Recent HIPAA Changes

Recent HIPAA Changes

The recent HIPAA changes extend the scope and extent of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HITECH). Many of the new HIPAA rules for 2013 account for changes in working practices and advances in technology since the original legislation was enacted in 1996.

Within the recent HIPAA changes, the Security Rule introduces three “safeguards” to protect the integrity of electronically stored and transmitted Protected Health Information (ePHI). These three safeguards are:

  • Administrative Safeguards – covering factors such as the assigning of an information security officer, business associate agreements, risk assessments, training and the development of appropriate policies.
  • Physical Safeguards – covering equipment specifications, controls for devices and media used to store ePHI (including flash drives), and physical access to servers and other hardware on which ePHI is stored.
  • Technical Safeguards – covering issues such as who can remotely access a database on which ePHI is stored, audit controls, transmission security and how access to and the communication of ePHI is monitored.

These safeguards are of particular significance to covered entities that have implemented BYOD policies, have storage issues with the requirement to save six years of ePHI, or who provide unfiltered Internet access. In order to comply with the recent HIPAA changes, covered entities must implement mechanisms that ensure the end-to-end security of patient data and have processes in place to prevent a data breach.

A Revised Definition of Data Breaches

Also included among the new HIPAA rules for 2013 was a revised definition of what constitutes a data breach. A data breach will now be presumed to have occurred when there has been the unauthorized exposure of ePHI unless the healthcare organization, health insurance provider, employer or vendor/business associate can demonstrate that there is a low probability that patient data was compromised.

One of the best ways of demonstrating a low probability that patient data was compromised is through encryption. The encryption of data is an “addressable” requirement of the HIPAA Security Rule, meaning that it does not have to be implemented if a covered entity can show it is not necessary, or if a suitable alternative to the requirement is instigated.

However, by encrypting all personal identifiers and health-related data any unauthorized exposure of ePHI will be undecipherable, unreadable and unusable – resulting in a low probability that patient data was compromised. The encryption of data in databases, on servers, on flash drives or as it moves through a network can also help covered entities avoid OCR fines for failing to comply with the recent HIPAA changes.

The Implementation of Encryption in Healthcare

The implementation of encryption in healthcare is not difficult to achieve. Many covered entities are switching their primary method of communication to secure messaging. Secure messaging compliments the BYOD policies that many covered entities have introduced, and eliminates the risk of a data breach – not only through encrypted communications, but also by encapsulating communications within a private network that provides full message accountability.

Secure messaging not only helps to comply with the recent HIPAA changes, but the mechanisms intended to provide an audit trail for ePHI also accelerate the communications cycle in many areas of healthcare. Secure messaging has also been proven to foster collaboration and enhance productivity – improving the speed of diagnoses, the accuracy with which prescriptions are filled and reducing the volume of adverse events.

Whereas secure messaging resolves the issue of encryption in healthcare since the new HIPAA rules for 2013 were introduced, secure email archiving is an appropriate solution for communications sent and received prior to the recent HIPAA changes. Covered entities have to keep healthcare data for a minimum of six years, and secure email archiving not only stores them in an encrypted format, but also indexes emails and their content for easy retrieval in the event of discovery or compliance audit.

The Cyber Threat to the Integrity of ePHI

The single largest cause of data breaches has been, to date, human error. Employees mislaying USB Flash drives, unencrypted laptops stolen from the back seat of a car and the improper disposal of ePHI have been responsible for many millions of records being exposed. Aware that employees are the weakest link in a covered entity´s cybersecurity defenses, criminals are targeting them through phishing campaigns and malware downloads.

One of the strongest defenses against cyber threats is the implementation of a web filter. With a suitably robust web filter, covered entities can prevent employees being directed to bogus websites that request their login credentials and sites that harbor malware. Web filtering solutions can also be configured to prevent the download of certain file types, making it harder for a cybercriminal to break through a covered entity´s cybersecurity defenses.

Web filters also have a productivity-enhancing benefit. With the ability to restrict access to any website, administrators can prevent employees from using social media channels, visiting shopping portals or watching live-streamed videos during working hours. Restricting access to certain areas of the Internet can also eliminate potential HR issues and create a more user-friendly working environment.

Further Recent HIPAA Developments

Since the recent changes to HIPAA and HITECH, the OCR has increased its enforcement actions with more investigations and two rounds of HIPAA audits. The consequence is that many more Covered Entities and Business Associates are being issued with civil penalties for non-compliance with HIPAA.

The largest data breaches are punished accordingly:

  • In March 2016, the Feinstein Institute was fined $3.9 million when a laptop containing the unprotected PHI of 13,000 research participants was stolen.
  • Also in March 2016, North Memorial Health Care of Minnesota was fined $1.55 million after multiple failings led to the unauthorized disclosure of 9,497 health records.
  • In August 2016, Advocate Health Care Network was fined $5.55 million for the unauthorized disclosure of almost 4 million patient health care records due to theft.

But fines are also being issued for lesser offences:

  • In April 2015, Cornell Pharmacy was fined $125,000 for the improper disposal of paper health records that could have resulted in a breach of PHI.
  • In January 2017, Presence Health was fined $475,000 for failing to report a breach of PHI within the sixty days allowed by the HIPAA Breach Notification Rule.
  • In April 2017, CardioNet was fined $2.5 million after a potential breach of PHI occurred due to a misunderstanding of HIPAA risk assessment requirements.

No Excuse for Failing to Comply with the Recent HIPAA Changes

Complying with the recent HIPAA changes is not resource intensive, time-consuming or expensive. In the case of secure messaging, apps for secure messaging are free to download and most healthcare employees will be familiar with the text-like interface already. Administrators conducting a search for an old email will find secure text archiving a simpler process than currently available to them; while only employees visiting inappropriate websites will notice the presence of a web filter.

All three solutions have minimal maintenance overheads, require little training and are inexpensive to run. In terms of the efficiency savings they generate, the solutions for complying with the recent HIPAA changes are a worthwhile investment – and will cost covered entities far less than a fine from the OCR in the event of an avoidable data breach.

You can read more about the new HIPAA rules for 2013, and solutions for compliance, in our “HIPAA Compliance Guide”.