HIPAA is an important part of healthcare today because it requires safeguards that protect sensitive personal and health information. Clients, customers, and patients are trusting you with their most precious information: their identity and their health information. How are you earning that trust? How are you protecting it? In this article, we break down why HIPAA matters, what has changed, why you should care, and how you can be prepared to protect not only your business but the trust of your patients and customers.
Is there a reason it matters more today than when HIPAA was introduced in 1996? For starters, we live in a much more digital world. On April 14, 2003, compliance with the HIPAA Privacy Rule, issued by the US Department of Health and Human Services (HHS), became mandatory. The Privacy Rule defined Protected Health Information (PHI) as "any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual".
On April 21, 2005, compliance with the HIPAA Security Rule became mandatory for most covered entities. This rule directly addresses electronically stored PHI (ePHI) through three categories of safeguards: physical, administrative, and technical.
In March 2006, the Enforcement Rule took effect. The Enforcement Rule allows HHS to investigate covered entities reported for failing to comply with HIPAA regulations. In addition to investigations, it allows the Office for Civil Rights (OCR) to impose civil money penalties on entities that did not comply.
In 2009, the American Recovery and Reinvestment Act (ARRA) was signed into law, and within it was a vital addition to HIPAA enforcement: the Health Information Technology for Economic and Clinical Health Act (HITECH). HITECH introduced the Breach Notification Rule, which requires that breaches of unsecured PHI be reported to HHS OCR; breaches affecting 500 or more individuals must be reported without unreasonable delay (and within 60 days of discovery), while smaller breaches are reported annually. In addition to the Breach Notification Rule, HITECH introduced the Meaningful Use incentive program to encourage healthcare organizations to move their records to an Electronic Health Record (EHR) system. Today, that incentive program is called Promoting Interoperability.
In March 2013, the Final Omnibus Rule took effect, bringing with it many final amendments. The Omnibus Rule clarified how the HIPAA and HITECH regulations apply to ePHI, as well as the wording within the rules themselves. The Privacy and Security Rules were also amended to change how long a deceased individual's health information remains protected: previously it was protected indefinitely, but the amendment limits protection to 50 years after death. Other amendments addressed work practices and technologies that did not exist or were not contemplated in 1996, such as mobile devices and telehealth.
HIPAA regulation identifies two types of organizations that must be HIPAA compliant: Covered Entities and Business Associates.
With the CARES Act passing in March 2020, the 42 CFR Part 2 regulations now align more closely with HIPAA. Additionally, HR 7898 amends the HITECH Act to provide a liability "safe harbor" that reduces the enforcement measures OCR applies in relation to the Security Rule. It adds three specific impacts on enforcement, provided you can prove you have followed what it designates as "recognized security practices".
You have to show that you have been following these "recognized security practices" for the prior 12 months. It isn't something you can suddenly start doing to solve a problem that has already occurred. If you want this safe harbor option, you have to have it built into your organization well in advance of problems occurring.
The statute defines the term as follows: "The term 'recognized security practices' means the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule."
IT companies have been preaching security best practices for a long time, and now there are laws in place that let organizations benefit from their due diligence. With more companies working and providing services remotely, especially in healthcare, it is easy to see why the government is offering some reward to companies that proactively mitigate risk.
Often, whatever triggered the audit in the first place is not the biggest problem or finding identified by OCR. This is why having your HIPAA compliance program in order and continuously working on your compliance is critical. Note: HHS is REQUIRED by law to investigate ALL HIPAA violation complaints.
What OCR looks for in an audit will vary depending on what triggered the audit. Below are some common items that your business or organization could expect to show an auditor in the event of an audit, all of which are key components of a HIPAA compliance program.
Proof of network vulnerability scans, penetration tests, and breach notifications (in the event of a breach) are also common requests from OCR.
Is not complying with HIPAA against the law? Simply, yes. When you or your organization is not HIPAA compliant, OCR can impose civil money penalties of up to $1.5 million per year for each violated provision, and criminal violations, which are prosecuted by the Department of Justice, can carry prison time. Although jail time is very rare, it can happen.
One thing I always ask people on the fence is this: if the law doesn't scare you, does losing people's trust scare you? Because that is what is at risk. You are held to a higher standard when you are dealing with someone's identity, and more specifically their PHI, and people are trusting you to do what is right and lawful to protect their information. An everyday person may not know much about what is required by HIPAA, NIST, or any other law or standard, but they are trusting that you are doing what is right.
“It’s always easier to carry yourself over someone else”
The truth is that we live in a very digital world and cyber threats are real. Regardless of whether you are required to be HIPAA compliant, many of these best practices extend to all industries. Next time you think about passing on a service because of cost, even a legally required one, think about what it could cost others, not just yourself.