The latest amendments to HIPAA broaden the scope of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HITECH). Many of the 2013 HIPAA rules reflect changes in working practices and technology since 1996, when the original law was passed.
In the most recent HIPAA changes, three categories of security measures were introduced in the Security Rule to protect the integrity of electronic Protected Health Information (ePHI) in storage or in transmission:
- Administrative security measures include designating an information security officer, risk analysis, business associate agreements, employee training and the development of appropriate policies.
- Physical security measures cover equipment specifications, security controls for equipment and portable storage devices that hold ePHI (such as flash drives), and physical access to the servers and other hardware used to store ePHI.
- Technical security measures cover remote access to the databases where ePHI is stored, audit controls, security of data in transmission, and tracking of ePHI access and communications.
Covered entities should take note of these security measures, especially if they enforce BYOD policies, have difficulty meeting the requirement to retain ePHI for six years, or offer unrestricted Web access. To comply with the most recent HIPAA changes, covered entities must use systems that ensure the end-to-end security of patient data and provide protective measures against data breaches.
A Changed Definition of Data Breaches
The definition of a data breach was also changed in the new HIPAA rules for 2013. A data breach now refers to any event in which ePHI was exposed to an unauthorized party, unless the covered entity can clearly demonstrate a low probability that patient data was exposed.
Implementing encryption is one way to show that there is a low probability of patient data exposure. Encryption is not mandatory, though, because under the HIPAA Security Rule it is an “addressable” requirement: if a covered entity can show that encryption is not required in its situation, or that a suitable substitute is in use, it does not need to encrypt.
By encrypting health-related data and all personal identifiers, a covered entity ensures that even if ePHI is accessed without authorization, the information is undecipherable, unreadable and unusable, so it is far less likely that patient information will be compromised. If covered entities encrypt data stored on servers, in databases and on flash drives, as well as data transmitted over a network, they can avoid OCR penalties for data breaches or for non-compliance with the current HIPAA changes.
Use of Encryption in Healthcare
It isn’t difficult to use encryption in healthcare. Many covered entities are switching to secure messaging as their primary means of communication. Secure messaging suits the BYOD policies that many covered entities have adopted, and eliminates the chances of a data breach, not only through encrypted communications but by confining communications to a private network with full message accountability.
Secure messaging certainly helps a covered entity comply with the most recent HIPAA changes. Systems should also be in place to provide an audit trail of ePHI and to speed up the communications cycle across the different facets of healthcare. Secure messaging has been used to promote collaboration and improve efficiency, speeding up diagnoses, improving the accuracy of prescription filling and reducing the number of adverse incidents.
Although secure messaging addresses the encryption of healthcare communications, retaining sent and received messages calls for secure email archiving. Covered entities have to retain healthcare data for a minimum of six years, and secure email archiving stores and indexes encrypted emails so that content can be quickly retrieved for a search or a compliance audit.
Cyber Threats to the Privacy of ePHI
The major cause of data breaches thus far is human error: workers misplace USB flash drives, an employee’s unencrypted laptop is stolen, or ePHI is improperly disposed of. Because of this, criminals have been targeting employees through phishing campaigns and malware infections.
Using a web filter is the best way to protect against this cyber threat. A web filter helps to keep employees from being redirected to fake sites that steal employees’ login details and deploy malware. Once configured, web filtering tools can also block unauthorized file downloads, stopping a cybercriminal from getting past a covered entity’s cybersecurity defenses.
Web filters also improve productivity. By limiting website access, employees can’t use social media sites, visit shopping sites or watch live-streamed movies at work. Limiting internet access also removes potential HR problems and establishes a more user-friendly work environment.
The Newest Developments in HIPAA
Following the recent changes to HIPAA and HITECH, OCR has stepped up its enforcement activity, including HIPAA investigations and audits. It has also issued more civil penalties to Covered Entities and Business Associates for non-compliance with HIPAA.
OCR issued the following fines for major data breaches:
- In March 2016, Feinstein Institute was fined $3.9 million over the theft of a laptop containing the unencrypted sensitive data of 13,000 research study participants.
- In March 2016, North Memorial Health Care of Minnesota was also fined $1.55 million for several failures to protect the health records of 9,497 people against unauthorized disclosure.
- In August 2016, OCR fined Advocate Health Care Network $5.55 million for the unauthorized exposure of the medical records of roughly 4 million patients as a result of theft.
OCR also issued fines for the following lesser offences:
- In April 2015, Cornell Pharmacy was penalized $125,000 for the improper disposal of paper health records that potentially caused a PHI breach.
- In January 2017, OCR fined Presence Health $475,000 for failing to issue breach notification letters within sixty days of discovery, as required by the HIPAA Breach Notification Rule.
- In April 2017, OCR fined CardioNet $2.5 million for a potential PHI breach that stemmed from a failure to understand the HIPAA risk assessment requirement.
Non-Compliance with the Latest HIPAA Changes is Not Excused
Complying with the requirements of the recent HIPAA changes does not call for substantial resources, money or time. Secure messaging apps are free to download, and most healthcare employees are already familiar with their interface. Administrators who have had to find an old email will confirm that it is easier with secure message archiving. Web filters are only noticeable when an employee visits a malicious site.
It is worth investing in all three solutions, as they demand little maintenance, employee training or operating cost. Moreover, covered entities can cut costs and won’t have to worry about being heavily fined by OCR when a data breach occurs.