2013 HIPAA Guidelines

How the Focus on HIPAA was Changed in 2013

In 2013, HIPAA guidelines were changed in the Final Omnibus Rule. The extension of HIPAA to cover “Business Associates” was widely reported, as were the regulations that concerned a patient's right to access their healthcare information. These changes introduced in the 2013 HIPAA guidelines were widely anticipated and caused relatively minor concerns among HIPAA covered entities.

However, a significant change in the 2013 HIPAA guidelines was a revision of the rules about when a breach of Protected Health Information (PHI) should be reported to the Department of Health and Human Resources Office of Civil Rights (OCR). This much less widely reported revision has major implications for HIPAA covered entities, and for healthcare organizations in particular.

Whereas previously healthcare organizations had a duty to report a breach of PHI only if there was a significant risk of harm to a patient's reputation or finances, the revised rules stipulate that any breach, loss or inappropriate disclosure of PHI has to be reported unless it can be established and documented that the risk of harm is low.

Along with this revision of reporting requirements, the OCR introduced tougher financial penalties for breaches of PHI in the 2013 HIPAA guidelines. The upper limit of financial penalty was increased to $50,000 per breach per day, with an annual upper limit of $1.5 million. The extra income generated by the OCR will be used for stricter enforcement of the HIPAA regulations – meaning that healthcare organizations not yet in compliance with HIPAA should take immediate action to prevent unauthorized access to, and the inappropriate disclosure of, PHI.

New Procedures Also Appear in the 2013 HIPAA Guidelines

The 2013 HIPAA guidelines also closed certain gaps in the procedures that had evolved since the original HIPAA legislation was enacted in 1996. For example, changes to the HIPAA Information Access Management Rule now mean that authorized users can only be allowed access to PHI once healthcare organizations have completed a documented process that establishes the identity of the user and determines their need to access PHI. This replaces the previously accepted procedure of blanket authorization for an entire workforce.

This new procedure should make it easier for a HIPAA covered entity to determine where a breach of PHI has originated and take measures to prevent a breach occurring for the same reason again. It also helps covered entities determine whether the breach still has to be reported to the OCR by conducting a risk assessment to establish:

  • Whether the type of information that has been accessed presents a risk of harm to an individual.
  • Whether there is a low risk of data misuse because of the individual who accessed the data.
  • Whether the breach of PHI actually resulted in an unauthorized disclosure.
  • Whether the risk of damage to a patient has been mitigated by the destruction of the disclosed PHI.

Avoiding Data Breaches with Secure Messaging

Ultimately, it is in a HIPAA covered entity's best interests to prevent unauthorized access to, and the inappropriate disclosure of, PHI. Many HIPAA covered entities – including four of the top five paid-for healthcare organizations in the country – have chosen to implement secure messaging solutions to avoid breaches of PHI.

Secure messaging solutions help healthcare organizations comply with the 2013 HIPAA guidelines by creating a private communications network, within which all PHI is encrypted, and through which all messages containing PHI are sent and received.

In compliance with the HIPAA Information Access Management Rule, only authorized users are allowed access to the network, via secure messaging apps that can be downloaded onto desktop computers or mobile devices. The apps have mechanisms in place to prevent PHI from being sent outside of the private communications network, copied and pasted, or saved to a USB flash drive (lost and stolen USB drives are the second most common cause of PHI breaches, behind lost and stolen laptops).

Message lifespans are assigned to messages so that they are deleted after a predetermined period of time, and automatic logoffs prevent the unauthorized disclosure of PHI when desktop computers and mobile devices are left unattended. If a smartphone is lost or stolen, administrators have the ability to remotely delete any messages containing PHI and PIN-lock the app to prevent its use by any non-authorized person.

Secure messaging solutions not only significantly reduce the likelihood of a breach of PHI, but the security features designed to ensure 100% message accountability also accelerate the flow of communication within a healthcare environment. This results in quicker hospital admissions and patient discharges, reduces the amount of time healthcare providers spend playing phone tag and increases productivity. When linked to an EHR, secure messaging has been shown to streamline physician workflows and reduce patient safety events.

Find Out More about the 2013 HIPAA Guidelines

Further information about the changes introduced in the 2013 HIPAA guidelines, and the revised rules about when a breach of PHI should be reported to the OCR, can be found in our “HIPAA Compliance Guide” – a comprehensive white paper that you are invited to download and read.

Our guide elaborates on the implications of the 2013 HIPAA guidelines, the measures that healthcare organizations should take to avoid sanctions in the next round of OCR HIPAA audits, and how secure messaging solutions comply with the HIPAA Privacy and Security Rules.