In 2011, the Office for Civil Rights commenced a series of pilot compliance audits to assess how well healthcare providers were implementing HIPAA Privacy and Security Rules. The first found of audits was completed in 2012 and highlighted many companies were failing to comply with even the most basic of HIPAA’s rules.
Audited organizations registered numerous violations of the HIPAA Breach Notification Rule, Privacy Rule and Security Rule, with the latter resulting in the highest number of violations. The OCR issued action plans to help those organizations achieve compliance.
It is widely expected that the second round of audits will not be as lenient as the first. Any covered entity that does not implement the required controls faces financial penalties, sanctions, potential loss of license and even criminal proceedings for failing to secure ePHI.
Achieving Full HIPAA Compliance
If you have any queries relating to the storage, transmission and disposal of ePHI, the actions organizations must take in response to a breach and the policies and procedures which must be adopted to achieve full compliance, seek legal advice from the appropriate professionals.
CEs are allowed some flexibility on the privacy and security safeguards used to protect data within the constraints set by HIPAA. Data encryption, for instance, must be addressed but not necessarily implemented if other controls provide the necessary protection.
In addition to protecting and controlling ePHI, the technical safeguards help to streamline communication and information flow. Organizations which have adopted secure communications channels and implemented data controls have benefited from improved efficiency, faster response times and have improved patient outcomes. This acts as a further incentive to comply with HIPAA while ensuring that patient health data remains fully protected.
Outline of the Technical Safeguards
Data Encryption
The use of laptop computers and other mobile devices for storing or accessing ePHI inevitably results in a HIPAA breach if those devices are lost, stolen or improperly recycled. Password protection of devices – and the data they contain – is a reasonable step to prevent unauthorized access, but HIPPA deems it insufficient if this is the only safeguard implemented. Hackers have become proficient in cracking passwords, and therefore they do not provide an adequate amount of security.
Data encryption involves the conversion of data into indecipherable symbols – termed cipher text – by complex algorithms. These add an extra layer of security as they require a key to convert the data back into its original form. Data encryption ensures privacy, but can offer other security benefits such as verification of users, access logging, the prevention of record changes and non-repudiation of access and/or theft.
HIPAA allows for the level of security and number of safeguards implemented to be adjusted as appropriate based on the sensitivity of the data it is used to protect. Data can be encrypted with single security key access or with separate keys for encryption and decryption (symmetric and asymmetric data encryption).
If a mobile device containing encrypted data is lost or stolen or if computer networks are hacked, while this will be considered a security breach, it would not be a HIPAA violation unless the access key is also disclosed.
Secure Messaging
All mobile devices that transmit data over unsecured networks-ranging from smartphones to pagers-are not HIPAA compliant. Therefore, the CEs rely on their employees not sending ePHI over these networks so as not to incur a violation.
“Bring Your Own Device” (BYOD) schemes have now been introduced by many healthcare providers to improve efficiency and cut costs. However, modern mobile devices have even greater potential to cause HIPAA violations due to the ease at which personal identifiers and ePHI can be sent. Policies and procedures may be enacted to control how these devices are used. Several surveys have been conducted which suggest that in practice many medical professionals are still using the devices to communicate ePHI despite attempts to discourage this behaviour.
Secure messaging solutions prevent this. They work by maintaining ePHI on a secure database and then allowing authorized medical professionals to access the data via downloadable secure messaging apps. Administrative controls monitor the activity of the authorized personnel on the app. Risk assessments are performed when installing these apps, as required by HIPAA and Office for Civil Rights’ auditors.
Compliant Cloud Storage
The healthcare industry has seen a movement from physical data storage to electronic data storage. With this movement, there come increased risks and costs. The demands placed on healthcare organizations to continually upgrade servers and networks, and employ the staff to manage data centres, can be considerable. In addition to the hardware, space must be devoted to storing the equipment and physical controls must be used to control access.
The most cost effective solution for many healthcare providers is to outsource data storage and take advantage of the “cloud” to store data instead of using their own expensive data centres. HIPAA-compliant cloud hosting employs the appropriate controls to secure all stored data with encryption. By outsourcing, healthcare organizations can comply with HIPAA regulations without having to invest so heavily in IT infrastructure.
Compliant Mobile Platforms
Mobile health apps have spiked in popularity with patients. They are now widely used for tracking and monitoring health and fitness. These types of devices have sparked the beginning of a revolution in home healthcare. There are hopes that they can be used in conjunction to e-visits to provide home care services to patients at a fraction of the healthcare centre visits.
Patient portals similarly have great potential and improve interaction between care providers and patients, and cut down on unnecessary costs while helping to improve patient outcomes. The development of HIPAA compliant mobile apps frameworks, compliant storage and HIPAA compliant web solutions means healthcare providers can take advantage of the benefits of new technology without jeopardizing the privacy and security of patient data. It is one of the many ways in which rapid advances in patient-accessible technology is set to create new challenges for those tasked with complying to HIPAA regulations.