PHI breach caused by a misunderstanding of the requirements of HIPAA risk assessment.